Inside Russia’s Camera-Hacking Espionage Campaign

Research, Threat Intelligence

A new joint report, published last week by the Netherlands General Intelligence and Security Service (AIVD) and the Netherlands Defence Intelligence and Security Service (MIVD), reports that Russian state actors are conducting digital espionage through hacking Internet-connected cameras in the Netherlands and other EU and NATO countries, as well as Ukraine.

Conducting espionage through hacked cameras isn’t new. In March, we wrote a blog post about malicious activity targeting IP cameras following the onset of the conflict in Iran. Years earlier, it was Dutch intelligence themselves who had hacked security cameras to gain insight into activities of the Russia-aligned actor APT29, also known as Cozy Bear.

In this case, the services say the goal of the hacking campaign is to gain insights into military transport routes, weapon deliveries to Ukraine, and the locations of Ukrainian military personnel. Captured imagery is analyzed using image recognition software to conduct targeted services.

The increased availability of artificial intelligence (AI) has made this latter task a lot easier. AI can also be used to correlate data gathered by different cameras to turn individual data points into a bigger picture about transport routers and military locations. Thus a single camera in a public location, such as a security camera at a petrol station, can still play a role in the espionage campaign.

Examining Cameras on the Internet

There are a great many cameras connected to the Internet. Censys data shows that in the Netherlands there are more than 45,000 such cameras: cameras that can be directly accessed from the public Internet through their IP address.

Having a camera publicly accessible doesn’t make it hackable. But almost 2,000 of the hosts running those cameras appear to contain an unpatched vulnerability that is known to have been exploited in the wild. This does not include zero-day vulnerabilities, vulnerabilities for which in-the-wild exploitation isn’t known yet, or devices with weak or compromised credentials.

A small caveat is that this doesn’t mean the camera software itself is vulnerable: many hosts run multiple services and the CenQL query merely looks for potentially vulnerable versions of any service. If we restrict ourselves to known exploited vulnerabilities in camera software itself, the query currently returns 541 services. However, as access to one service can often be used to take over the full host, we consider the broader query to give all hosts of concern. The same caveat applies to the table later in this blog post.   

This includes 159 hosts that appear to be vulnerable to CVE-2016-7407, an arbitrary code execution vulnerability in the Dropbear SSH service that has been known about since March 2017. 112 cameras in the Netherlands are likely vulnerable to CVE-2021-39275, a five-year old buffer overflow vulnerability in the Apache HTTP Server.

Of course, vulnerable cameras aren’t unique to the Netherlands. Below is a table with the number of Internet-connected cameras and those with a known exploited vulnerability for each European country that is a member of the EU and/or NATO, as well as Ukraine.

CountryNumber of camerasNumber of cameras with a potentially exploited vulnerability
Albania2158206
Austria9280935
Belgium246591168
Bulgaria672772845
Croatia5627168
Cyprus237692
Czechia285292922
Denmark7326564
Estonia7350512
Finland4060811
France683178977
Germany655398401
Greece24623649
Hungary18235933
Iceland56621
Ireland133504918
Italy9920312678
Latvia8095496
Lithuania17564777
Luxembourg69958
Malta296561
Montenegro39313
Netherlands453861992
North Macedonia2065102
Norway4140477
Poland575344250
Portugal347131286
Romania647891963
Slovakia104531015
Slovenia3701160
Spain813718685
Sweden164314376
Turkey811483864
Ukraine604874097
United Kingdom1139627142

That makes more than 87,000 exploitable Internet-connected cameras, including more than 4,000 in Ukraine. And as mentioned previously, this number is a lower bound.

How to Protect Internet-Connected Cameras

The first step in preventing cameras on your network from being used in this way is to know what devices you have exposed in the first place.

Get Full Visibility of Your Attack Surface

Censys Attack Surface Management can help you identify everything on your attack surface — from cameras to old assets you didn’t realize were still Internet-connected.

Once identified, it is important to ensure the cameras run up-to-date firmware and software. 

Strong access control and, if possible, limiting direct access to IP cameras from the Internet also mitigate the risk of hacks.

Aside from these recommendations, the services’ report also suggests limiting cameras’ field of vision to keep irrelevant objects (that may be of interest to adversaries) out of view. 


Why not check right now if newer firmware or software is available? Here are the relevant pages for popular camera brands: Hikvision; Mobotix; Amcrest; Dahua; Hanwha; Bosch.


Conclusion

The use of hacked IP cameras by a Russian state actor is another example of how vulnerable Internet-connected devices are to state-aligned adversaries, even when these devices themselves don’t seem to contain any interesting data.

The same logic applies just as directly outside the military context: an unpatched camera at a manufacturing plant’s loading dock, an energy utility’s substation perimeter, or a bank branch’s exterior. 

These transcend IT liability. They’re a live feed of physical operations, revealing shift changes, shipping schedules, security patrol timing, or which entrances go unguarded overnight. Spying doesn’t require breaching the corporate network first; a single overlooked device with a years-old CVE can hand a competitor, criminal group, or state actor months of low-cost reconnaissance on how the physical site actually runs.

CTI teams can leverage Censys Platform to create a collection monitoring CVE-2016-7407-vulnerable Dropbear hosts in their territories. To see how Censys provides you with the intelligence and speed required to protect your attack surface, request a demo.

AUTHOR
Martijn Grooten
Principal Security Researcher

A former academic mathematician, Martijn has nearly two decades of experience in cybersecurity. He previously ran the Virus Bulletin Conference, a leading threat intelligence event, led investigations into a wide range of threat actors, and worked on cybersecurity initiatives for at-risk groups and individuals. At Censys ARC, he focuses on tracking threat actor infrastructure broadly, with a particular emphasis on APT groups.