Russian hackers hacked 10,000 cameras to spy on supplies to Ukraine

The British The Guardian reported on a major cyberattack, which is behind the Russian GRU, namely unit 26165 — better known as APT28 or Fancy Bear. According to the British National Cyber ​​Security Center (NCSC) and allies, hackers gained one-time access to images from 10,000 surveillance cameras installed at border crossings, railway junctions and military facilities in Ukraine, as well as Poland, Romania, Slovakia and Hungary.

What happened

The hackers used the cameras for a one-time capture of the situation – they received “snapshots of the moment”, rather than a continuous broadcast. However, this turned out to be enough to analyze the routes of supplying weapons and humanitarian aid to Ukraine.

Here is how the access points were distributed:

• 80% of cameras — in Ukraine (~8000 devices)
• 10% — in Romania (~1000)
• 4% — in Poland (~400)
• 2.8% — in Hungary (~280)
• 1.7% — in Slovakia (~170)
• ~150 cameras — geography is not installed

APT28 has previously been implicated in investigations into the hacking of the US Democratic Party’s servers in 2016, as well as in the World Anti-Doping Agency data leak. But the current operation is one of the largest and most technical, aimed at the backs of support for Ukraine.

Attack methods

The cameras are only part of the scheme. The operation also used:

• phishing emails with questionable content (including for adults)
• fake profiles of civil servants
• voice calls impersonating officials
• attempts to steal logistics documents: manifests, train schedules, and supply routes

The United States, Great Britain, Germany, and France issued a joint statement condemning Russia’s actions and calling for increased cyber defense of critical infrastructure. NCSC spokesman Paul Chichester said APT28’s actions “pose a serious threat” to organizations providing assistance to Ukraine.

Cybersecurity experts recommend the following measures:

• enabling multi-factor authentication
• segmenting video surveillance networks
• updating IP camera firmware
• blocking VPN access from unknown addresses
• monitoring requests via RTSP (video streaming protocol)

Special attention should be paid to the protection of the RTSP protocol, which is often used in IP cameras and allows remote control of streams – it was through it that the images could be captured.

The attack confirms that cyberwar remains the most important tool of pressure for the Russian Federation. This time, its target is not combat units, but logistics – a vital channel on which the stability of Ukraine’s defense depends.