Cyberwarfare

Russia Hacked Residential Cameras in Ukraine to Spy on Air Defense, Critical Infrastructure

Ukraine said Russia hacked two surveillance cameras and used them to spy on air defense systems and critical infrastructure in Kyiv. 


The Security Service of Ukraine (SSU) announced this week that it has taken down two residential surveillance cameras that were hacked by Russia and abused to spy on air defense systems and critical infrastructure in Kyiv. 

One of the cameras was located on a balcony and was used by its owner to monitor the area surrounding an apartment building. Russian threat actors remotely took control of the device and configured it to stream the captured video to YouTube.

The second camera was set up by its owner to monitor the car park of a residential complex. Hackers took control of the camera, which gave them visual information on the surrounding area. 

According to the SSU, the information from these webcams, which exposed air defense systems and critical infrastructure facilities, was leveraged by Russia to aid its January 2 missile attack on Kyiv. 

“In total, since Russia’s full-scale invasion, the SSU has blocked the operation of about 10,000 IP cameras that the enemy could have used to adjust missile attacks on Ukraine,” the SSU said, reminding individuals that they can face legal action if they publish videos or photos of defense force activities or enemy attacks. 

“All conflicts today (and for the past 15 years) have had some element of leveraging vulnerable IoT/OT/ICS devices to gain a cyber advantage during wartime,” said Bud Broomhead, CEO at Viakoo, a California-based provider of automated IoT cyber hygiene. 

“In both the Ukraine/Russia and Israel/Hamas conflicts both sides have been hacking into IP cameras and other IoT systems to gain intelligence, promote propaganda, and enable lateral movement into other systems,” Broomhead added. “The reason is that many surveillance cameras are not maintained the way that IT systems are; they are managed outside of IT and often are ‘set it and forget it’, and therefore lack proper cyber hygiene around firmware patching, password rotations, and certificate management.”

Ken Dunham, cyber threat director of Qualys’ Threat Research Unit, also commented on the story, saying, “Cameras and other forms of IoT, including audio and visual, provide a wealth of reconnaissance and control not previously available prior to our current generation of integrated ‘smart’ devices, creating new creative command and control not supported in former generations of hack and attack.”

“Organizations must prioritize SecOps for all areas of infrastructure, including physical security controls, segmented networks, and those considered air-gapped, as connections and capabilities often exist that complex networks may not realize until exploitation and lateral movement occur,” Dunham added. “Do not make the mistake or assumption of believing your security cameras are secure by being obscure in your segmented network – you must still prioritize and manage security for these devices, customized to the risk specific to your assets and adversaries.”


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
