Russian Agents Hack Webcams to Guide Missile Attacks on Kyiv

The Security Service of Ukraine (SSU) has asked owners and operators of webcams in the country to stop broadcasts from their devices over concerns about Russia's intelligence services using the feeds to conduct military reconnaissance against strategic targets.

The SSU's move follows a recent incident where Russian agents hacked into two residential webcams in Kyiv to gather information on the city's air defense systems prior to launching a missile attack on the Ukrainian capital.

Residential Webcams

In a statement, the SSU described one of the webcams as being located on top of a Kyiv apartment building — apparently near a critical infrastructure facility — and being used by the condo association to monitor the surrounding area. Russian intelligence services hacked into the camera, changed its viewing angle, and streamed its live feed to YouTube from which they monitored everything within the camera's range.

The second camera too was located at a residential complex in Kyiv, this one for monitoring the building's parking facility. Russian agents took control of the webcam the same way they did with the first and used it to gather information on an adjacent critical infrastructure facility. "The aggressor used these cameras to collect data to prepare and adjust strikes on Kyiv," the SSU said. "Based on the uncovered facts, the SSU is acting to neutralize new attempts by the invaders to conduct reconnaissance and sabotage through online cameras."

So far, this has meant blocking the operation of some 10,000 IP cameras in Ukraine that Russia could have used to inform its missile attacks on the country, the SSU said. In its statement, the state security agency reminded citizens and operators of street webcams in the country about their obligation not to broadcast video and images that Russia could use for targeted attacks. "Remember: it is forbidden to film and publish photos and videos of the operation of the Defence Forces and the consequences of enemy attacks," the SSU said. "The publication of such material on the Internet is considered to be adjustment of enemy fire and is subject to criminal liability."

The Broader Threat

Russia's hacking of IP cameras and the country's use of them in carrying out air attacks against Ukraine highlights the risks associated with webcams and insecure IoT devices in general. "Within the IoT landscape, IP cameras are the low-hanging fruit for cyberattacks," says Bud Broomhead, CEO of Viakoo. He points to a 2021 report from Palo Alto Networks that identified IP cameras as the least secure IoT devices, followed by Internet-connected printers.

In the Ukraine-Russia and Israel-Hamas conflicts, both sides have been hacking into IP cameras and other IoT systems to gain intelligence, promote propaganda, and enable lateral movement into other systems, Broomhead says. "The reason is that many surveillance cameras are not maintained the way that IT systems are; they are managed outside of IT and often are 'set it and forget it,' and therefore lack proper cyber hygiene around firmware patching, password rotations, and certificate management."

The apparent ease with which Russian agents managed to compromise the IP cameras in Kyiv highlights the lack of robust security features in many widely deployed IoT products. These include features such as strong authentication mechanisms, regular security updates, and the ability to monitor and detect suspicious activities, says Callie Guenther, senior manager, cyber threat research at Critical Start.

"For organizations, especially those in sectors reliant on IoT and ICS, the key takeaway is the urgent need to prioritize security in their digital transformation strategies," Guenther says. "This includes conducting regular security assessments, implementing a robust security framework tailored to their specific operational environment, and ensuring continuous monitoring and incident response capabilities."

Concerns over IoT security prompted the National Institute of Standards and Technology to propose a new encryption standard in February 2023 for connected devices based on a group of algorithms known as Ascon. NIST has described the standard as designed for even the most lightweight IoT devices — such as IP cameras, medical devices, and stress detectors on roads and bridges. However, security experts expect it will be sometime yet before IoT vendors begin implementing the new standard in any meaningful way, given how far behind most of them are in implementing even basic security protections.