How Russia hacked webcams to aid missile, drone strikes on Kyiv

Russia hacked webcams to spy on Kyiv targets ahead of a deadly air raid this week, an example of how cyberattacks against internet-connected devices have become a part of modern warfare.

In a statement, Ukraine’s security service, the SBU, said it located and disabled two civilian surveillance cameras Russian operatives compromised so they could observe air defense systems and “critical infrastructure” ahead of massive missile and drone strikes on Jan. 2.

The attacks primarily targeted Kyiv and Kharkiv, Ukraine’s second largest city, and reportedly killed at least five people and injured 129. Power and internet services were also knocked out.

The SBU said Russia was able to remotely control the hijacked Kyiv webcams, giving it valuable intelligence that enabled it to fine-tune or “adjust” its strikes on the capital.

The Russians allegedly changed the viewing angle of one of the cameras, located on an apartment building balcony, and live-streamed the feed on YouTube.

Hacking the other camera, located at a residential complex, gave the attackers a live view of the surrounding area “including critical infrastructure facilities,” the SBU said.

The security service said since Russia’s invasion of Ukraine in February 2022, it had blocked about 10,000 IP cameras the attackers could have used to “adjust” missile attacks against Ukrainian targets.

Webcams as effective cyberwar weapons

For the past 15 years, warring nations have targeted vulnerabilities in industrial control systems, operational technology, and Internet of Things (IoT) devices to gain an advantage, said Bud Broomhead, CEO at Viakoo.

An early example was the Stuxnet worm, which was developed from around 2007 to derail Iran’s burgeoning nuclear program by compromising supervisory control and data acquisition (SCADA) systems.

“In both the Ukraine/Russia and Israel/Hamas conflicts both sides have been hacking into IP cameras and other IoT systems to gain intelligence, promote propaganda, and enable lateral movement into other systems,” Broomhead said.

“The reason is that many surveillance cameras are not maintained the way that IT systems are. They are managed outside of IT and often are ‘set it and forget it,’ and therefore lack proper cyber hygiene around firmware patching, password rotations, and certificate management.”

Research by Palo Alto Networks’ Unit 42 in 2021 found that while security cameras make up only 5% of enterprise IoT devices, they account for 33% of all security issues.

“The world of cyber and conventional warfare is a powerful combination with IoT integration and interdependency in 2024,” said Ken Dunham, cyber threat director at the Qualys Threat Research Unit.

“Cameras and other forms of IoT, including audio and visual, provide a wealth of reconnaissance and control not previously available prior to our current generation of integrated ‘smart’ devices, creating new creative command-and-control not supported in former generations of hack and attack.”

Callie Guenther, senior manager, cyber threat research at Critical Start, said the Kyiv incident was a reminder that IoT security was lagging behind the pace of technological adoption.

“Many IoT devices lack robust security features, such as strong authentication mechanisms, regular security updates, and the ability to monitor and detect suspicious activities,” Guenther said.

“As IoT devices become more ubiquitous and integral to critical operations, their security implications become more significant.”

In its statement on Russia’s webcam hacking, the SBU urged Ukrainians to take all cameras offline and to report any live streams they were aware of. The security service reminded citizens it was illegal to film and publish military activity, and doing so was punishable by up to 12 years’ imprisonment.