AIVD/MIVD-disclosed (2026-07-11) compromise of internet-connected cameras reachable via default passwords or outdated firmware (including cameras operated by businesses along the routes) in the Netherlands, used by Russia-linked actors to monitor arms shipments to Ukraine. Triggered a coordinated NL/France/Germany/Finland ambassador summons and a NATO joint condemnation on 2026-07-13. No named Russian APT cluster was stated in the disclosure (NL Times/ANP, 2026-07-11 and 2026-07-13).
2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)
Initial Access TA0001
T1078.001Valid Accounts: Default Accounts×1
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.
active-threatsDutch intelligence: Russia hijacked default-credential internet cameras along military-supply routes; four EU states summon Russian ambassadors
Where this entity is cited
active-threats1
Source distribution
nltimes.nl2 (100%)
Co-occurring entities
Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.
Dutch intelligence services AIVD (General Intelligence and Security Service) and MIVD (Military Intelligence and Security Service) disclosed on 2026-07-11 that Russia-linked actors compromised "a small number" of internet-connected cameras positioned along routes used to move military supplies to Ukraine through the Netherlands — including cameras operated by businesses located on those routes — giving the operators remote viewing access to the shipments and equipment being moved (NL Times/ANP, 2026-07-11). The agencies state the cameras were reachable chiefly because they "still us[e] default passwords or outdated firmware" — weak/default-credential abuse and unpatched embedded firmware on internet-exposed devices, not a bespoke exploit chain. On 2026-07-13, after EU ministerial consultations in Brussels, the Netherlands summoned the Russian ambassador; France, Germany and Finland took the same step over related espionage and sabotage concerns, and NATO issued a joint statement condemning "the persistent malicious cyber activities of Russia" (NL Times/ANP, 2026-07-13). AIVD/MIVD separately warned businesses located along military-logistics routes to harden their camera and IoT security. This is a distinct technical story from the same-day FSB Centre 16 router-hijacking advisory and the Turla espionage attribution covered separately today — here the compromised asset class is consumer/commercial IP cameras used for physical-logistics surveillance.
Dutch intelligence services disclosed Friday that Russian actors had compromised “a small number of cameras” on routes for military shipments to Ukraine. The breaches allowed the hackers remote viewing access, according to statements from the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD).
We strongly condemn the persistent malicious cyber activities of Russia. The country uses its cyber ecosystem to attack allies and NATO partners.