ctipilot.ch

Russian hijacking of IP cameras along NATO military-supply routes (2026-07)

campaign · campaign:russia-ip-camera-hijacking-nato-supply-routes-2026 single-source

AIVD/MIVD-disclosed (2026-07-11) compromise of internet-connected cameras reachable via default passwords or outdated firmware (including cameras operated by businesses along the routes) in the Netherlands, used by Russia-linked actors to monitor arms shipments to Ukraine. Triggered a coordinated NL/France/Germany/Finland ambassador summons and a NATO joint condemnation on 2026-07-13. No named Russian APT cluster was stated in the disclosure (NL Times/ANP, 2026-07-11 and 2026-07-13).

Coverage timeline
1
first 2026-07-13 → last 2026-07-13
Peak priority
notable
1 notable
Sources cited
2
1 hosts
Sections touched
1
active-threats
Co-occurring entities
1
see Related entities below
ATT&CK techniques
2
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques

ATT&CK techniques

2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1078.001Valid Accounts: Default Accounts×1

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.

Evidence: 2026-07-13/russia-ip-camera-hijacking-nato-military-supply-routes · ATT&CK page ↗

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-13/russia-ip-camera-hijacking-nato-military-supply-routes · ATT&CK page ↗

Persistence TA0003

T1078.001Valid Accounts: Default Accounts×1

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.

Evidence: 2026-07-13/russia-ip-camera-hijacking-nato-military-supply-routes · ATT&CK page ↗

Privilege Escalation TA0004

T1078.001Valid Accounts: Default Accounts×1

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.

Evidence: 2026-07-13/russia-ip-camera-hijacking-nato-military-supply-routes · ATT&CK page ↗

Stealth TA0005

T1078.001Valid Accounts: Default Accounts×1

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.

Evidence: 2026-07-13/russia-ip-camera-hijacking-nato-military-supply-routes · ATT&CK page ↗

Story timeline

  1. 2026-07-13AIVD/MIVD: Russia-linked actors hijack default-credential IP cameras along NATO military-supply routes to monitor Ukraine-bound shipments
    active-threatsDutch intelligence: Russia hijacked default-credential internet cameras along military-supply routes; four EU states summon Russian ambassadors

Where this entity is cited

  • active-threats1

Source distribution

  • nltimes.nl2 (100%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about Russian hijacking of IP cameras along NATO military-supply routes (2026-07) (1)

2026-07-13 · view entry permalink →

NOTABLENATOB2

AIVD/MIVD: Russia-linked actors hijack default-credential IP cameras along NATO military-supply routes to monitor Ukraine-bound shipments

Dutch intelligence services AIVD (General Intelligence and Security Service) and MIVD (Military Intelligence and Security Service) disclosed on 2026-07-11 that Russia-linked actors compromised "a small number" of internet-connected cameras positioned along routes used to move military supplies to Ukraine through the Netherlands — including cameras operated by businesses located on those routes — giving the operators remote viewing access to the shipments and equipment being moved (NL Times/ANP, 2026-07-11). The agencies state the cameras were reachable chiefly because they "still us[e] default passwords or outdated firmware" — weak/default-credential abuse and unpatched embedded firmware on internet-exposed devices, not a bespoke exploit chain. On 2026-07-13, after EU ministerial consultations in Brussels, the Netherlands summoned the Russian ambassador; France, Germany and Finland took the same step over related espionage and sabotage concerns, and NATO issued a joint statement condemning "the persistent malicious cyber activities of Russia" (NL Times/ANP, 2026-07-13). AIVD/MIVD separately warned businesses located along military-logistics routes to harden their camera and IoT security. This is a distinct technical story from the same-day FSB Centre 16 router-hijacking advisory and the Turla espionage attribution covered separately today — here the compromised asset class is consumer/commercial IP cameras used for physical-logistics surveillance.

Dutch intelligence services disclosed Friday that Russian actors had compromised “a small number of cameras” on routes for military shipments to Ukraine. The breaches allowed the hackers remote viewing access, according to statements from the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD).

We strongly condemn the persistent malicious cyber activities of Russia. The country uses its cyber ecosystem to attack allies and NATO partners.

NL Times (ANP) 2026-07-11
incident13 Jul 20:36Zsingle-sourceOpen finding ↗