ctipilot.ch
← Back to the live brief
NOTABLENATOB2incident

AIVD/MIVD: Russia-linked actors hijack default-credential IP cameras along NATO military-supply routes to monitor Ukraine-bound shipments

discovered 2026-07-13 20:36 UTCrun 2026-07-13T2009Z-intel2 sourcessingle-source

Dutch intelligence services AIVD (General Intelligence and Security Service) and MIVD (Military Intelligence and Security Service) disclosed on 2026-07-11 that Russia-linked actors compromised "a small number" of internet-connected cameras positioned along routes used to move military supplies to Ukraine through the Netherlands — including cameras operated by businesses located on those routes — giving the operators remote viewing access to the shipments and equipment being moved (NL Times/ANP, 2026-07-11). The agencies state the cameras were reachable chiefly because they "still us[e] default passwords or outdated firmware" — weak/default-credential abuse and unpatched embedded firmware on internet-exposed devices, not a bespoke exploit chain. On 2026-07-13, after EU ministerial consultations in Brussels, the Netherlands summoned the Russian ambassador; France, Germany and Finland took the same step over related espionage and sabotage concerns, and NATO issued a joint statement condemning "the persistent malicious cyber activities of Russia" (NL Times/ANP, 2026-07-13). AIVD/MIVD separately warned businesses located along military-logistics routes to harden their camera and IoT security. This is a distinct technical story from the same-day FSB Centre 16 router-hijacking advisory and the Turla espionage attribution covered separately today — here the compromised asset class is consumer/commercial IP cameras used for physical-logistics surveillance.

Dutch intelligence services disclosed Friday that Russian actors had compromised “a small number of cameras” on routes for military shipments to Ukraine. The breaches allowed the hackers remote viewing access, according to statements from the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD).

We strongly condemn the persistent malicious cyber activities of Russia. The country uses its cyber ecosystem to attack allies and NATO partners.

NL Times (ANP) 2026-07-11

ATT&CK mapping

2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1078.001Valid Accounts: Default Accounts

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.

overlap matrix · ATT&CK page ↗

T1190Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

overlap matrix · ATT&CK page ↗

Persistence TA0003
T1078.001Valid Accounts: Default Accounts

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.

overlap matrix · ATT&CK page ↗

Privilege Escalation TA0004
T1078.001Valid Accounts: Default Accounts

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.

overlap matrix · ATT&CK page ↗

Stealth TA0005
T1078.001Valid Accounts: Default Accounts

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.