

More than 20 international agencies issued a joint cybersecurity advisory this week, warning of a Russian state-sponsored campaign that hacked into IP cameras of Western logistics and technology companies.
The advisory links the activity to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—commonly known as APT28 and Fancy Bear. It says that around the time of the invasion of Ukraine in late February 2022, the unit expanded its targets to logistics entities and technology companies involved in delivering aid to Ukraine.
The threat actors used a variety of methods to gain access, including credential guessing, spearphishing for credentials, spearphishing delivering malware, and exploitations of other vulnerabilities.
The targeted entities include organizations within North Atlantic Treaty Organization (NATO) member states, Ukraine, and other international organizations in air traffic management, the defense industry, IT services, maritime, and transportation and transportation hubs (ports, airports, etc.).
The threat actors likely used access to private cameras at key locations near border crossings, military installations, and rail stations to track the movement of materials into Ukraine.
“The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices and gain access to the cameras’ feeds,” the advisory said. “Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras. The DESCRIBE requests were crafted to obtain access to IP cameras located on logically distinct networks from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices.”
Successful responses to these requests would contain snapshots of the IP camera’s image and IP camera metadata, such as video codec (a process that compresses or decompresses video data), resolution, and other properties dependent on the camera’s configuration.
A sample of more than 10,000 cameras targeted using this method, available to the agencies that authored the advisory, showed a strong focus on cameras in Ukraine (81.0 percent of total attempts), followed by the border countries of Romania (9.9 percent), Poland (4.0 percent), Hungary (2.8 percent), and Slovakia (1.7 percent), with others making up 0.6 percent.
“This malicious campaign by Russia’s military intelligence service presents a serious risk to targeted organizations, including those involved in the delivery of assistance to Ukraine,” said Paul Chichester, director of operations at the UK’s National Cyber Security Centre, which co-signed the advisory, in a statement. “The UK and partners are committed to raising awareness of the tactics being deployed. We strongly encourage organizations to familiarize themselves with the threat and mitigation advice included in the advisory to help defend their networks.”
Andrew Kirsch, a former intelligence officer with the Canadian Security Intelligence Service and president of risk consultancy Kirsch Group, says that government information sharing of this kind is welcome and helpful, because governments often have access to extremely sensitive and pertinent information.
“In cases where the government relies on or works with private industry in the operations and security of our critical assets, it’s important they get this type of information to those partners so they can better protect themselves and therefore everyone,” Kirsch adds.
What Camera Access Reveals
As security practitioners well know, IP camera video surveillance systems are often used for monitoring, surveilling, and investigating events that occur at an organization’s facilities.
These cameras “are often set up strategically around entrances, points of access to monitor movement and irregular activities in sensitive areas,” Kirsch says. “It would make sense that adversaries would want to have access to this information for their own purposes—specifically in the case of monitoring shipments, personnel, and logistics of adversaries.”
Will Knehr, global cybersecurity advisor at i-PRO, adds that access to video surveillance at the locations mentioned in the advisory gives threat actors valuable information on troop movements, guard rotations, security weak spots, and operational rhythms, which could be used for general intelligence and coordinating disruptive actions.
For instance, if a nation state wanted to attack a power plant, video surveillance would provide insights on the physical security controls in place at the location—barriers, locks, fences, and guards—as well as the flow of people and equipment through the location.
“I can tell when shift changes happen, when the guards go on rotation or patrol, what brand names or models they use for their equipment, how well armed they are, what their uniforms look like, what their badges look like—the possibilities are endless,” Knehr says. “All of that information can be used to determine what the best plan of attack is (physical or cyber), when to do it, how to do it, etc.
“It’s also a wealth of information for their intelligence agencies. If Russia has compromised video systems in airports, shipyards, and rail stations—they can see how many troops are coming in, what countries they are staging up in, and equipment they are bringing in.”
While the threat seems to be mostly targeted at countries in Eastern Europe, “it is a reminder that infrastructure and logistics servers, security devices, and data are high value and high-priority topics,” says Salvatore D’Agostino, a member of the ASIS International IT Security Community Steering Committee. “It also highlights the fact that IP devices—and in particular IP surveillance cameras—are in the crosshairs of state actors.”
Security Next Steps
The advisory included indicators of compromise that organizations can use to assess their video surveillance systems to see if they have been affected.
It also included a host of measures private entities should take to mitigate the risk of this threat, such as using appropriate network segmentation, using automated tools to audit access logs for security concerns and to identify anomalous access requests, and blocking certain types of logins.
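The advisory describes the probing pattern (RTSP DESCRIBE requests carrying Base64-encoded Basic credentials, including default ones, sent at many cameras) and recommends auditing access logs for anomalous access requests. The following is an added example, not code from the advisory or from any vendor, of what such an audit can look like on the defender's side: it parses RTSP request log lines, decodes the Basic credential, and flags external sources that use a known default pair, spray several distinct credentials, or sweep several camera hosts. The log format, the sample lines, the `KNOWN_DEFAULTS` set, and the trusted management prefix are all assumptions constructed for this example; a real deployment would substitute its own router or proxy log format and the defaults documented for its camera models.

```python
"""Added example: scan constructed RTSP access-log lines for the DESCRIBE probing
pattern described in the advisory and flag sources that look like credential
guessing against IP cameras. Defender-side detection only."""
import base64
import re
from collections import defaultdict
from typing import Dict, Optional

# Assumed log format (an assumption for this example, not a real device's format):
#   <timestamp> <src_ip> -> <dst_ip>:<port> "<METHOD> <url> RTSP/1.0" auth=<Authorization value or ->
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) '
    r'"(?P<method>[A-Z_]+) (?P<url>\S+) RTSP/1\.0" auth=(?P<auth>.*)$'
)

# Placeholder set of vendor-published default credentials (constructed);
# replace with the defaults documented for the camera models actually deployed.
KNOWN_DEFAULTS = {"admin:admin", "admin:12345"}

# Management hosts that are expected to open camera streams (constructed).
TRUSTED_SOURCE_PREFIXES = ("10.0.0.",)


def basic(cred: str) -> str:
    """Build an RTSP/HTTP Basic Authorization value from 'user:password'."""
    return "Basic " + base64.b64encode(cred.encode()).decode()


# Constructed sample lines: one external host sweeps three cameras with three
# credential pairs, a second external host makes a single attempt, and an
# internal operator opens a stream with a non-default credential.
SAMPLE_LOG = "\n".join([
    '2022-03-04T10:00:01Z 203.0.113.7 -> 192.0.2.10:554 "DESCRIBE rtsp://192.0.2.10/stream1 RTSP/1.0" auth=-',
    f'2022-03-04T10:00:02Z 203.0.113.7 -> 192.0.2.10:554 "DESCRIBE rtsp://192.0.2.10/stream1 RTSP/1.0" auth={basic("admin:admin")}',
    f'2022-03-04T10:00:03Z 203.0.113.7 -> 192.0.2.11:554 "DESCRIBE rtsp://192.0.2.11/stream1 RTSP/1.0" auth={basic("admin:12345")}',
    f'2022-03-04T10:00:04Z 203.0.113.7 -> 192.0.2.12:554 "DESCRIBE rtsp://192.0.2.12/stream1 RTSP/1.0" auth={basic("service:service")}',
    '2022-03-04T10:00:05Z 203.0.113.7 -> 192.0.2.12:554 "OPTIONS rtsp://192.0.2.12/stream1 RTSP/1.0" auth=-',
    f'2022-03-04T10:01:00Z 198.51.100.9 -> 192.0.2.10:554 "DESCRIBE rtsp://192.0.2.10/stream1 RTSP/1.0" auth={basic("viewer:Unique-9f3k")}',
    f'2022-03-04T10:02:00Z 10.0.0.5 -> 192.0.2.10:554 "DESCRIBE rtsp://192.0.2.10/stream1 RTSP/1.0" auth={basic("ops:correcthorse")}',
    "this line is malformed and must be skipped",
])


def decode_basic(auth: str) -> Optional[str]:
    """Return 'user:password' from a Basic Authorization value, or None if absent or invalid."""
    if not auth.startswith("Basic "):
        return None
    try:
        cred = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None
    return cred if ":" in cred else None


def analyze(log_text: str, threshold: int = 3) -> Dict[str, dict]:
    """Aggregate DESCRIBE requests per external source and flag suspicious ones.

    Flags per source:
      default_credentials - at least one attempt used a pair from KNOWN_DEFAULTS
      credential_spray    - at least `threshold` distinct credential pairs
      camera_sweep        - at least `threshold` distinct camera hosts probed
    """
    per_src = defaultdict(lambda: {"describes": 0, "creds": set(), "targets": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "DESCRIBE":
            continue  # skip malformed lines and non-DESCRIBE methods
        if m["src"].startswith(TRUSTED_SOURCE_PREFIXES):
            continue  # expected management traffic; out of scope for this check
        rec = per_src[m["src"]]
        rec["describes"] += 1
        rec["targets"].add(m["dst"])
        cred = decode_basic(m["auth"])
        if cred:
            rec["creds"].add(cred)

    findings = {}
    for src, rec in per_src.items():
        flags = set()
        if rec["creds"] & KNOWN_DEFAULTS:
            flags.add("default_credentials")
        if len(rec["creds"]) >= threshold:
            flags.add("credential_spray")
        if len(rec["targets"]) >= threshold:
            flags.add("camera_sweep")
        if flags:
            findings[src] = {"describes": rec["describes"], "targets": sorted(rec["targets"]), "flags": flags}
    return findings


if __name__ == "__main__":
    for src, f in analyze(SAMPLE_LOG).items():
        print(f"{src}: {f['describes']} DESCRIBE requests to {f['targets']} -> {sorted(f['flags'])}")
```

On the constructed log, only 203.0.113.7 is reported, with all three flags; the single-attempt external host stays below the threshold and the internal operator is excluded by the trusted prefix. The same three signals (default pair, many credentials from one source, many camera hosts from one source) are what the advisory's recommendation to audit access logs and block certain logins is meant to surface, and they map directly onto the segmentation advice: a DESCRIBE arriving at a camera from outside the management network is itself worth an alert.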
Kirsch emphasizes that it’s important to protect video surveillance systems to ensure the tools we use to enhance our own protection are not compromised and exploited against us.
“Surveillance systems are designed to capture and share information, and any data in transit is vulnerable to cyber compromise,” Kirsch says. “From the basic programming of the devices to ensuring that the users of the systems are practicing good cyber hygiene, it’s important to monitor for signs of compromise. Ongoing monitoring to detect irregular access or exfiltration of data can alert to a problem.”
Knehr adds that the threat actor was not using new or novel techniques to gain access to these IP cameras.
“Every single one of these loops back to poor cyber hygiene,” Knehr explains. “Default passwords for many devices can be found on the Internet, and integrators have a bad habit of reusing passwords across different projects. In short, using a password manager, updating the software and firmware on devices, vulnerability scanning, and basic cybersecurity training kill almost all the [tactics, techniques, procedures] in their tracks.”
Beyond the advisory, Knehr says that it is important to protect your video surveillance cameras like other critical IT assets. This includes using secure network configurations, regular patching and updates, unique passwords, password managers, and secure protocols. He also recommends segmenting these devices from core infrastructure, running vulnerability scans on IIoT networks, and making sure these networks are in your penetration testing scope, along with disabling unused ports and services on these devices and monitoring network traffic and device access.
“These networks and devices should be subject to the same rules, monitoring, and security testing that all core infrastructure networks are subject to,” Knehr says. “I recommend that all organizations set up a board that reviews and implements all projects, especially IT, IIoT, IoT, and OT devices. The board should consist of IT, cybersecurity, and physical security personnel, as well as other key stakeholders within the organization.”
D’Agostino adds that the advisory clearly shows the interdependence of physical and information security.
“The report itself is a result of the combined effort of many organizations from multiple countries to address the risk from state actors and their extensive set of hacking and attack tools,” D’Agostino explains. “Both IT and physical security need to stay on top of reports of this kind and also with their relevant information sharing and analysis centers.”