Russia Hacks Doorbell Cameras To Spy On NATO Bases

Russian actors hijack unsecured IP cameras to surveil NATO routes

Russian hackers have been exploiting unsecured doorbell cameras and other internet-connected devices to spy on NATO military bases and weapons transport routes. This attack, revealed by Dutch intelligence, highlights the severe risks associated with poorly secured IP cameras and the consequences for organisations in the UK and across Europe.

How Russian Hackers Exploited Doorbell Cameras

The use of doorbell cameras and similar IP-based security devices has increased significantly in recent years, both at homes and within businesses. According to Dutch intelligence agencies AIVD and MIVD, Russian threat actors targeted these devices specifically along critical NATO military sites and weapons transport routes supporting Ukraine. The compromised cameras were used to gather ground-level surveillance data that is otherwise difficult to obtain with drones or satellites.

The attacks came to light in July 2024 after a detailed investigation by Dutch authorities. The agencies warned affected organisations with IP cameras on or near military routes, urging immediate action to secure their devices. The countries directly affected include the Netherlands and Ukraine, but the risk is relevant to all NATO member states, including the UK, where similar camera deployments are common.

Technical Details: Attack Timeline and Methods

The hackers took advantage of several common security weaknesses found in many internet-connected cameras, including:

  • Default or easily guessable passwords still in use
  • Outdated firmware containing unpatched vulnerabilities
  • Standard configurations that expose devices to the public internet

By using publicly available scanning tools, the attackers systematically searched for exposed devices. Once a vulnerable camera was identified, they attempted to access its video feed directly over the internet. This process was described as “relatively easy” due to the widespread lack of basic security controls on many devices.

The compromised cameras included not only traditional security cameras but also consumer-grade doorbell systems, which are often overlooked as potential surveillance targets. The hackers leveraged these feeds to monitor the movement of military vehicles and personnel, gaining valuable intelligence with minimal risk of detection.

Attack Timeline

  • Pre-July 2024: Russian threat actors began scanning for vulnerable IP cameras along NATO routes.
  • Early July 2024: Dutch intelligence completed their investigation and notified affected organisations.
  • Ongoing: Intelligence agencies warn that similar attacks may continue, with many devices globally still at risk.

While the exact number of compromised cameras was not disclosed, the agencies emphasised that the practice is widespread and “easier and cheaper than using drones or satellites.” The attackers’ ability to remain undetected is enhanced by the fact that most camera owners are unaware their devices are broadcasting to the internet.

Which Devices and Organisations Are Affected?

The attacks targeted a range of IP-connected security devices, but doorbell cameras have been highlighted as particularly at risk. These devices are popular with both consumers and small businesses, including in the UK, and often lack robust security settings out of the box.

Any organisation with IP cameras monitoring external areas—especially those near military, governmental or critical infrastructure sites—may be vulnerable if their devices:

  • Are accessible from the internet
  • Have not changed default credentials
  • Lack up-to-date firmware or security patches

Specific product and firmware versions were not named in the Dutch intelligence disclosure, but the vulnerabilities are considered generic and affect many popular camera brands. The risk is heightened for small and medium-sized businesses (SMBs) that may not have dedicated IT security teams to manage these devices.

Current Exploitation Status and Mitigations

The Dutch government has issued warnings to affected organisations, but there is evidence that similar attacks are ongoing. Many internet-connected cameras remain exposed, either due to poor configuration or a lack of awareness about the risks. The agencies stress that reconnaissance using these methods is now a preferred tactic for Russian intelligence, given its low cost and operational stealth.

For UK SMBs and other organisations using IP cameras, the recommendations are clear and urgent:

  • Change default passwords on all internet-facing devices
  • Update firmware to the latest version as soon as possible
  • Restrict camera access to trusted local networks and disable remote viewing unless absolutely necessary
  • Monitor device logs for unusual access attempts

Why This Event Matters for UK Organisations

This campaign demonstrates that even consumer-grade devices can be weaponised for state-level espionage. The ease with which Russian hackers accessed unsecured cameras shows that physical locations and sensitive operations can be exposed by overlooked weaknesses in basic security. For UK businesses, especially those near critical infrastructure or with sensitive operations, this is a direct call to review the security of all connected cameras and IoT devices.

Immediate Steps for Affected Organisations

  • Conduct an audit of all IP-connected cameras and devices
  • Immediately change any default or weak passwords
  • Apply security updates and patches to all devices
  • Consider professional security assessments of critical surveillance systems

Prompt action will help reduce the risk of these devices being exploited for surveillance or operational intelligence by hostile actors.

Originally reported by tech.slashdot.org.

Share this bulletin

About the Author

Rob McBride Headshot - CyPro Partner and leading cyber security expert

Rob McBride

Partner

  • CISSP
  • ACA Chartered Accountant
  • MPhil
  • BSc
  • SOC 2
  • ISO 27001

Rob McBride

Rob is a Founding Partner at CyPro and a highly experienced CISO. Beginning his career with a successful tenure at Deloitte, Rob has since amassed a wealth of experience, notably serving as a cyber security advisor to the UK government and spearheading cloud security transformations for several global banks.

At CyPro, Rob leads the managed service business line, working extensively across multiple sectors including telecommunications, technology, higher education, travel, and retail. He is passionate about equipping small and medium-sized businesses (SMBs) with robust cyber security strategies to fuel their growth.

View Profile
Back to Bulletins
Category
Cyber Attacks
Published
Jul 10 - 2026
Post Tags
Cypro firewall showing robust network security
Secure your business.
Elevate your security, accelerate your growth. We take care of cyber security for high-growth companies, at every stage of their journey.
Get in touch
CyPro Cookie Consent

Hmmm cookies...

Our delicious cookies make your experience smooth and secure.

Privacy PolicyOkay, got it!

We use cookies to enhance your experience, analyse site traffic, and for marketing purposes. For more information on how we handle your personal data, please see our Privacy Policy.

Schedule a Call