Russian Military Used Hacked Cameras in Missile Strike on Capital, Alleges Ukraine
Russia hacked video surveillance cameras as part of a massive air attack on Kyiv, according to Ukrainian security services.
Several countries have banned camera manufacturers in recent years over national security concerns, including that adversaries might exploit software vulnerabilities in a conflict. But this is the first known incident in which cameras were hacked as part of a military strike.
In this report, we examine the Ukrainian government's claims, the military advantages to Russia from hacking cameras, and how Ukraine is responding.
Hikvision Cameras Hacked in Strike on Kyiv
On January 2, 2024, after a Russian barrage of 300+ missiles and 200+ drones killed multiple people in Kharkiv and Kyiv, Ukraine's capital, the Security Service of Ukraine (SBU/SSU) announced it had uncovered that two "online surveillance cameras were hacked by Russian intelligence services to spy on the Defense Forces in the capital."
The cameras "broadcasted the work of [Ukrainian] air defenses" and other infrastructure, and "With the help of these cameras...the aggressor [Russia] collected data for preparing and adjusting strikes on Kyiv," as the SBU explained on YouTube:
The owner of one of the devices described in an interview with Espresso TV, a Ukrainian news channel, that he thought little of it when it started moving on its own. But after the January 2 strike, he saw footage from his camera on Telegram showing a Ukrainian missile defense battery in action outside his apartment window:
Telegram, a social media and messaging app, is popular in Eastern Europe and widely used by both the Ukrainian and Russian governments.
An official confirmed to Schemes, the investigations arm of Radio Free Europe/Radio Free Liberty (RFE/RL), that the devices were made by Hikvision. As the Ukrainian initiative Don't Fund Russian Army first suggested to IPVM, the apartment window camera appears to be a Hikvision DS-2CV2Q01FD-IW:
The SBU did not release information on how hackers hijacked the cameras, but several critical vulnerabilities in Hikvision software could be used. Alternatively, they could have exploited vulnerabilities in non-Hikvision software, as discussed further on.
Military Advantages of Hacking Surveillance Cameras
By hacking Ukrainian cameras, it is thought that Russia could gain several military advantages.
Video feeds could help plan strikes by identifying and precisely locating important infrastructure or air defense systems. During a strike, Russian commanders could leverage live feeds to confirm the destruction of Ukrainian targets and, if needed, call in further attacks or adjust targeting.
Yuri Butusov, a prominent journalist covering the war and Editor-in-Chief of the popular Ukrainian news site Censor.net, expounded on how Russia could exploit surveillance feeds in a May 2023 Facebook post.
Whereas the US military might employ satellites or aerial reconnaissance to plan and execute air strikes, he argues hacked camera feeds would be valuable given the Russian military's more limited capabilities:
Russian satellites do not have the ability to constantly scan the impact areas, and therefore the rapid release of data from video cameras is the best means of obtaining intelligence...The enemy receives accurate intelligence information about the organization and tactics of air defense operations thanks to stationary video cameras in large cities of Ukraine. [emphasis added]
Cameras can provide not only the approximate location of Ukrainian defenses but "observing the number of rocket launches from one point says a lot about the characteristics of missile defense systems," as well as their "ammunition stock."
For instance, a Russian commander could watch a live feed counting how many interceptor missiles have been launched and wait until it needs to reload - a lengthy process for Patriot missile systems - to strike, potentially leaving the system itself and the surrounding area defenseless.
Surveillance footage of air strikes can also be useful in military propaganda.
For instance, after the January 2 attack, well-known Kremlin propagandist Vladimir Solovyov posted video surveillance footage on his Telegram channel showing Russian missiles striking Kyiv:
Solovyov did not confirm how he obtained the footage.
Butusov argues this is "a huge problem for national security."
A huge problem of national security - our intelligence agencies and law enforcement still have no control over installing video cameras and streaming online videos from these cameras.
SBU Blocking Cameras, Warning Public of Risks
In its announcement of the January 2 hack, the SBU revealed that since the war began, it has blocked "about 10,000 IP cameras which the enemy could use to adjust missile attacks on Ukraine."
The SBU also urged the Ukrainian public to stop using cloud-connected surveillance. If they see streams online, they should report them to the SBU's "official chatbot."
The SBU calls on owners of street cameras to stop online broadcasts from their devices, and citizens to report detected streams from such cameras to the official chatbot of the SBU: https://t.me/stop_russian_war_bot.
Broader Risk to Ukraine from Russia, PRC China Cameras/Software
Cameras running PRC China or Russian software are more likely to be hacked by Russian forces and remain a significant risk for Ukraine. Don't Fund Russian Army told IPVM, "Most likely, Ukraine will need to replace such equipment."
A series of investigations by Kyrylo Ovsyaniy, a Ukrainian journalist with RFE/RL's Schemes, has revealed how Hikvision or Dahua cameras are widely used in Ukraine, including at sensitive sites like the Chernobyl nuclear power plant and in large public surveillance systems:
Hikvision and Dahua cameras and software account for 74 percent of the CCTV systems used in Ukraine’s national video-surveillance system for roads, streets, parks, apartment buildings, and other public spaces.
Many cameras in Ukraine also run VMS software from Trassir, owned by Moscow-based company DSSL. A Schemes investigation showed that Trassir routes surveillance footage through servers in Russia and alleges Trassir has FSB ties. CEO of DSSL Igor Oleynik denied this, telling IPVM, "Trassir is [a] commercial company and doesn't have any relation to FSB."
Nonetheless, the Ukrainian government issued an internal warning in May 2022 that "Trassir/DSSL cooperates with federal ministries and security sector services of the Russian Federation," according to Schemes.
Critical vulnerabilities have been repeatedly discovered in both Dahua and Hikvision software and could be exploited by Russia or even nonstate actors. Dahua and Hikvision's ties to the People's Liberation Army exacerbate these risks; given China's support for Russia's invasion of Ukraine, there is an increased chance that China would share information with Russia on how to defeat the security of Dahua and Hikvision devices.
According to Don't Fund Russian Army, "90% of video surveillance cameras in Ukraine are produced in China, which turned out to be a real Trojan horse for Kyiv. Due to existing cyber vulnerabilities, Russian special services easily gain access to cameras to adjust shellings of Ukrainian cities."
We could not find any publicly disclosed vulnerabilities associated with Trassir (or DSSL). However, Ukraine would be justified in avoiding the use of software from any Russian company. There is a significant risk that Trassir would share - willingly or not - data transiting its Russian servers with the government or assist the Russian military in hacking cameras running its software.