Western intelligence agencies say Russia may have tried to take control of at least 1.000 surveillance cameras in Romania since 2022.
Russia's military intelligence service (GRU) targeted thousands of surveillance cameras across Romania and other NATO countries bordering Ukraine in an attempt to monitor the flow of military and humanitarian aid to Kiev, according to a recent investigation involving the United States (US) and several European countries.
This extensive cyber espionage campaign, attributed to the notorious GRU Unit 26165, began after Russia launched a full-scale invasion of Ukraine in February 2022.
Also known as APT28 or Fancy Bear, GRU Unit 26165 is a cyber group responsible for high-profile espionage campaigns against Western governments, defense, and logistics sectors.
Investigators said that of the approximately 10.000 compromised IP addresses, nearly 1.000 belonged to surveillance cameras in Romania – making it the second most affected country after Ukraine itself. Other targeted countries include Poland, Hungary and Slovakia.
Russian hackers used sophisticated spearphishing tactics – sending personalized emails designed to trick users into revealing their login details on fake websites, investigators said.
In some cases, they distributed malware hidden in pornographic material. Once they gained access, the attackers were able to collect sensitive metadata from the cameras, including their location, model, software version, and user information.
This approach allowed Russian operatives to monitor strategic locations, such as border crossings, military installations, train stations, and ports – particularly those involved in transporting aid to Ukraine – in real time.
According to the investigation, the goal was to gather intelligence on the routes and timing of Western support deliveries crossing the border and entering Ukraine as it fought Russian troops.
Romania, with its 650-kilometer border with Ukraine, is a key transit country for refugees and aid. Key border points such as Siret, Sighetu Marmariei and Galati, as well as ports on the Danube, have seen intense activity since the start of the war more than three years ago.
Although the exact routes of military aid remain confidential, the exposure of surveillance infrastructure poses serious security risks.
A significant vulnerability stems from the widespread use of Chinese surveillance cameras (particularly Hikvision and Dahua) in Romania, including by government agencies, the military, border police, and even the Parliament. These brands are banned or restricted in the US and other Western countries due to security concerns, but they remain widespread in Romania.
Romanian intelligence services did not participate in the multinational investigation led by the US, Britain, Germany, France, Poland, Estonia and the Czech Republic.
In response to questions from Radio Free Europe/Radio Liberty (RFE)'s Romanian service, the Romanian Ministry of Defense stated that it "has no regulatory or supervisory powers regarding the installation and operation of surveillance systems by individuals or legal entities in Romania."
The ministry added, however, that relevant authorities are taking "necessary measures to prevent the unauthorized collection of information not intended for public release regarding their military units and their activities."
RFE/RL also contacted the Romanian Intelligence Service and the Cybersecurity Directorate for comment.
Bonus video:
