The Dutch findings are not isolated. They align with a much larger, well-documented campaign:
May 2025 Joint Cybersecurity Advisory: More than 20 international agencies (including the U.S. NSA, FBI, CISA, the UK NCSC, and allied European cyber agencies) issued a joint advisory warning that Russia's GRU Main Intelligence Directorate — specifically Unit 26165 (APT28 / Fancy Bear) — was running a state-sponsored campaign specifically targeting IP cameras of Western logistics and technology companies involved in moving Ukraine aid . The advisory notes this campaign has been active since at least 2022
.
UK intelligence disclosures: British intelligence separately warned in May 2025 that a GRU unit had gained access to border crossing cameras, traffic cameras, railway station cameras, and other surveillance systems at key European points of entry, specifically to monitor and potentially disrupt the flow of Western military aid into Ukraine .
Linked activities: In April 2025, the MIVD reported that Russian state-backed hackers had also attempted a sabotage attack against the digital operating system of a Dutch public facility — the first known such sabotage attempt in the Netherlands .
The core vulnerability exploited is trivial: consumer-grade IP cameras and doorbell cameras with default or weak passwords, unpatched firmware, or direct internet exposure. These devices are ubiquitous, poorly secured by design, and scattered across civilian infrastructure — including homes and small businesses located on logistical routes. Russian actors did not need to breach highly protected NATO networks directly; they simply surveilled what was already visible from unsecured civilian cameras along the supply chain.
The GRU's traditional focus was battlefield and military networks. Since 2022, it has pivoted to targeting Western logistics entities and technology companies that coordinate, transport, and deliver aid to Ukraine . The goal is twofold: intelligence collection (real-time tracking of weapons shipments) and potential disruption (threatening to sabotage or publicly expose the movement of military supplies).
Dutch intelligence has stated that Russia is ramping up hybrid attacks against Europe, and that the Netherlands is facing its biggest security threat in decades . The camera-hijacking campaign is part of a pattern that also includes:
In April 2026, Dutch intelligence reiterated that Russia's hybrid warfare posture is escalating across cyber, sabotage, and espionage domains .
Because IP cameras are owned by private civilians and small businesses along public roads, traditional NATO perimeter defense does not cover them. The threat exposes a structural vulnerability: state adversaries can exploit the massive, unregulated IoT attack surface that exists outside formal military security boundaries. The joint advisory specifically urges logistics companies and technology providers to inventory all internet-connected devices, change default credentials, and segment networks .
The Dutch intelligence disclosures — corroborated by joint advisories from the U.S., UK, France, Germany, and other NATO allies — confirm that Russian GRU-linked hackers have been hijacking unsecured civilian IP cameras (including doorbell cameras) near NATO bases and along European transit corridors to conduct real-time surveillance of weapons shipments to Ukraine. This is not a one-off incident but part of a sustained, state-directed hybrid campaign targeting the entire Western logistics supply chain, exploiting the pervasive insecurity of consumer IoT devices, and representing a growing hybrid threat that NATO states are structurally underprepared to counter.