The Russian military intelligence service (GRU) has targeted thousands of surveillance cameras across Romania and other NATO member states bordering Ukraine in an attempt to monitor the flow of military and humanitarian aid to Kiev, according to a new investigation involving the United States and several European countries.
The extensive cyber espionage campaign, which was attributed to the notorious GRU unit 26165, began after Russia launched its full-scale invasion of Ukraine in February 2022.
Also known as APT28 or Fancy Bear, Unit 26165 is a cyber group known for high-profile espionage campaigns against Western governments and the defense and logistics sectors.
Investigators said that of the approximately 10,000 compromised IP addresses, nearly 1,000 belonged to security cameras in Romania — making it the second most affected country after Ukraine itself. Other countries targeted include Poland, Hungary and Slovakia.
Russian hackers used sophisticated "spearphishing" techniques - sending personalized emails to trick users into giving their login credentials to fake websites, according to investigators.
In some cases, they also distributed malware hidden in pornographic material. After gaining access, the attackers collected sensitive data from the cameras, including location, model, software version, and user data.
This approach allowed Russian operatives to monitor in real time strategic locations such as border crossings, military bases, railway stations, and ports – particularly those involved in transporting aid to Ukraine.
According to the investigation, the goal was to gather information about the routes and timing of Western aid shipments crossing the border into Ukraine as it was trying to repel Russian occupying forces.
Romania, with a 650-kilometer border with Ukraine, is a key transit point for refugees and aid. Points such as Siret, Sighetu Marmatiei and Galati, as well as ports on the Danube, have seen a huge influx since the start of the war more than three years ago.
While the exact routes of military aid remain classified, the exposure of surveillance infrastructure poses a serious security risk.
One notable vulnerability relates to the widespread use of Chinese security cameras (particularly Hikvision and Dahua) in Romania, including by state agencies, the military, border police, and even the Parliament. These brands have been banned or restricted in the US and other Western countries due to security concerns, but remain widespread in Romania.
Romanian intelligence services did not participate in the multinational investigation led by the United States, Britain, Germany, France, Poland, Estonia and the Czech Republic.
In response to questions from Radio Free Europe/Radio Liberty's Romanian Service, Romania's Ministry of Defense said that "there is no regulatory or supervisory authority for the installation and operation of surveillance systems by individuals or legal entities in Romania."
However, the ministry added that relevant authorities are taking “the necessary measures to prevent the unauthorized collection of information not intended for the public, regarding military units and their activities.”
Radio Free Europe has also contacted Romania's Intelligence Service and the Directorate for Cybersecurity for comment./ REL (A2 Televizion)
A2 CNN Livestream
MUND TE LEXONI GJITHASHTU
