Naked Security

Spy vs. Spy – “Cozy Bear” election hackers undone by hackable security camera

Dutch counter-hackers spy on "Cozy Bear" election hackers using hackable security camera.

The Dutch public broadcaster, NOS, just published a fascinating flag-waving Spy vs. Spy story about how the Dutch intelligence services helped the US fight off cyberattacks during the last US elections.
The article, entitled Hackteam AIVD gaf FBI cruciale info over Russische inmenging verkiezingen (Dutch Intelligence hacking team gave FBI vital information about Russian election interference), presents a timeline of what you might call counter-hacking starting back in 2014.
[There’s an English version of the article online, but it’s a rewrite, not a translation.]


One of the claims made is that the Dutch counter-hackers were able to infiltrate a Russian cybergang known as Cozy Bear and keep an eye on them.
And when we say “keep an eye on”, we mean it quite literally.
Apparently, the Dutch penetrated a security camera in the corridor leading to the hackers’ office, giving the counter-spies a view of everyone who came and went – information that was shared with US intelligence.
The Cozy Bear crew, it seems, didn’t realise that they’d been counter-hacked and betrayed by their own network.
NOS continues by saying that there were “about 10 people” in the Cozy Bear group, an imprecision that suggests either that the hacked camera didn’t have very good image quality, or that some of the group worked off-site.
Nevertheless, it’s an almost delightful irony that the hackers’ own security precautions were turned against them.
Two-faced CCTV cameras are, sadly, not a new topic on Naked Security.
The current trend to “internetify” as many devices as possible – what’s known as the IoT, or Internet of Things – is happening at such a dramatic (and competitive) rate that security often takes a back seat, or even no seat at all.
We’ve written about security blunders in IoT products from dolls to sex toys; from light bulbs to kettles; from routers to printers – and many other IoT devices, too.

What to do?

We don’t know exactly how the Dutch hacking team took over the camera in this story – it could have been via a security flaw in the camera itself, via the software that controlled the camera, or via some other related compromise on the hackers’ network.
But if you are planning on plugging in anything such as an internet-enabled camera, thermostat or light switch at home, here are some tips to help you get started as safely as you can:

  • Make sure your device has been updated to the latest firmware. Firmware refers to the combined operating system plus software bundle that controls the device itself, usually stored on flash memory inside the unit. Vendors are supposed to ship security patches from time to time; these are usually applied by downloading them to your desktop or laptop computer and using a special app to “burn” them to the device. Find out your model number and check the vendor’s download pages regularly.
  • Make sure any remote access features are turned off before you go live. Many IoT devices come with a management app you can run on your desktop or laptop computer, so hunt around through the configuration options looking for any features to do with “remote administration”. Ideally, your IoT devices should be set up so they can be configured only from inside your network. That way, crooks have to break into your network and then into the device, instead of being able to hack away at the device itself remotely.
  • Make sure you’ve changed default passwords and chosen decent replacements. Many IoT devices come with default login credentials such as root/root, admin/admin, and other combinations that are widely circulated on the internet. Don’t make it easy for the crooks: learn how to pick a proper password.
