For years, security experts have been warning that IoT devices like security cameras are a weak link for companies. They are often made in China with passwords and updates never updated.
The Financial Times tells how the head of a Ukrainian cybersecurity company recruited dozens of "Ukrainian hackers" and borrowed a Starlink internet satellite for "the large-scale infiltration of internet-connected security cameras to surveil Russian-occupied territory, and honey-trapping Russian soldiers into revealing their bases."
They hacked thousands of security and traffic cameras in Belarus and parts of Ukraine that Russia had occupied. To filter the information, the team wrote machine-learning code that helped them separate military movements from ordinary traffic, and they funnelled the information to the military via a public portal.
One remote Russian base near occupied Melitopol in southern Ukraine was targeted. Then, using fake profiles of attractive women on Facebook and Russian social media websites, they tricked soldiers into sending photos that they geolocated, and shared with the Ukrainian military.
A few days later, they watched on TV as the base was blown up by Ukrainian artillery.