Russian military intelligence (GRU) has targeted thousands of surveillance cameras across Romania and other NATO countries bordering Ukraine in an attempt to monitor the flow of military and humanitarian aid to Kyiv, according to a recent investigation involving the United States and several European nations.

The sweeping cyber-espionage campaign, attributed to the notorious GRU unit 26165, began after Russia launched its full-scale invasion of Ukraine in February 2022.

Also known as APT28 or Fancy Bear, GRU unit 26165 is a cyber group responsible for high-profile espionage campaigns against Western governments, defense, and logistics sectors.

Investigators said they found that out of approximately 10,000 compromised IP addresses, nearly 1,000 belonged to surveillance cameras in Romania -- making it the second most-affected country after Ukraine itself. Other targeted nations included Poland, Hungary, and Slovakia.

The Russian hackers used sophisticated spearphishing tactics -- sending personalized emails designed to trick users into revealing login credentials on counterfeit websites, investigators said.

In some cases, they distributed malware hidden in pornographic material. Once access was gained, attackers could collect sensitive metadata from the cameras, including their location, model, software version, and user information.

This access allowed Russian operatives to monitor strategic sites in real time, such as border crossings, military installations, railway stations, and ports -- especially those involved in transporting aid to Ukraine.

According to the investigation, the goal was to gather intelligence on the routes and timing of Western support shipments that were flowing over the border and into Ukraine as it fought to repel invading Russian troops.

Romania, with its 650-kilometer border with Ukraine, is a crucial transit country for both refugees and aid. Key border points like Siret, Sighetu Marmației, and Galați, as well as Danube ports, have seen intense activity since the war began over three years ago.

While the exact routes of military aid remain classified, the exposure of surveillance infrastructure poses serious security risks.

A notable vulnerability stems from the widespread use of Chinese-made surveillance cameras (notably Hikvision and Dahua) in Romania, including by government agencies, the military, border police, and even Parliament. These brands have been banned or restricted in the US and other Western nations over security concerns, but remain prevalent in Romania.

Romanian intelligence services did not take part in the multinational investigation led by the United States, Britain, Germany, France, Poland, Estonia, and the Czech Republic.

In response to questions from RFE/RL’s Romanian Service, Romania’s Defense Ministry said it "does not have regulatory or oversight authority regarding the installation and operation of surveillance systems by individuals or legal entities in Romania."

The ministry added, however, that relevant authorities were taking "necessary measures to prevent the unauthorized collection of information not intended for public disclosure regarding its military units and their activities."

RFE/RL has also reached out to the Romanian Intelligence Service and the Directorate for Cybersecurity for comment.