Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East

Key Findings Introduction As highlighted in the Cyber Security Report 2026, cyber operations have increasingly become an additional tool in interstate conflicts, used both to support military operations and to enable ongoing battle damage assessment (BDA). During the 12-day conflict between Israel and Iran in June 2025, the compromise of cameras was likely used to support […] The post Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East appeared first on Check Point Research .

Key Findings Introduction As highlighted in the Cyber Security Report 2026, cyber operations have increasingly become an additional tool in interstate conflicts, used both to support military operations and to enable ongoing battle damage assessment (BDA). During the 12-day conflict between Israel and Iran in June 2025, the compromise of cameras was likely used to support […] The post Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East appeared first on Check Point Research . Key Findings During the ongoing conflict, we identified intensified targeting of IP cameras from two manufacturers starting on February 28, originating from infrastructure we attribute to Iranian threat actors. The targeting extends across Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus – countries that have also experienced significant missile activity linked to Iran. On March 1st, we additionally observed camera-targeting activity focused on specific areas in Lebanon. We also observed earlier, more targeted activity against cameras in Israel and Qatar on January 14–15. These dates surround with Iran’s temporary closure of its airspace, reportedly amid expectations of a potential U.S. strike. Taken together, these findings are consistent with the assessment that Iran, as part of its doctrine, leverages camera compromise for operational support and ongoing battle damage assessment (BDA) for missile operations, potentially in some cases prior to missile launches. As a result, tracking camera-targeting activity from specific, attributed infrastructures may serve as an early indicator of potential follow-on kinetic activity. Introduction As highlighted in the Cyber Security Report 2026 , cyber operations have increasingly become an additional tool in interstate conflicts, used both to support military operations and to enable ongoing battle damage assessment (BDA). During the 12-day conflict between Israel and Iran in June 2025, the compromise of cameras was likely used to support BDA and/or target-correction efforts. In the current Middle East conflict, Check Point Research has observed intensified targeting of cameras beginning in the first hours of hostilities, including a sharp increase in exploitation attempts against IP cameras not only in Israel but also across Gulf countries: specifically the UAE, Qatar, Bahrain, and Kuwait, as well as similar activity in Lebanon and Cyprus . This activity originated from multiple attack infrastructures that we attribute to several Iran-nexus threat actors. Notably, we also identified earlier activity exhibiting similar patterns, dated January 14 , coinciding with the peak of anti-regime protests in Iran, a period during which Iran anticipated potential action from the United States and Israel and temporarily closed its airspace. Findings Check Point Research (CPR) continuously tracks infrastructure used by Iran-nexus threat actors. Starting February 28 , we observed a spike in targeting of IP cameras in several countries in the Middle East including Israel, UAE, Qatar, Bahrain, Kuwait and Lebanon, while also similar activity occurred against Cyprus. The attack infrastructure we track combines specific commercial VPN exit nodes (Mullvad, ProtonVPN, Surfshark, NordVPN) and virtual private servers (VPS), and is assessed to be employed by multiple Iran-nexus actors. Scanning activity we observed targets cameras such as Hikvision and Dahua and aligns with attempts to identify exposure to the vulnerabilities listed below. No attempts to interact with other camera vendors were observed from this infrastructure. The popular devices of Hikvision and Dahua are targeted with the following vulnerabilities: CVE Vulnerability CVE-2017-7921 An improper authentication vulnerability in Hikvision IP camera firmware CVE-2021-36260 A command injection vulnerability in the Hikvision web server component CVE-2023-6895 An OS command injection vulnerability in Hikvision Intercom Broadcasting System CVE-2025-34067 An unauthenticated remote code execution vulnerability in Hikvision Integrated Security Management Platform CVE-2021-33044 An authentication bypass vulnerability in multiple Dahua products Patches are available for all of the vulnerabilities listed above. As a case study, we conducted a deep dive into two of the CVEs listed above – CVE-2021-33044 and CVE-2017-7921 – and examined exploitation attempts originating from operational infrastructure we attribute to Iran, observed since the beginning of the year. Waves of activity against Israel: The spikes in this activity are closely aligned with geopolitical events around the same time: January 14-15 – While internal anti-regime protests in Iran peaked, Iranian officials and state media portrayed the unrest as a foreign-backed plot by Iran’s adversaries, including the United States and Israel and also closed its airspace. At the same time we also observe a wave of scans of cameras in the Iraqi Kurdistan. January 24 – The...