vulnerability, high, Exploitation of IoT devices, Physical warfare support operations, State-sponsored cyber espionage, Iran-nexus threat actors, CVE-2017-7921, CVE-2021-33044

Mar 04, 2026 • stcpresearch

Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East

Source: Check Point Research
Category: vulnerability
Severity: high

Executive Summary

Check Point Research identified intensified targeting of IP cameras (Hikvision and Dahua) across Israel, UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus starting February 28, attributed to Iran-nexus threat actors. The activity correlates with heightened regional tensions and missile activity linked to Iran. Attackers exploited known vulnerabilities (CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067, CVE-2021-33044) using commercial VPN infrastructure (Mullvad, ProtonVPN, Surfshark, NordVPN). The targeting pattern suggests operational support for battle damage assessment and potential pre-launch targeting. Organizations in the affected regions should immediately patch vulnerable camera firmware, monitor for unusual scanning activity, and implement network segmentation for IoT devices. This activity may serve as an early indicator of impending kinetic operations.

Summary

As highlighted in the Cyber Security Report 2026, cyber operations have increasingly become an additional tool in interstate conflicts, used both to support military operations and to enable ongoing battle damage assessment (BDA). During the 12-day conflict between Israel and Iran in June 2025, the compromise of cameras was likely used to support […]

Published Analysis

Key Findings

  • During the ongoing conflict, we identified intensified targeting of IP cameras from two manufacturers starting on February 28, originating from infrastructure we attribute to Iranian threat actors.
  • The targeting extends across Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus – countries that have also experienced significant missile activity linked to Iran. On March 1st, we additionally observed camera-targeting activity focused on specific areas in Lebanon.
  • We also observed earlier, more targeted activity against cameras in Israel and Qatar on January 14–15. These dates surround Iran’s temporary closure of its airspace, reportedly amid expectations of a potential U.S. strike.
  • Taken together, these findings are consistent with the assessment that Iran, as part of its doctrine, leverages camera compromise for operational support and ongoing battle damage assessment (BDA) for missile operations, potentially in some cases prior to missile launches.
  • As a result, tracking camera-targeting activity from specific, attributed infrastructures may serve as an early indicator of potential follow-on kinetic activity.

Introduction

As highlighted in the Cyber Security Report 2026, cyber operations have increasingly become an additional tool in interstate conflicts, used both to support military operations and to enable ongoing battle damage assessment (BDA). During the 12-day conflict between Israel and Iran in June 2025, the compromise of cameras was likely used to support BDA and/or target-correction efforts.

In the current Middle East conflict, Check Point Research has observed intensified targeting of cameras beginning in the first hours of hostilities, including a sharp increase in exploitation attempts against IP cameras not only in Israel but also across Gulf countries: specifically the UAE, Qatar, Bahrain, and Kuwait, as well as similar activity in Lebanon and Cyprus. This activity originated from multiple attack infrastructures that we attribute to several Iran-nexus threat actors.

Notably, we also identified earlier activity exhibiting similar patterns, dated January 14, coinciding with the peak of anti-regime protests in Iran, a period during which Iran anticipated potential action from the United States and Israel and temporarily closed its airspace.

Findings

Check Point Research (CPR) continuously tracks infrastructure used by Iran-nexus threat actors. Starting February 28, we observed a spike in targeting of IP cameras in several countries in the Middle East, including Israel, UAE, Qatar, Bahrain, Kuwait and Lebanon, while similar activity also occurred against Cyprus.

The attack infrastructure we track combines specific commercial VPN exit nodes (Mullvad, ProtonVPN, Surfshark, NordVPN) and virtual private servers (VPS), and is assessed to be employed by multiple Iran-nexus actors.

Scanning activity we observed targets cameras such as Hikvision and Dahua and aligns with attempts to identify exposure to the vulnerabilities listed below. No attempts to interact with other camera vendors were observed from this infrastructure.

The popular devices of Hikvision and Dahua are targeted with the following vulnerabilities:

  • CVE-2017-7921: An improper authentication vulnerability in Hikvision IP camera firmware
  • CVE-2021-36260: A command injection vulnerability in the Hikvision web server component
  • CVE-2023-6895: An OS command injection vulnerability in Hikvision Intercom Broadcasting System
  • CVE-2025-34067: An unauthenticated remote code execution vulnerability in Hikvision Integrated Security...
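An added example (not from Check Point Research or BrewedIntel) of monitoring for the scanning pattern described in the findings: it flags any external source that touches several distinct cameras in one day and marks sources that fall on a tracked-infrastructure list. The camera subnet, the port set (ports commonly used for camera web, RTSP and SDK services), the threshold, the watchlist range and the log lines are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumptions for this example: camera VLAN, camera service ports, and a
# placeholder watchlist (documentation range, not a real indicator).
CAMERA_NET = ip_network("10.20.0.0/24")
CAMERA_PORTS = {80, 443, 554, 8000, 37777}
WATCHLIST = [ip_network("203.0.113.0/24")]
FANOUT_THRESHOLD = 3  # distinct cameras touched by one source in one UTC day

# Constructed firewall log: timestamp, source, destination, dest port, action.
SAMPLE_LOG = """\
2026-02-27T09:12:01Z 192.0.2.10 10.20.0.11 443 ALLOW
2026-02-28T05:58:40Z 198.51.100.7 10.20.0.11 80 DENY
2026-02-28T06:01:02Z 198.51.100.7 10.20.0.12 80 DENY
2026-02-28T06:10:00Z 203.0.113.44 10.20.0.11 80 DENY
2026-02-28T06:10:01Z 203.0.113.44 10.20.0.12 8000 DENY
2026-02-28T06:10:02Z 203.0.113.44 10.20.0.13 37777 DENY
2026-02-28T06:10:03Z 203.0.113.44 10.20.0.14 80 ALLOW
2026-02-28T06:10:04Z 203.0.113.44 10.20.0.15 22 DENY
"""

def parse(line):
    """Split one log line into (day, source, destination, port)."""
    ts, src, dst, port, _action = line.split()
    day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
    return day, ip_address(src), ip_address(dst), int(port)

def camera_sweeps(log_text, threshold=FANOUT_THRESHOLD):
    """Return (day, source, on_watchlist, cameras) for every external source
    that touched at least `threshold` distinct cameras on camera ports in a day.
    Allowed and denied connections both count: either one is a probe."""
    touched = defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        day, src, dst, port = parse(line)
        if src not in CAMERA_NET and dst in CAMERA_NET and port in CAMERA_PORTS:
            touched[(day, src)].add(dst)
    alerts = []
    for day, src in sorted(touched, key=lambda k: (k[0], str(k[1]))):
        cams = touched[(day, src)]
        if len(cams) >= threshold:
            tracked = any(src in net for net in WATCHLIST)
            alerts.append((day, str(src), tracked, [str(c) for c in sorted(cams)]))
    return alerts

if __name__ == "__main__":
    for alert in camera_sweeps(SAMPLE_LOG):
        print(alert)
```

In a segmented deployment the recorder or management host is the only expected source of multi-camera traffic and would be excluded before alerting.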

Linked Entities

  • Iran-nexus threat actors
  • CVE-2017-7921
  • CVE-2021-33044
  • CVE-2021-36260
  • CVE-2023-6895
  • CVE-2025-34067