Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East

INTERPLAY BETWEEN IRANIAN TARGETING OF IP CAMERAS AND PHYSICAL WARFARE IN THE MIDDLE EAST March 4, 2026 Key Findings During the ongoing conflict, we identified intensified targeting of IP cameras from two manufacturers starting on February 28, originating from infrastructure we attribute to Iranian threat actors. The targeting extends across Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus – countries that have also experienced significant missile activity linked to Iran. On March 1st, we additionally observed camera-targeting activity focused on specific areas in Lebanon. We also observed earlier, more targeted activity against cameras in Israel and Qatar on January 14–15. These dates surround with Iran’s temporary closure of its airspace, reportedly amid expectations of a potential U.S. strike. Taken together, these findings are consistent with the assessment that Iran, as part of its doctrine, leverages camera compromise for operational support and ongoing battle damage assessment (BDA) for missile operations, potentially in some cases prior to missile launches. As a result, tracking camera-targeting activity from specific, attributed infrastructures may serve as an early indicator of potential follow-on kinetic activity. Introduction As highlighted in the Cyber Security Report 2026, cyber operations have increasingly become an additional tool in interstate conflicts, used both to support military operations and to enable ongoing battle damage assessment (BDA). During the 12-day conflict between Israel and Iran in June 2025, the compromise of cameras was likely used to support BDA and/or target-correction efforts. In the current Middle East conflict, Check Point Research has observed intensified targeting of cameras beginning in the first hours of hostilities, including a sharp increase in exploitation attempts against IP cameras not only in Israel but also across Gulf countries: specifically the UAE, Qatar, Bahrain, and Kuwait, as well as similar activity in Lebanon and Cyprus. This activity originated from multiple attack infrastructures that we attribute to several Iran-nexus threat actors. Notably, we also identified earlier activity exhibiting similar patterns, dated January 14, coinciding with the peak of anti-regime protests in Iran, a period during which Iran anticipated potential action from the United States and Israel and temporarily closed its airspace. Findings Check Point Research (CPR) continuously tracks infrastructure used by Iran-nexus threat actors. Starting February 28, we observed a spike in targeting of IP cameras in several countries in the Middle East including Israel, UAE, Qatar, Bahrain, Kuwait and Lebanon, while also similar activity occurred against Cyprus. The attack infrastructure we track combines specific commercial VPN exit nodes (Mullvad, ProtonVPN, Surfshark, NordVPN) and virtual private servers (VPS), and is assessed to be employed by multiple Iran-nexus actors. Scanning activity we observed targets cameras such as Hikvision and Dahua and aligns with attempts to identify exposure to the vulnerabilities listed below. No attempts to interact with other camera vendors were observed from this infrastructure. The popular devices of Hikvision and Dahua are targeted with the following vulnerabilities: CVE Vulnerability CVE-2017-7921 An improper authentication vulnerability in Hikvision IP camera firmware CVE-2021-36260 A command injection vulnerability in the Hikvision web server component CVE-2023-6895 An OS command injection vulnerability in Hikvision Intercom Broadcasting System CVE-2025-34067 An unauthenticated remote code execution vulnerability in Hikvision Integrated Security Management Platform CVE-2021-33044 An authentication bypass vulnerability in multiple Dahua products Patches are available for all of the vulnerabilities listed above. As a case study, we conducted a deep dive into two of the CVEs listed above – CVE-2021-33044 and CVE-2017-7921 – and examined exploitation attempts originating from operational infrastructure we attribute to Iran, observed since the beginning of the year. Waves of activity against Israel: The spikes in this activity are closely aligned with geopolitical events around the same time: January 14-15 – While internal anti-regime protests in Iran peaked, Iranian officials and state media portrayed the unrest as a foreign-backed plot by Iran’s adversaries, including the United States and Israel and also closed its airspace. At the same time we also observe a wave of scans of cameras in the Iraqi Kurdistan. January 24 – The U.S. Central Command (CENTCOM) commander visited Israel and met with the Israel Defense Forces’ chief of staff amid heightened tensions. Beginning of February – Iran’s leadership was increasingly worried about a possible U.S. strike; Iranian/IRGC-linked messaging warned a strike could trigger a wider regional war. Waves of activity against Qatar: Waves of activity against Bahrain: Waves of activity against Kuwait: Waves of activity against United Arab Emirates: Waves of activity against Cyprus: Waves of activity against Lebanon: We observed similar targeting patterns during the 12-day war between Israel and Iran in June 2025, likely to support battle damage assessment (BDA) and/or targeting correction. One of the best-known cases occurred when Iran struck Israel’s Weizmann Institute of Science with a ballistic missile and had reportedly taken control of a street camera facing the building just prior to the hit Recommendations for Defenders: Eliminate public exposure: remove direct WAN access to cameras/NVRs; place them behind VPN or a zero-trust access gateway; block inbound port-forwards. Enforce strong credentials: change default passwords, enforce unique credentials. Patch management: keep cameras/NVR firmware and management software updated – updates from the manufacturers are available; remove/replace end-of-life devices that no longer get security fixes. Network segmentation: isolate cameras on a dedicated VLAN with no lateral access to corporate/OT networks; tightly control outbound traffic (only to required update/cloud endpoints). Monitoring & detection: repeated login failures, unexpected remote logins; cameras initiating unusual outbound connections. GO UP BACK TO ALL POSTS POPULAR POSTS ARTIFICIAL INTELLIGENCE CHATGPT CHECK POINT RESEARCH PUBLICATIONS OPWNAI : Cybercriminals Starting to Use ChatGPT CHECK POINT RESEARCH PUBLICATIONS THREAT RESEARCH Hacking Fortnite Accounts ARTIFICIAL INTELLIGENCE CHATGPT CHECK POINT RESEARCH PUBLICATIONS OpwnAI: AI That Can Save the Day or HACK it Away BLOGS AND PUBLICATIONS CHECK POINT RESEARCH PUBLICATIONS August 11, 2017 “THE NEXT WANNACRY” VULNERABILITY IS HERE CHECK POINT RESEARCH PUBLICATIONS March 12, 2026 “HANDALA HACK” – UNVEILING GROUP’S MODUS OPERANDI CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH February 17, 2020 “THE TURKISH RAT” EVOLVED ADWIND IN A MASSIVE ONGOING PHISHING CAMPAIGN CHECK POINT RESEARCH PUBLICATIONS August 11, 2017 “THE NEXT WANNACRY” VULNERABILITY IS HERE CHECK POINT RESEARCH PUBLICATIONS March 12, 2026 “HANDALA HACK” – UNVEILING GROUP’S MODUS OPERANDI CHECK POINT RESEARCH PUBLICATIONS GLOBAL CYBER ATTACK REPORTS THREAT RESEARCH February 17, 2020 “THE TURKISH RAT” EVOLVED ADWIND IN A MASSIVE ONGOING PHISHING CAMPAIGN CHECK POINT RESEARCH PUBLICATIONS August 11, 2017 “THE NEXT WANNACRY” VULNERABILITY IS HERE 123 This website uses cookies in order to optimize your user experience as well as for advertising and analytics.  For further information, please read our Privacy Policy and ourCookie Notice. 404 Not Found nginx When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer. More information Allow All Manage Consent Preferences Functional Cookies Functional Cookies These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly. Strictly Necessary Cookies Always Active These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information. Performance Cookies Performance Cookies These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance. Targeting Cookies Targeting Cookies These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising. Performance Cookies Clear checkbox label label Apply Cancel Consent Leg.Interest checkbox label label checkbox label label checkbox label label Reject All Confirm My Choices