
Iran's Cyber-Kinetic War Doctrine Takes Shape - Dark Reading

Dark Reading Archived May 31, 2026 ✓ Full text saved



Iran has been hacking IP cameras to plan missile strikes against its enemies, and mounting other attacks on physical assets, showing how cyber and kinetic warfare are fast becoming one and the same.

Alexander Culafi, Senior News Writer, Dark Reading
March 6, 2026

Following the US and Israeli attack on Iran on Feb. 28, Iran has unified cyber and kinetic attacks into a single doctrine.

Check Point Research on March 4 published research identifying intensified targeting of IP cameras from two manufacturers, attributed to Iranian threat actors. The attacks began Feb. 28, the day US and Israeli missile strikes began. Researchers said the activity "extends across Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus — countries that have also experienced significant missile activity linked to Iran."

The hacking occurring before the US/Israel attacks (IP camera targeting of Israel and Qatar in mid-January, apparently in expectation of a US strike) and after (IP camera targeting of specific areas in Lebanon) led Check Point Research to assess that Iran leverages camera compromise for operational support and battle damage assessment as it relates to missile launches. "As a result, tracking camera-targeting activity from specific, attributed infrastructures may serve as an early indicator of potential follow-on kinetic activity," the research read.

The actors are apparently targeting popular Hikvision and Dahua cameras through a number of authentication and command-related vulnerabilities. The bugs they use include CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, and CVE-2025-34067 for Hikvision, and CVE-2021-33044 in the case of Dahua. Patches for all vulnerabilities are available now.

Iran has a history of utilizing cameras to facilitate military action.

"We observed similar targeting patterns during the 12-day war between Israel and Iran in June 2025, likely to support battle damage assessment and/or targeting correction," according to Check Point. "One of the best-known cases occurred when Iran struck Israel’s Weizmann Institute of Science with a ballistic missile and had reportedly taken control of a street camera facing the building just prior to the hit."

Given the targeting of IP cameras last year and on an even wider basis now, Sergey Shykevich, threat intelligence group manager at Check Point Research, says the use of camera targeting to facilitate missile strikes "is part of Iranian war doctrine."

Iran's Ongoing Cyber Activity

It's worth noting this is not the only cyber activity Iran has conducted as part of its ongoing retaliation.

In an email, Flashpoint shared research with Dark Reading highlighting ongoing targeting of industrial control systems (ICS) in Israel and other countries; logistics sabotage (pro-Iranian actors reportedly breached the Jordan Silos and Supply General Company via phishing); and government entity targeting with distributed denial of service (DDoS) attacks in places like the UAE and Bahrain. That's in addition to other activity Flashpoint has tracked in recent days, including ongoing propaganda campaigns and missile strikes against data centers.

Adam Meyers, CrowdStrike's senior vice president of counter-adversary operations, says that as Tehran focuses on its kinetic response, "CrowdStrike has observed muted IRGC-linked retaliatory cyberattacks, which are limited in scope." The company has, however, seen a surge in pro-Iranian Russian hacktivism, including attacks targeting ICS, SCADA systems, and CCTV networks belonging to US-based entities.

"The timing of these unverified claims, coinciding with Operation Epic Fury, suggests [Iran's allies] likely began prioritizing US entities as targets," Meyers writes. "Western organizations should continue to remain on high alert for potential cyber-response as the conflict continues, and activity may move beyond hacktivism and into destructive operations."

Iran's Cyber-Kinetic Battlespace: Familiar, Yet Different

Although the use of cyberattacks in kinetic warfare is far from new in its own right (look to Russia's relentless targeting of industrial infrastructure as part of its invasion of Ukraine), Iran's activity represents a near total blend of the two.

Shykevich says that although there are several examples of the cyber-to-kinetic attack path during the Russia-Ukraine war, "it is not something very common, or at least not frequently publicly documented."

Alexander Leslie, senior adviser at Recorded Future, tells Dark Reading that from a strategic standpoint, cyber remains one of Iran's most scalable military options, especially as conventional operations are constrained.

"This is not a traditional linear conflict," Leslie says. "It is an integrated campaign in which kinetic operations, cyber effects, psychological operations, and economic coercion are sequenced. If you're looking for a single decisive battlefield moment, you'll miss the point. The strategy is to impose costs across domains, stretch air defenses, spike shipping and insurance risk, exploit cyber vulnerabilities, and flood the information environment so decisionmakers move before verification."

Kathryn Raines, cyber threat intelligence team lead for the National Security Solutions team at Flashpoint, tells Dark Reading that there's no doubt in her mind that "what we're seeing in the Middle East right now isn't an anomaly — it's the new blueprint for modern warfare."

She adds, "We are firmly in the era of hybrid tactics, where traditional boundaries have completely collapsed. Cyber operations offer a low-cost, high-impact way to shape the physical battlespace, not to mention there's an extremely low barrier to entry for hacktivists and other proxies wanting to get involved.

"Things like hacking IP cameras for real-time battle-damage assessment or breaching a power grid to blind an adversary's air defenses just minutes before a missile barrage will become standard operating procedure."

About the Author

Alexander Culafi, Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels.
He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today.

Article Info
Source: Dark Reading
Category: Threat Intelligence
Published: May 31, 2026
Archived: May 31, 2026