Iranian Threat Actors Intensify IP Camera Exploitation Across Six Countries to Support Missile Operations and Battle Damage Assessment
Check Point Research has disclosed that multiple Iran-nexus threat actors have intensified exploitation of IP cameras across six countries in the Middle East and Eastern Mediterranean since the onset of hostilities — activity assessed to support battle damage assessment (BDA) and target correction for Iranian missile operations.
The targeting, which spiked sharply beginning February 28, focuses exclusively on Hikvision and Dahua cameras across Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus — countries that have also experienced significant missile activity linked to Iran.
The findings reinforce a pattern first observed during the 12-day Israel-Iran conflict in June 2025, when compromised cameras were used to assess strike damage in real time. In one documented case, Iran reportedly took control of a street camera facing Israel's Weizmann Institute of Science just prior to striking the building with a ballistic missile.
Camera Exploitation as a Military Doctrine
Check Point assesses that camera compromise has become an embedded component of Iran's operational doctrine — not an opportunistic cybercrime activity but a systematic capability tied to kinetic military operations. Tracking camera-targeting activity from attributed Iranian infrastructure may serve as an early indicator of follow-on missile strikes.
The attack infrastructure combines commercial VPN exit nodes (Mullvad, ProtonVPN, Surfshark, NordVPN) with virtual private servers, and is assessed to be employed by multiple Iran-nexus actors operating in parallel.
Targeted Vulnerabilities
All scanning activity targets Hikvision and Dahua devices exclusively, exploiting five known vulnerabilities:
- CVE-2017-7921 — improper authentication in Hikvision IP camera firmware
- CVE-2021-36260 — command injection in Hikvision web server component
- CVE-2023-6895 — OS command injection in Hikvision Intercom Broadcasting System
- CVE-2025-34067 — unauthenticated RCE in Hikvision Integrated Security Management Platform
- CVE-2021-33044 — authentication bypass in multiple Dahua products
Patches are available for all five vulnerabilities. No exploitation attempts against other camera vendors were observed from this infrastructure.
Activity Correlated With Geopolitical Events
Check Point's deep-dive analysis of exploitation attempts since January 2026 reveals activity waves tightly aligned with escalating tensions:
January 14–15 — Scanning spikes against cameras in Israel and Qatar coincided with Iran's temporary airspace closure amid expectations of a potential US strike. Anti-regime protests in Iran peaked simultaneously, with Iranian officials portraying unrest as foreign-backed.
January 24 — Activity spike aligned with the US CENTCOM commander's visit to Israel and meetings with IDF leadership.
Early February — Sustained scanning as Iran's leadership grew increasingly concerned about a possible US strike, with IRGC-linked messaging warning that a strike could trigger wider regional war.
February 28 onward — Dramatic escalation across all six target countries coinciding with the onset of hostilities. On March 1, additional camera-targeting activity focused specifically on areas in Lebanon.
Six-Country Target Spread
The geographic scope of camera targeting mirrors the countries experiencing Iranian missile activity:
- Israel — primary target with highest volume
- United Arab Emirates — targeted alongside the physical drone strikes on AWS data centers
- Qatar — sustained scanning waves
- Bahrain — targeted in parallel with UAE activity
- Kuwait — included in Gulf-wide scanning
- Cyprus — targeted despite geographic distance, likely due to strategic military significance
- Lebanon — focused targeting beginning March 1
Defender Recommendations
- Remove public internet exposure immediately — take cameras and NVRs off the WAN, place them behind a VPN or zero-trust access gateway, and block inbound port forwards
- Patch all five CVEs — updates from Hikvision and Dahua are available; replace end-of-life devices that no longer receive security fixes
- Enforce strong credentials — change all default passwords and enforce unique credentials per device
- Network segmentation — isolate cameras on a dedicated VLAN with no lateral access to corporate or OT networks; restrict outbound traffic to required update and cloud endpoints only
- Monitor for compromise indicators — watch for repeated login failures, unexpected remote logins, and cameras initiating unusual outbound connections
- Treat camera exploitation as a threat indicator — organizations in affected regions should consider intensified camera scanning as a potential precursor to kinetic activity
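
The monitoring recommendation above can be turned into a small detection pass over camera-VLAN events. The following is an added example, not code from Check Point or from either camera vendor. The event format, the subnets, the egress allowlist and the failure threshold are all assumptions constructed for illustration and must be replaced with site-specific values.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example (constructed; replace with your own values).
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")      # dedicated camera VLAN
MGMT_NET = ipaddress.ip_network("10.10.5.0/24")        # VPN / admin jump hosts
ALLOWED_EGRESS = {ipaddress.ip_address("192.0.2.10")}  # update / cloud endpoint
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)

# Constructed sample events in a hypothetical "time,kind,src,dst" format.
SAMPLE = """\
2026-01-01T02:00:01,login_fail,203.0.113.7,10.20.0.11
2026-01-01T02:00:10,login_fail,203.0.113.7,10.20.0.11
2026-01-01T02:00:20,login_fail,203.0.113.7,10.20.0.11
2026-01-01T02:00:30,login_fail,203.0.113.7,10.20.0.11
2026-01-01T02:00:40,login_fail,203.0.113.7,10.20.0.11
2026-01-01T02:01:05,login_ok,203.0.113.7,10.20.0.11
2026-01-01T02:03:00,login_ok,10.10.5.20,10.20.0.12
2026-01-01T02:04:00,flow,10.20.0.11,192.0.2.10
2026-01-01T02:04:30,flow,10.20.0.11,198.51.100.44
2026-01-01T02:05:00,flow,10.20.0.11,10.30.0.5
"""

def detect(lines):
    """Return (alert_type, src, dst) tuples for the three indicator classes."""
    alerts, fails = [], defaultdict(list)  # fails: (src, dst) -> recent timestamps
    for line in lines:
        if not line.strip():
            continue
        ts_s, kind, src_s, dst_s = line.strip().split(",")
        ts = datetime.fromisoformat(ts_s)
        src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
        if kind == "login_fail" and dst in CAMERA_NET:
            # Sliding window: keep only failures inside FAIL_WINDOW, then add this one.
            recent = [t for t in fails[(src, dst)] if ts - t <= FAIL_WINDOW] + [ts]
            fails[(src, dst)] = recent
            if len(recent) == FAIL_THRESHOLD:  # alert once when the burst crosses it
                alerts.append(("repeated_login_failures", src_s, dst_s))
        elif kind == "login_ok" and dst in CAMERA_NET and src not in MGMT_NET:
            alerts.append(("unexpected_remote_login", src_s, dst_s))
        elif kind == "flow" and src in CAMERA_NET:
            # Cameras may talk inside their VLAN or to allowlisted endpoints only.
            if dst not in CAMERA_NET and dst not in ALLOWED_EGRESS:
                alerts.append(("unusual_outbound", src_s, dst_s))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE.splitlines()):
        print(alert)
```

On the sample data this flags the failure burst, the successful login that followed it from outside the management network, and two camera-initiated connections, one to an unlisted external address and one into another internal subnet.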