A surge in attempts to compromise internet-connected surveillance cameras across the Middle East has been identified during the ongoing regional conflict, with activity attributed to infrastructure linked to Iranian threat actors.
The targeting, which began intensifying on February 28, has affected Israel, Qatar, Bahrain, Kuwait, the UAE and Cyprus, with additional focused activity observed in parts of Lebanon on March 1.
The findings, released by Check Point Research (CPR), point to a coordinated campaign against devices manufactured by Hikvision and Dahua.
The researchers said the pattern of activity aligns with Iran’s established military doctrine of using compromised cameras to support operational planning and battle damage assessment following missile strikes.
Activity Tied To Regional Escalation
According to CPR, the spike in exploitation attempts coincided with key geopolitical developments. Earlier, more targeted scanning was recorded on January 14–15, around the time Iran temporarily closed its airspace amid expectations of a possible US strike.
Subsequent waves of activity aligned with other high-profile events, including:
-
January 24 – A visit to Israel by the US Central Command commander during heightened tensions
-
Early February – Public warnings from Iranian leadership that a US strike could spark wider regional conflict
Read more on cyber operations in interstate conflicts: Expect Iran to Launch Cyber-Attacks Globally, Warns Google Head of Threat Intel
The infrastructure used in the campaign combines commercial VPN exit nodes, including Mullvad, ProtonVPN, Surfshark and NordVPN, along with virtual private servers assessed to be operated by multiple Iran-linked threat actors.
Specific Vulnerabilities Exploited
The campaign observed by CPR focused exclusively on Hikvision and Dahua products. Researchers observed scanning for known vulnerabilities, including authentication bypass and remote code execution (RCE) flaws. Patches are available for all identified issues.
Check Point examined exploitation attempts involving CVE-2021-33044 and CVE-2017-7921, traced to infrastructure attributed to Iran and active since the start of the year.
The researchers noted similar tactics during the 12-day conflict between Israel and Iran in June 2025. In one widely reported incident, a street camera facing the Weizmann Institute of Science was allegedly compromised shortly before a ballistic missile struck the site.
The report concluded that monitoring camera-targeting activity from known Iranian-linked infrastructure may offer early warning of potential follow-on kinetic operations.
To help mitigate these risks, defenders should eliminate public exposure by removing WAN access and using a VPN, while enforcing strong credentials and keeping firmware up-to-date.
Additionally, they should implement network segmentation for cameras on a dedicated VLAN and monitor for unusual login attempts and outbound connections.
