Researchers Warn of Iranian Campaign Targeting Security Cameras Across the Middle East

Modern warfare is increasingly defined by the integration of cyber capabilities with traditional military operations. Rather than functioning as isolated domains, cyber and kinetic operations now complement each other, enabling intelligence collection, real-time situational awareness, and operational coordination.

Recent research from Check Point Research highlights an emerging example of this convergence: the systematic targeting of internet-connected surveillance cameras across the Middle East by infrastructure attributed to Iranian threat actors. The activity suggests that compromised IP cameras may be leveraged not only for intelligence gathering but also for operational support during missile attacks and conflict escalation.

The campaign demonstrates how relatively mundane Internet of Things (IoT) devices—specifically network-connected surveillance cameras—can become strategic assets in modern conflict.


Background: Cyber Operations as Force Multipliers

Cyber operations have increasingly become embedded within interstate conflicts. Instead of being limited to espionage or disruption, cyber capabilities are now frequently used to support battlefield activities such as:

  • reconnaissance and surveillance
  • targeting intelligence
  • battle damage assessment (BDA)
  • target correction during strikes

During the 12-day conflict between Israel and Iran in June 2025, researchers observed indications that compromised cameras were potentially used to assist missile strike analysis and damage assessment.

This operational model reflects a broader military trend: the integration of cyber reconnaissance with kinetic operations, where digital infiltration provides real-time visibility into physical targets.


The IP Camera Targeting Campaign

Geographic Scope

Beginning February 28, 2026, researchers observed a significant surge in attempts to compromise IP cameras across several countries in the Middle East.

The affected regions include:

  • Israel
  • United Arab Emirates
  • Qatar
  • Bahrain
  • Kuwait
  • Lebanon
  • Cyprus

These regions notably coincide with areas experiencing heightened geopolitical tensions and missile activity linked to Iran.

The geographical distribution strongly suggests a strategic reconnaissance effort rather than random opportunistic scanning.


Infrastructure and Attribution

The activity originates from infrastructure believed to be associated with Iran-nexus threat actors.

The attack infrastructure shows several notable characteristics:

  1. Commercial VPN exit nodes
  2. Virtual Private Servers (VPS)
  3. Multi-actor usage across several coordinated campaigns

Researchers identified VPN providers frequently used as exit nodes in the attack infrastructure, including:

  • Mullvad
  • ProtonVPN
  • Surfshark
  • NordVPN

This setup helps obscure attribution while enabling geographically distributed scanning activity.


Targeted Devices and Vulnerabilities

The attackers primarily focused on surveillance cameras manufactured by:

  • Hikvision
  • Dahua

These brands dominate the global CCTV and smart surveillance markets, making them attractive targets due to their wide deployment.

The campaign leveraged several known vulnerabilities in these devices, including:

CVE               Description
CVE-2017-7921     Improper authentication vulnerability in Hikvision firmware
CVE-2021-36260    Command injection vulnerability in Hikvision web server
CVE-2023-6895     OS command injection in Hikvision broadcasting system
CVE-2025-34067    Unauthenticated remote code execution vulnerability
CVE-2021-33044    Authentication bypass vulnerability in Dahua products

All of these vulnerabilities already have security patches available.

The focus on specific camera models rather than broad IoT scanning suggests targeted reconnaissance rather than automated botnet creation.


Operational Patterns and Geopolitical Timing

One of the most revealing aspects of the campaign is its correlation with geopolitical events.

Researchers observed multiple spikes in camera-scanning activity aligned with political and military developments:

January 14–15

  • Occurred during peak anti-regime protests in Iran.
  • Iranian authorities temporarily closed national airspace due to fears of a potential U.S. strike.
  • Concurrent spikes in camera scanning were observed.

January 24

  • The commander of U.S. Central Command visited Israel amid escalating tensions.

Early February

  • Iranian leadership publicly warned that a potential U.S. strike could trigger regional escalation.

These correlations suggest that the scanning activity may serve as pre-conflict reconnaissance or preparation for military operations.


Cameras as Battlefield Sensors

Compromised IP cameras offer several tactical advantages to attackers involved in kinetic operations.

1. Real-Time Surveillance

Cameras provide immediate visibility into a target area without requiring physical presence.

Potential intelligence includes:

  • military installations
  • critical infrastructure
  • urban environments
  • transportation hubs

2. Battle Damage Assessment (BDA)

After a strike, attackers can observe:

  • the effectiveness of missile impacts
  • structural damage
  • emergency response activities

This allows rapid targeting correction for subsequent strikes.


3. Pre-Strike Intelligence

In some cases, camera access may enable attackers to:

  • verify target locations
  • assess civilian or military presence
  • monitor defensive preparations

Real-World Example

One notable case involved a ballistic missile strike on Israel’s Weizmann Institute of Science, where reports suggested that attackers had compromised a nearby street camera facing the building shortly before the attack.

This incident illustrates how compromised surveillance infrastructure can provide direct targeting intelligence.


The Strategic Implications

The campaign highlights several emerging trends in modern cyber warfare.

1. Weaponization of IoT Devices

IoT devices are increasingly being used not only for botnets or espionage but also as military intelligence platforms.


2. Civilian Infrastructure as Intelligence Assets

Commercial security cameras deployed by:

  • businesses
  • municipalities
  • private homes

can inadvertently become surveillance tools for foreign military actors.


3. Cyber Activity as an Early Warning Signal

Researchers suggest that monitoring spikes in camera exploitation attempts could serve as an early indicator of potential kinetic operations.

Tracking activity from known threat infrastructure may therefore provide valuable strategic intelligence.


Defensive Measures

Organizations operating IP camera infrastructure should adopt several mitigation strategies.

Patch Management

Apply firmware updates for known vulnerabilities.

Network Segmentation

Place surveillance systems on isolated networks.

Access Control

Disable default credentials and enforce strong authentication.

Monitoring

Deploy network monitoring tools to detect:

  • unusual login attempts
  • scanning activity
  • abnormal outbound traffic
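
One way to watch for the spikes in camera-probing activity described under "Cyber Activity as an Early Warning Signal" and the scanning activity listed under Monitoring, as an added example that is not from the researchers or the original article. It assumes a simplified "DATE SRC DST DPORT" firewall log format, a camera subnet of 10.20.0.0/24 and a set of camera-facing ports; all log lines are constructed.

```python
import ipaddress
import statistics
from collections import defaultdict

CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")  # assumption: camera VLAN
CAMERA_PORTS = {80, 443, 554, 8000, 37777}         # assumption: web, RTSP, vendor service ports

def daily_sources(lines):
    """Count distinct sources per day that touched camera addresses on camera ports."""
    seen = defaultdict(set)
    for line in lines:
        day, src, dst, dport = line.split()
        if ipaddress.ip_address(dst) in CAMERA_NET and int(dport) in CAMERA_PORTS:
            seen[day].add(src)
    return {day: len(srcs) for day, srcs in sorted(seen.items())}

def spike_days(counts, k=5.0, min_baseline=3):
    """Flag days whose count exceeds median + k * MAD of all preceding days."""
    days, flagged = list(counts), []
    for i, day in enumerate(days):
        history = [counts[d] for d in days[:i]]
        if len(history) < min_baseline:
            continue  # not enough baseline yet to judge this day
        med = statistics.median(history)
        # Median absolute deviation; floor of 1.0 avoids a zero-width threshold.
        mad = statistics.median(abs(x - med) for x in history) or 1.0
        if counts[day] > med + k * mad:
            flagged.append(day)
    return flagged

def sample_log():
    """Constructed log: quiet days with 2-3 sources, one day with 15."""
    per_day = {"2000-01-01": 2, "2000-01-02": 3, "2000-01-03": 2,
               "2000-01-04": 3, "2000-01-05": 15, "2000-01-06": 3}
    ports = sorted(CAMERA_PORTS)
    lines = []
    for day, n in per_day.items():
        for i in range(n):
            # Sources come from the 203.0.113.0/24 documentation range.
            lines.append(f"{day} 203.0.113.{i + 1} 10.20.0.{10 + i % 4} {ports[i % 5]}")
        lines.append(f"{day} 203.0.113.200 10.30.0.5 443")  # non-camera host, ignored
    return lines

if __name__ == "__main__":
    counts = daily_sources(sample_log())
    print(counts)
    print("spike days:", spike_days(counts))
```

Counting distinct sources rather than raw connections keeps one noisy scanner from dominating the baseline, and the median-based threshold stays stable after a spike day enters the history.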

Conclusion

The targeting of IP cameras across the Middle East demonstrates the growing integration of cyber capabilities into modern warfare. What might once have been considered minor security weaknesses in IoT devices can now provide strategic intelligence during military conflicts.

The campaign attributed to Iranian threat actors illustrates how compromised surveillance devices can support reconnaissance, targeting verification, and post-strike assessment in kinetic operations.

As geopolitical conflicts continue to evolve, the line between cyber operations and physical warfare will increasingly blur. Organizations and governments must therefore treat IoT security not merely as an IT issue but as a component of national and regional security infrastructure.