Iranian cyber groups have launched hundreds of hacking attempts against Hikvision and Dahua IP cameras in Israel and neighboring countries, using VPN infrastructure and exploiting known vulnerabilities as potential reconnaissance for kinetic operations.
Iranian hackers have launched hundreds of attacks against internet-connected surveillance cameras across the Middle East since the recent military escalation began, according to security researchers who warn this digital reconnaissance could precede physical strikes.
Camera targeting reveals Iranian cyber tactics
The attacks, tracked by Check Point Research, have specifically targeted IP cameras manufactured by Hikvision and Dahua in Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus, and Lebanon. These are the same countries that have experienced significant missile activity linked to Iran.
According to Sergey Shykevich, threat intelligence group manager at Check Point Research, the attack infrastructure has been attributed to "several Iran-nexus threat actors" who combined commercial VPN exit nodes - including Mullvad, ProtonVPN, Surfshark, and NordVPN - with virtual private servers to scan for vulnerabilities.
Known vulnerabilities exploited
The hackers exploited multiple security flaws in the targeted camera systems:
- CVE-2017-7921: Improper authentication vulnerability in Hikvision IP camera firmware
- CVE-2021-36260: Command injection vulnerability in Hikvision web server component
- CVE-2023-6895: OS command injection vulnerability in Hikvision Intercom Broadcasting System
- CVE-2025-34067: Unauthenticated remote code execution vulnerability in Hikvision Integrated Security Management Platform
- CVE-2021-33044: Authentication bypass vulnerability in multiple Dahua products
All of these vulnerabilities have available patches, but many organizations have not updated their camera firmware and software.
Historical context of camera-based reconnaissance
This targeting follows a pattern established by Iranian cyber operations. In June 2025, threat groups linked to Iran's Ministry of Intelligence and Security compromised servers containing live CCTV streams from Jerusalem, allowing surveillance of the city for potential targets just days before launching missile attacks.
During the 12-day war between Israel and Iran in June 2025, Check Point observed similar targeting likely to support battle damage assessment. In one notable case, Iran hit Israel's Weizmann Institute of Science with a ballistic missile shortly after reportedly compromising a street camera facing the building.
Potential for kinetic follow-on attacks
The current camera-targeting activity may be an "early indicator of potential follow-on kinetic activity," according to Check Point researchers. The security shop noted that Iran traditionally uses digital reconnaissance - including compromised cameras - to prepare for physical attacks.
This pattern aligns with observations from Amazon's security leadership, who have noted that hostile countries use cyber targeting for physical military strikes. The targeting of critical infrastructure through cyber means has become an established precursor to kinetic operations in modern conflict.
Defense recommendations
Check Point researchers urged defenders to:
- Update camera firmware and software to the latest patched versions
- Remove direct WAN access so cameras aren't exposed to the public internet
- Isolate cameras on a dedicated VLAN with no lateral access to corporate or operational technology networks
- Monitor for repeated login failures or unexpected remote logins
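The last recommendation can be automated. The sketch below is an added example, not code from Check Point or the camera vendors: it scans authentication events for repeated login failures and for successful logins from outside a management subnet. The log layout, the subnet and the thresholds are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values, not from the article: management subnet and alert thresholds.
MGMT_NETS = [ipaddress.ip_network("10.20.30.0/24")]
MAX_FAILS, WINDOW = 5, timedelta(minutes=5)

# Constructed sample log: "<ISO time> <camera> <event> user=<name> src=<ip>"
SAMPLE_LOG = """\
2025-01-01T10:00:00 cam-01 LOGIN_OK user=admin src=10.20.30.5
2025-01-01T10:01:00 cam-02 LOGIN_FAIL user=admin src=203.0.113.7
2025-01-01T10:01:20 cam-02 LOGIN_FAIL user=admin src=203.0.113.7
2025-01-01T10:01:40 cam-02 LOGIN_FAIL user=root src=203.0.113.7
2025-01-01T10:02:00 cam-02 LOGIN_FAIL user=admin src=203.0.113.7
2025-01-01T10:02:20 cam-02 LOGIN_FAIL user=admin src=203.0.113.7
2025-01-01T10:03:00 cam-03 LOGIN_OK user=admin src=198.51.100.9
2025-01-01T10:04:00 cam-01 LOGIN_FAIL user=admin src=10.20.30.8
this line is malformed and is skipped
"""

def parse(line):
    """Split one log line into (time, camera, event, source IP)."""
    ts, cam, event, _user, src = line.split()
    return (datetime.fromisoformat(ts), cam, event,
            ipaddress.ip_address(src.split("=", 1)[1]))

def detect(log_text):
    """Return alerts as (kind, camera, source) tuples, in log order."""
    alerts, fails = [], defaultdict(deque)  # (camera, src) -> failure times
    for line in log_text.splitlines():
        try:
            ts, cam, event, src = parse(line)
        except (ValueError, IndexError):
            continue  # unparseable line: ignore rather than crash the monitor
        if event == "LOGIN_FAIL":
            recent = fails[(cam, src)]
            recent.append(ts)
            while ts - recent[0] > WINDOW:  # drop failures outside the window
                recent.popleft()
            if len(recent) == MAX_FAILS:    # fire once when threshold is hit
                alerts.append(("repeated_failures", cam, str(src)))
        elif event == "LOGIN_OK" and not any(src in n for n in MGMT_NETS):
            # successful login from outside the management subnet
            alerts.append(("unexpected_remote_login", cam, str(src)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Failures are counted per camera and source address, so a source that spreads attempts across many cameras needs a second counter keyed on the source alone.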
Broader regional cyber conflict
While Check Point hasn't observed attacks against US targets yet, researchers assess that targeting could expand in the upcoming days or weeks. All of Iran's cyber activity to date during this military conflict has targeted Israel and other Persian Gulf countries.
The bulk of Iranian cyber operations have involved disinformation attempts, cyberespionage, and distributed denial of service attacks by Iran's many hacktivist crews. While some government-linked hacktivists possess capabilities for destructive cyberattacks, their intrusions are typically more for show and Telegram video bragging rights, with attackers exaggerating their success.
Adding to the complexity, Palo Alto Networks' Unit 42 threat intel team has tracked an uptick in pro-Russian hacktivists over the past week. According to senior manager Justin Moore, this is "effectively expanding the Middle East's attack surface, and potentially exposing regional infrastructure to high-disruption tactics historically used by these groups against NATO and European interests."
The convergence of Iranian state-linked operations and opportunistic pro-Russian hacktivist activity creates a more volatile cyber environment across the Middle East, with the potential for both targeted reconnaissance and widespread disruptive attacks.
