
Surge in Attacks on Surveillance Cameras Associated with Iranian Hackers


Surge in Compromise Attempts of Surveillance Cameras Amid Regional Conflict

A notable increase in attempts to compromise internet-connected surveillance cameras has been reported across the Middle East, coinciding with the intensifying regional conflict. These malicious activities are believed to be the work of threat actors linked to Iranian infrastructure. This alarming trend surfaced prominently starting February 28, impacting countries such as Israel, Qatar, Bahrain, Kuwait, the United Arab Emirates, and Cyprus. Further investigations on March 1 revealed targeted activities extending into specific areas of Lebanon.

Check Point Research (CPR) released the findings, which describe a coordinated campaign aimed primarily at devices manufactured by Hikvision and Dahua. The researchers suggested this activity aligns with Iran’s military doctrine, which favors the use of compromised surveillance cameras for operational planning and for assessing damage following missile strikes.

Activity Correlated with Geopolitical Developments

According to CPR's findings, the uptick in exploitation attempts tracks critical geopolitical developments in the region. Before this surge, targeted scanning increased notably on January 14 and 15, coinciding with Iran’s temporary closure of its airspace amid rising concerns over a potential U.S. military strike.

Further waves of cyber activity were traced to other significant events, including the following:

  • On January 24, the commander of the U.S. Central Command visited Israel amidst escalating tensions.
  • During early February, Iranian leadership issued public warnings indicating that any U.S. military strike could escalate the situation into a broader regional conflict.

These developments suggest a calculated attempt to leverage surveillance technologies for strategic military operations, underscoring the interplay between cyber espionage and physical military engagements.

Infrastructure and Tactics Behind the Campaign

CPR’s report described the infrastructure used in this campaign, identifying a combination of commercial VPN exit nodes such as Mullvad, ProtonVPN, Surfshark, and NordVPN. The campaign is also believed to employ virtual private servers affiliated with various Iranian-linked threat actors. This sophisticated use of technology highlights the advanced methodologies employed by these actors.

The direct targets of this campaign have been Hikvision and Dahua products, with researchers documenting scanning for specific vulnerabilities. Among these vulnerabilities are authentication bypass flaws and remote code execution (RCE) weaknesses. Notably, patches for these vulnerabilities are readily available, yet successful exploitation attempts have persisted.

CPR examined exploitation attempts that involved vulnerabilities cataloged as CVE-2021-33044 and CVE-2017-7921, which were traced back to Iranian-linked infrastructure and have been active since the beginning of the year. This level of persistent activity raises concerns about the willingness and capability of these actors to exploit known weaknesses.

Historical Precedent and Future Implications

The tactics currently observed mirror those employed during the brief but intense conflict between Israel and Iran in June 2025. A particularly striking incident involved the compromise of a street camera positioned near the Weizmann Institute of Science, which occurred shortly before a ballistic missile struck the site. Such historical precedents suggest that the targeting of surveillance cameras could potentially serve as a precursor to more severe military actions.

In conclusion, the report from Check Point Research indicates that monitoring camera-targeting activity from known Iranian-linked infrastructure could serve as an early warning of potential kinetic operations. To counter these threats, defenders are encouraged to remove public access to devices by eliminating WAN exposure, use VPNs, enforce robust credential policies, and keep firmware updated.

Moreover, implementing network segmentation for surveillance cameras on a dedicated VLAN and monitoring for unusual login attempts and outbound connections can enhance security measures. As cyber threats continue to evolve alongside geopolitical tensions, vigilance and proactive cybersecurity strategies will be paramount in safeguarding sensitive surveillance technologies within the region.
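The monitoring advice above, sketched as an added example that is not from CPR's report or the article: a small detector that flags camera-initiated outbound connections, external sources reaching cameras, and failed-login bursts. The addressing plan, the allowed peers, the threshold, and the `kind,src,dst,detail` record format are all assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import Counter

# Assumptions for this example (not from the article): addressing plan and log format.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
CAMERA_VLAN = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_PEERS = {ipaddress.ip_address("10.20.40.5"),    # recorder (NVR)
                 ipaddress.ip_address("10.20.40.10")}   # internal NTP
FAIL_THRESHOLD = 5  # failed logins from one source to one camera

# Constructed sample records: kind,src,dst,detail
SAMPLE = """\
flow,10.20.30.11,10.20.40.5,554
flow,10.20.30.11,203.0.113.77,443
flow,198.51.100.23,10.20.30.12,80
login,198.51.100.23,10.20.30.12,fail
login,198.51.100.23,10.20.30.12,fail
login,198.51.100.23,10.20.30.12,fail
login,198.51.100.23,10.20.30.12,fail
login,198.51.100.23,10.20.30.12,fail
login,10.20.40.5,10.20.30.11,ok
"""

def analyze(text):
    """Return sorted (alert, src, dst) tuples for one batch of records."""
    alerts, fails = set(), Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, src, dst, detail = (f.strip() for f in line.split(","))
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if kind == "flow":
            # A camera initiating traffic to anything but its known peers.
            if s in CAMERA_VLAN and d not in CAMERA_VLAN and d not in ALLOWED_PEERS:
                alerts.add(("unexpected-outbound", src, dst))
            # A non-internal source reaching a camera means it is WAN-exposed.
            if d in CAMERA_VLAN and s not in INTERNAL:
                alerts.add(("wan-exposed", src, dst))
        elif kind == "login" and d in CAMERA_VLAN:
            if detail == "fail":
                fails[(src, dst)] += 1
                if fails[(src, dst)] >= FAIL_THRESHOLD:
                    alerts.add(("login-burst", src, dst))
            elif s not in ALLOWED_PEERS:
                # Successful login from a host that is not an approved peer.
                alerts.add(("unapproved-login", src, dst))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(*alert)
```

On a correctly segmented VLAN with no WAN exposure, the first two alert types should never fire, so any occurrence is worth investigating rather than tuning away.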
