Full Report
Attack infrastructure attributed to 'several Iran-nexus threat actors'

Multiple Iranian hacking crews have been targeting internet-connected surveillance cameras across Israel and other Middle Eastern countries since the war started on February 28, according to Check Point security researchers. …
Analysis Summary
# Threat Actor: Iran-nexus Threat Actors (Multiple Crews)
## Attribution & Identity
- **Actor Identification:** Attributed to several Iran-nexus threat actors and hacktivist crews.
- **Affiliation:** Strongly linked to Iran’s Ministry of Intelligence and Security (MOIS).
- **Associated Groups:** Includes various Iranian state-sponsored "hacking crews" and "hacktivist" entities, as well as observed coordination/overlap with pro-Russian hacktivists.
## Activity Summary
- **Primary Campaign:** Large-scale exploitation of IP cameras following the outbreak of conflict on February 28, 2026.
- **Historical Context:** In June 2025, these actors compromised servers in Jerusalem to access live CCTV streams just days before missile strikes.
- **Battle Damage Assessment (BDA):** Compromised camera feeds are used to support kinetic operations and to assess the impact of missile strikes after the fact (e.g., the hit on the Weizmann Institute of Science).
## Tactics, Techniques & Procedures
- **Vulnerability Research & Scanning:** Mass internet scanning for specific, already-public vulnerabilities in IoT/surveillance hardware.
- **Obfuscation:** Use of commercial VPN exit nodes to hide the true source of scanning and exploitation traffic.
- **Exploitation:** Exploitation of known, patched flaws (N-day vulnerabilities) on devices still running unpatched firmware.
- **Information Operations:** Hacktivist crews post captured footage on Telegram for "video bragging rights" and exaggerate the success of their intrusions for psychological impact.
- **MITRE ATT&CK IDs (Inferred):**
- **T1190:** Exploit Public-Facing Application (the camera web interface)
- **T1595.002:** Active Scanning: Vulnerability Scanning
- **T1090.003:** Proxy: Multi-hop Proxy (commercial VPN exit nodes)
- **T1210:** Exploitation of Remote Services (applies only if the actors pivot from a camera into the internal network; the page documents internet-facing exploitation only)
## Targeting
- **Sectors:** Critical Infrastructure, Government, Scientific Research (e.g., Weizmann Institute of Science), and Public Surveillance (CCTV/IP Cameras).
- **Geography:** Israel, Qatar, Bahrain, Kuwait, UAE, Cyprus, and Lebanon.
- **Victims:** Owners of Hikvision and Dahua surveillance systems; Jerusalem city surveillance servers.
## Tools & Infrastructure
- **Targeted Hardware:**
- Hikvision IP Cameras and Intercom Systems
- Dahua IP Cameras
- **Vulnerabilities Exploited:**
- CVE-2017-7921 (Hikvision - Improper Authentication / authentication bypass)
- CVE-2021-36260 (Hikvision - Unauthenticated Command Injection)
- CVE-2023-6895 (Hikvision Intercom Broadcast System - OS Command Injection)
- CVE-2025-34067 (Hikvision - Unauthenticated RCE)
- CVE-2021-33044 (Dahua - Authentication Bypass)
- **Infrastructure:**
- **VPN Services:** Mullvad, ProtonVPN, Surfshark, and NordVPN.
- **VPS:** Various Virtual Private Servers used for scanning and C2.
- **Source Report (Defanged URL, not actor infrastructure):** hxxps[://]research[.]checkpoint[.]com/2026/interplay-between-iranian-targeting-of-ip-cameras-and-physical-warfare-in-the-middle-east/
## Implications
- **Kinetic Integration:** Cyber operations are being used as a direct precursor or "early indicator" of physical missile attacks.
- **Surveillance-as-a-Weapon:** Compromised cameras provide real-time intelligence for targeting and post-strike damage assessment.
- **Regional Expansion:** Targeting is currently focused on the Middle East, but the report assesses with high confidence that it may expand to Western/US interests as the conflict evolves.
## Mitigations
- **Patch Management:** Immediately update Hikvision and Dahua camera firmware to the latest vendor version to remediate the CVEs listed above; verify the running firmware version after the update, and replace end-of-life models for which no fixed firmware exists.
- **Network Segmentation:** Isolate IP cameras on a dedicated VLAN with strictly controlled access; permit only the NVR/VMS to reach the cameras, and ensure cameras cannot initiate connections to OT or corporate networks.
- **Exposure Reduction:** Remove direct WAN access; cameras should never be reachable from the public internet (including via port forwarding or UPnP). Use a VPN or a secure gateway for remote management.
- **Identity & Access Management:** Replace default credentials with unique, strong passwords, disable unused services, and monitor camera and gateway logs for repeated login failures and for management-plane access from unexpected source networks, including commercial VPN exit ranges.
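The following is an added detection example for the TTPs and the log-monitoring mitigation described above; it is not code from Check Point or from the cited report. It scans constructed camera-gateway access log lines (Common Log Format, an assumption about what an NVR or reverse proxy in front of the cameras would produce) for three things: request-level indicators of the two most widely documented Hikvision N-days on the page (the indicator strings are taken from public write-ups of CVE-2017-7921 and CVE-2021-36260 and are assumptions, not something the report lists), management-plane access from outside an allow-listed network (the allow-list and all IP addresses are made up for the example), and repeated authentication failures from one source.

```python
"""Added example: detection logic over constructed camera access logs.
Not from Check Point or the cited report; indicators, log format, networks
and sample lines are assumptions made for this example."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log. 203.0.113.7 sends N-day exploitation attempts,
# 198.51.100.21 fails to authenticate repeatedly, 10.20.30.5 is the NVR.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2026:10:01:05 +0200] "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 200 5120
203.0.113.7 - - [01/Mar/2026:10:01:09 +0200] "PUT /SDK/webLanguage HTTP/1.1" 200 0
198.51.100.21 - - [01/Mar/2026:10:02:00 +0200] "GET /ISAPI/Security/sessionLogin HTTP/1.1" 401 0
198.51.100.21 - - [01/Mar/2026:10:02:01 +0200] "GET /ISAPI/Security/sessionLogin HTTP/1.1" 401 0
198.51.100.21 - - [01/Mar/2026:10:02:02 +0200] "GET /ISAPI/Security/sessionLogin HTTP/1.1" 401 0
10.20.30.5 - - [01/Mar/2026:10:03:00 +0200] "GET /ISAPI/Streaming/channels/101/picture HTTP/1.1" 200 88112
"""

# Assumed allow-list: only the management/NVR subnet may talk to the cameras.
MGMT_NETS = ["10.20.30.0/24"]

# Common Log Format: src ident user [ts] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Request-level indicators (assumption: strings as reported in public
# write-ups of these CVEs). Tuple: (rule name, required method or None, path regex).
INDICATORS = [
    # CVE-2017-7921: unauthenticated config/user download with a fixed
    # "auth" token (base64 of "admin:11\n").
    ("CVE-2017-7921 auth bypass", None, re.compile(r"[?&]auth=YWRtaW46MTEK")),
    # CVE-2021-36260: command injection via PUT to the webLanguage endpoint.
    ("CVE-2021-36260 webLanguage injection", "PUT", re.compile(r"^/SDK/webLanguage")),
]


def parse_line(line):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    return ev


def is_allowlisted(src, nets):
    """True if src falls inside one of the allow-listed networks."""
    addr = ip_address(src)
    return any(addr in n for n in nets)


def detect(log_text, mgmt_nets, fail_threshold=3):
    """Return a list of findings; each is a dict with at least 'rule' and 'src'."""
    nets = [ip_network(n) for n in mgmt_nets]
    findings = []
    failures = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        # 1. Known N-day exploitation attempts against the web interface (T1190).
        for name, method, pat in INDICATORS:
            if (method is None or ev["method"] == method) and pat.search(ev["path"]):
                findings.append({"rule": name, "src": ev["src"], "path": ev["path"]})
        # 2. Any request from outside the allow-list means the camera is
        #    exposed beyond the management network (exposure-reduction check).
        if not is_allowlisted(ev["src"], nets):
            findings.append({"rule": "access from non-allowlisted source",
                             "src": ev["src"], "path": ev["path"]})
        # 3. Repeated authentication failures from one source (credential guessing).
        if ev["status"] in (401, 403):
            failures[ev["src"]] += 1
            if failures[ev["src"]] == fail_threshold:
                findings.append({"rule": "repeated auth failures",
                                 "src": ev["src"], "count": fail_threshold})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG, MGMT_NETS):
        print(f)
```

In production the allow-list check alone is the most valuable signal: a camera that receives any request from a non-management address is by definition reachable from where it should not be, regardless of whether the request matches a known CVE signature. The signature list will lag behind new N-days such as CVE-2025-34067, so treat it as confirmation, not as the primary control.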