Full Report
As highlighted in the Cyber Security Report 2026, cyber operations have increasingly become an additional tool in interstate conflicts, used both to support military operations and to enable ongoing battle damage assessment (BDA). During the 12-day conflict between Israel and Iran in June 2025, the compromise of cameras was likely used to support […]
The post Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East appeared first on Check Point Research.
Analysis Summary
# Threat Actor: Iran-nexus Threat Actors
## Attribution & Identity
- **Identified Group:** Multiple Iran-nexus threat actors (no specific APT groups are named; the activity is attributed to Iranian state interests).
- **Associations:** Likely tied to Iranian military or intelligence services (IRGC/MOIS) given the coordination with kinetic missile operations.
## Activity Summary
- **Primary Campaign:** Intensified targeting and exploitation of IP cameras in early 2026, specifically spiking on February 28 during regional conflict.
- **Historical Context:** Similar activity was observed January 14–15, 2026, coinciding with Iranian airspace closures and domestic anti-regime protests.
- **Operational Linkage:** Cyber operations are used to support "Battle Damage Assessment" (BDA) and target correction for physical missile strikes.
## Tactics, Techniques & Procedures
- **Vulnerability Research & Scanning:** Mass scanning for specific vulnerabilities in IP camera firmware.
- **Exploitation of Known Vulnerabilities:**
  - **CVE-2017-7921:** Improper authentication in Hikvision IP cameras.
  - **CVE-2021-36260:** Command injection in Hikvision devices.
  - **Dahua Exploitation:** (Mentioned as a target, though specific CVE IDs for Dahua were truncated in the text).
- **Proxying & Anonymization:** Use of commercial VPN exit nodes to mask origin.
- **Battle Damage Assessment (BDA):** Leveraging compromised camera feeds to visualize the impact of kinetic strikes in real time.
## Targeting
- **Sectors:** Critical Infrastructure, Public Surveillance, Residential/Commercial IP Cameras.
- **Geography:** Israel, UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus.
- **Victims:** Owners of Hikvision and Dahua IP camera systems within the aforementioned regions.
## Tools & Infrastructure
- **Hardware Targets:** Hikvision and Dahua IP cameras/NVRs.
- **VPN Providers:**
  - Mullvad
  - ProtonVPN
  - Surfshark
  - NordVPN
- **Computing Resources:** Various Virtual Private Servers (VPS).
- **Infrastructure (Defanged):**
  - Commercial VPN exit nodes (Specific IPs not listed in text, but categorized by provider).
  - URL: hxxps[://]research[.]checkpoint[.]com/2026/interplay-between-iranian-targeting-of-ip-cameras-and-physical-warfare-in-the-middle-east/
## Implications
- **Kinetic-Cyber Convergence:** The targeting of cameras serves as a leading indicator of potential missile launches or military action.
- **Strategic Intelligence:** Iran utilizes the "Internet of Things" (IoT) as a distributed sensor network to verify the success of interstate military strikes.
- **Regional Threat:** Countries hosting U.S. interests or opposing Iranian regional policy are at heightened risk of surveillance via compromised IoT devices.
## Mitigations
- **Eliminate Public Exposure:** Remove direct WAN access to IP cameras and NVRs; place devices behind a VPN or Zero-Trust gateway.
- **Credential Hygiene:** Change all default passwords and enforce high-entropy, unique credentials.
- **Patch Management:** Immediately apply firmware updates for Hikvision and Dahua devices; decommission end-of-life (EoL) hardware.
- **Network Segmentation:** Isolate all IoT devices on a dedicated VLAN with restricted lateral movement to corporate or OT networks.
- **Monitoring:** Watch for repeated login failures against cameras and for unauthorized outbound connections from camera hardware to unusual external IPs.
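
The monitoring item above, sketched as detection logic. This is an added example, not code from the Check Point report. The log format, the camera VLAN `10.20.30.0/24`, the internal range and the threshold are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the report): camera VLAN, internal range, threshold.
CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # all internal hosts assumed here
FAIL_THRESHOLD = 5  # failed logins per camera within the analyzed window

# Constructed sample in a hypothetical "ts event=... src=... dst=..." format.
SAMPLE_LOG = """\
2026-02-28T06:01:02Z event=login_fail src=198.51.100.7 dst=10.20.30.11
2026-02-28T06:01:03Z event=login_fail src=198.51.100.7 dst=10.20.30.11
2026-02-28T06:01:09Z event=login_fail src=192.0.2.44 dst=10.20.30.11
2026-02-28T06:01:10Z event=login_fail src=192.0.2.44 dst=10.20.30.11
2026-02-28T06:01:15Z event=login_fail src=203.0.113.9 dst=10.20.30.11
2026-02-28T06:01:16Z event=login_fail src=203.0.113.9 dst=10.20.30.11
2026-02-28T06:02:00Z event=login_fail src=10.20.0.77 dst=10.20.30.12
2026-02-28T06:03:00Z event=flow src=10.20.30.11 dst=10.20.0.5
2026-02-28T06:03:05Z event=flow src=10.20.30.11 dst=203.0.113.50
truncated line without fields
"""
LINE_RE = re.compile(r"^\S+ event=(\w+) src=(\S+) dst=(\S+)$")

def analyze(log_text):
    """Return (cameras with repeated login failures, camera->external flows)."""
    fails = defaultdict(list)   # camera -> source of each failed login
    outbound = set()            # (camera, external destination)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # skip malformed lines instead of crashing
        event, src, dst = m.groups()
        try:
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        if event == "login_fail" and dst in CAMERA_NET:
            fails[dst].append(src)
        elif event == "flow" and src in CAMERA_NET:
            if dst not in INTERNAL_NET:
                outbound.add((str(src), str(dst)))
    # Count per camera, not per source: attempts spread over several VPN
    # exit nodes stay under any per-source threshold.
    brute = {str(cam): (len(srcs), len(set(srcs)))
             for cam, srcs in fails.items() if len(srcs) >= FAIL_THRESHOLD}
    return brute, sorted(outbound)

print(analyze(SAMPLE_LOG))
```

Each flagged camera maps to a pair of (total failures, distinct sources); many sources with few failures each is the pattern a per-source counter would miss.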