Multiple Iranian hacking crews have been targeting internet-connected surveillance cameras across Israel and other Middle Eastern countries since the war started on February 28, according to Check Point security researchers.
The Tel Aviv-based security shop has tracked "hundreds" of attempts to exploit a handful of bugs in IP cameras made by two manufacturers, Hikvision and Dahua, according to Sergey Shykevich, threat intelligence group manager at Check Point Research, in a conversation with El Reg.
The countries targeted in these digital intrusion attempts - Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus, and Lebanon - are the same ones that have seen significant missile activity linked to Iran.
Iran traditionally uses digital reconnaissance - including compromised cameras - to prepare for physical attacks. As recently as June 2025, threat groups linked to Iran's Ministry of Intelligence and Security (MOIS) compromised servers containing live CCTV streams from Jerusalem, allowing the crew to surveil the city for potential targets, just days before launching missile attacks against Jerusalem.
This more recent camera-targeting activity from infrastructure attributed to "several Iran-nexus threat actors" may be an "early indicator of potential follow-on kinetic activity," Check Point researchers said in a Wednesday threat intelligence report.
According to the security shop, the attack infrastructure combined commercial VPN exit nodes - including Mullvad, ProtonVPN, Surfshark, and NordVPN - and virtual private servers, which the Iranians used to scan for vulnerabilities in two specific surveillance camera brands: Hikvision and Dahua.
"No attempts to interact with other camera vendors were observed from this infrastructure," the researchers wrote.
The vulnerabilities include:
All of these security flaws have patches.
Check Point reports it tracked similar targeting during the 12-day war between Israel and Iran in June 2025, likely to support battle damage assessment. In one such case, Iran hit Israel's Weizmann Institute of Science with a ballistic missile shortly after reportedly compromising a street camera facing the building.
The threat hunters urged defenders to update camera firmware and software to the latest patched versions, and remove direct WAN access so cameras aren't exposed to the public internet. They also suggested isolating cameras on a dedicated VLAN with no lateral access to corporate or operational technology networks, and monitoring for repeated login failures or unexpected remote logins.
Shykevich told us Check Point hasn't yet observed any attacks or attempts against US targets, but "we assess it can expand in the upcoming days or weeks."
All of Iran's cyber activity to date during this military conflict has targeted Israel and other Persian Gulf countries, with the bulk of it being disinformation attempts, cyberespionage, and distributed denial of service attempts by Iran's many hacktivist crews. While some of these government-linked hacktivists do have the capabilities to launch destructive cyberattacks, their intrusions are typically more for show and Telegram video bragging rights, with attackers exaggerating their success.
In addition to Iranian hacktivist groups, Palo Alto Networks' Unit 42 threat intel team has tracked an uptick in pro-Russian hacktivists over the past week, senior manager Justin Moore told The Register.
This, he said, is "effectively expanding the Middle East's attack surface, and potentially exposing regional infrastructure to high-disruption tactics historically used by these groups against NATO and European interests." ®
Source: The Register