Iranian Cyber Attack Targets IP Cameras Across Middle East Amid Rising Tensions

Escalating Cyber Threats: IP Cameras in the Middle East Under Siege Amid Regional Tensions

In the volatile landscape of the Middle East, cyber warfare has taken a new and alarming turn. Since late February 2026, Iranian-linked threat actors have launched a coordinated campaign targeting internet-connected IP cameras across multiple countries in the region. This surge in cyberattacks underscores the growing integration of digital operations into physical military strategies, raising significant concerns about national security and privacy.

The Onset of the Campaign

The campaign was first detected on February 28, 2026, marked by a sharp increase in exploitation attempts aimed at IP cameras in Israel, the United Arab Emirates, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus. These attacks originated from infrastructure associated with Iranian threat actors, who utilized commercial VPN services—such as Mullvad, ProtonVPN, Surfshark, and NordVPN—and virtual private servers to obscure their true locations.

This pattern of cyber aggression is not isolated. Earlier activity was recorded on January 14–15, coinciding with Iran’s temporary closure of its airspace amid fears of a potential U.S. military strike. Analysts from Check Point Research have observed that spikes in camera exploitation consistently align with major geopolitical events, suggesting a deliberate strategy to leverage cyber capabilities in tandem with physical operations.

Strategic Targeting of Surveillance Infrastructure

The primary focus of these cyberattacks has been on devices manufactured by Hikvision and Dahua, two of the most widely deployed camera brands globally. These cameras are commonly installed in public areas, critical infrastructure sites, and commercial buildings, making them valuable targets for actors seeking real-time visual intelligence. Notably, no exploitation attempts from this infrastructure were directed at cameras from other manufacturers, indicating a calculated approach to target specific devices.

The implications of this campaign extend beyond traditional cyber espionage. During the 12-day conflict between Israel and Iran in June 2025, compromised cameras were likely used to support battle damage assessments and target corrections. A particularly concerning incident involved Iran’s missile strike on Israel’s Weizmann Institute of Science, where Iranian actors reportedly took control of a street-facing camera near the building just before the missile hit. This suggests that camera compromise is being utilized as a direct operational tool in kinetic warfare.

Exploitation of Known Vulnerabilities

The attackers have been exploiting several known vulnerabilities in Hikvision and Dahua devices:

– CVE-2017-7921: An improper authentication flaw in Hikvision camera firmware.

– CVE-2021-36260: A command injection vulnerability in Hikvision’s web server component.

– CVE-2023-6895: An OS command injection flaw in the Hikvision Intercom Broadcasting System.

– CVE-2025-34067: An unauthenticated remote code execution vulnerability in Hikvision’s Integrated Security Management Platform.

– CVE-2021-33044: An authentication bypass affecting multiple Dahua products.

While patches are available from the manufacturers for all these vulnerabilities, many devices remain unpatched and directly accessible from the internet, providing easy entry points for attackers.

Broader Context of IoT Device Exploitation

This campaign is part of a broader trend of exploiting vulnerabilities in Internet of Things (IoT) devices. For instance, the Murdoc Botnet has been actively exploiting vulnerabilities in AVTECH IP cameras and Huawei HG532 routers since July 2024, compromising over 1,300 devices worldwide. The botnet leverages critical vulnerabilities, such as CVE-2024-7029, an unpatchable command injection flaw affecting end-of-life AVTECH IP cameras, and CVE-2017-17215, a remote code execution flaw in Huawei routers. Once a device is compromised, attackers deploy malicious payloads to maintain control and propagate the botnet.

Similarly, the HiatusRAT malware has been targeting web cameras and digital video recorders (DVRs) since July 2022. This Remote Access Trojan (RAT) allows cybercriminals to take control of targeted devices remotely. In March 2024, HiatusRAT actors launched a widespread scanning campaign targeting IoT devices across the United States, Australia, Canada, New Zealand, and the United Kingdom. The attackers exploit various vulnerabilities, including CVE-2017-7921, an improper authentication vulnerability affecting various Hikvision camera models, and CVE-2018-9995, a flaw in multiple DVR brands allowing remote attackers to bypass authentication.

Mitigation Strategies

To mitigate the risks posed by these cyber threats, organizations and individuals are advised to:

1. Regularly Update Firmware: Ensure that all devices and firmware are updated with the latest security patches to protect against known vulnerabilities.

2. Change Default Credentials: Replace default usernames and passwords with strong, unique credentials to prevent unauthorized access.

3. Implement Network Segmentation: Isolate IoT devices from critical network infrastructure to limit potential damage in case of a compromise.

4. Monitor Network Traffic: Utilize security monitoring tools to detect abnormal network activity that may indicate a compromise.

5. Disable Unnecessary Services: Turn off services and features that are not in use to reduce the attack surface.

6. Conduct Regular Security Audits: Perform periodic assessments to identify and remediate vulnerabilities within the network.
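
The segmentation and traffic-monitoring steps above can be checked against firewall flow logs. The following is an added example, not part of the original article: it flags accepted flows that cross a camera segment boundary, either from the internet or from hosts that are not approved peers. The subnet, the NVR address, the log format and the sample records are all assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Assumed layout for this example: camera VLAN, approved peers, internal space.
CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_PEERS = {ipaddress.ip_address("10.20.40.5")}  # hypothetical NVR
INTERNAL = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in INTERNAL]

# Constructed flow records; external hosts use documentation address ranges.
SAMPLE_FLOWS = """\
ts,src,dst,dport,action
2026-03-01T02:11:07Z,198.51.100.23,10.20.30.14,80,ACCEPT
2026-03-01T02:11:09Z,10.20.40.5,10.20.30.14,554,ACCEPT
2026-03-01T02:12:40Z,10.20.30.14,203.0.113.77,443,ACCEPT
2026-03-01T02:13:02Z,10.20.10.88,10.20.30.21,8000,ACCEPT
2026-03-01T02:13:30Z,198.51.100.23,10.20.30.21,80,DENY
2026-03-01T02:14:00Z,10.20.30.21,10.20.40.5,514,ACCEPT
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def classify(src, dst):
    """Name the boundary violation for one accepted flow, or return None."""
    src_cam, dst_cam = src in CAMERA_NET, dst in CAMERA_NET
    if src_cam == dst_cam:
        return None  # intra-segment traffic, or traffic unrelated to cameras
    peer = src if dst_cam else dst
    if peer in ALLOWED_PEERS:
        return None  # expected NVR / management traffic
    scope = "internal" if is_internal(peer) else "internet"
    direction = "inbound" if dst_cam else "outbound"
    return f"{scope}-{direction}"

def audit_flows(text):
    """Return (ts, finding, src, dst, dport) for each flow needing review."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["action"] != "ACCEPT":
            continue  # blocked attempts did not reach the device
        src, dst = (ipaddress.ip_address(row[k]) for k in ("src", "dst"))
        kind = classify(src, dst)
        if kind:
            findings.append((row["ts"], kind, row["src"], row["dst"], row["dport"]))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

An "internet-inbound" finding means a camera is reachable from outside and should be moved behind a VPN or gateway; an "internet-outbound" finding is a camera initiating external connections and warrants investigation of that device.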

As cyber threats continue to evolve, staying vigilant and implementing robust security measures are crucial for protecting sensitive information and maintaining the integrity of network infrastructure.