Posted on 03/05/2026 4:06:15 PM PST by nickcarraway
Attack infrastructure attributed to 'several Iran-nexus threat actors'
Multiple Iranian hacking crews have been targeting internet-connected surveillance cameras across Israel and other Middle Eastern countries since the war started on February 28, according to Check Point security researchers.
The Tel Aviv-based security shop has tracked "hundreds" of attempts to exploit a handful of bugs in IP cameras made by two manufacturers, Hikvision and Dahua, according to Sergey Shykevich, threat intelligence group manager at Check Point Research, in a conversation with El Reg.
The countries targeted in these digital intrusion attempts - Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus, and Lebanon - are the same ones that have seen significant missile activity linked to Iran.
Iran traditionally uses digital reconnaissance - including compromised cameras - to prepare for physical attacks. As recently as June 2025, threat groups linked to Iran's Ministry of Intelligence and Security (MOIS) compromised servers containing live CCTV streams from Jerusalem, allowing the crew to surveil the city for potential targets, just days before launching missile attacks against Jerusalem.
This more recent camera-targeting activity from infrastructure attributed to "several Iran-nexus threat actors" may be an "early indicator of potential follow-on kinetic activity," Check Point researchers said in a Wednesday threat intelligence report.
According to the security shop, the attack infrastructure combined commercial VPN exit nodes - including Mullvad, ProtonVPN, Surfshark, and NordVPN - and virtual private servers, which the Iranians used to scan for vulnerabilities in two specific surveillance camera brands: Hikvision and Dahua.
"No attempts to interact with other camera vendors were observed from this infrastructure," the researchers wrote.
The vulnerabilities include:
An improper authentication vulnerability in Hikvision IP camera firmware (CVE-2017-7921)
A command injection vulnerability in the Hikvision web server component (CVE-2021-36260)
An OS command injection vulnerability in Hikvision Intercom Broadcasting System (CVE-2023-6895)
An unauthenticated remote code execution vulnerability in Hikvision Integrated Security Management Platform (CVE-2025-34067)
An authentication bypass vulnerability in multiple Dahua products (CVE-2021-33044)
All of these security flaws have patches.
Check Point reports it tracked similar targeting during the 12-day war between Israel and Iran in June 2025, likely to support battle damage assessment. In one such case, Iran hit Israel's Weizmann Institute of Science with a ballistic missile shortly after reportedly compromising a street camera facing the building.
The threat hunters urged defenders to update camera firmware and software to the latest patched versions, and remove direct WAN access so cameras aren't exposed to the public internet. They also suggested isolating cameras on a dedicated VLAN with no lateral access to corporate or operational technology networks, and monitoring for repeated login failures or unexpected remote logins.
Shykevich told us Check Point hasn't yet observed any attacks or attempts against US targets, but "we assess it can expand in the upcoming days or weeks."
All of Iran's cyber activity to date during this military conflict has targeted Israel and other Persian Gulf countries, with the bulk of it being disinformation attempts, cyberespionage, and distributed denial of service attempts by Iran's many hacktivist crews. While some of these government-linked hacktivists do have the capabilities to launch destructive cyberattacks, their intrusions are typically more for show and Telegram video bragging rights, with attackers exaggerating their success.
In addition to Iranian hacktivist groups, Palo Alto Networks' Unit 42 threat intel team has tracked an uptick in pro-Russian hacktivists over the past week, senior manager Justin Moore told The Register.
This, he said, is "effectively expanding the Middle East's attack surface, and potentially exposing regional infrastructure to high-disruption tactics historically used by these groups against NATO and European interests." ®
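The monitoring advice in the article (repeated login failures, unexpected remote logins) can be expressed as a small detection script. This is an added example, not part of the original article or Check Point's report; the log format, management subnet, threshold and addresses are constructed assumptions, so a real camera or NVR log needs its own parser.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions: cameras are reachable only from this management subnet, and
# five failures from one source against one camera in 5 minutes is abnormal.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)

# Constructed sample events, one per line: "time camera source_ip result".
SAMPLE_LOG = """\
2026-03-04T02:10:00 cam-lobby 10.20.0.15 OK
2026-03-04T02:11:00 cam-gate 198.51.100.7 FAIL
2026-03-04T02:11:20 cam-gate 198.51.100.7 FAIL
2026-03-04T02:11:40 cam-gate 198.51.100.7 FAIL
2026-03-04T02:12:00 cam-gate 198.51.100.7 FAIL
2026-03-04T02:12:20 cam-gate 198.51.100.7 FAIL
2026-03-04T02:30:00 cam-roof 10.20.0.15 FAIL
2026-03-04T03:05:00 cam-roof 203.0.113.44 OK
"""

def detect(log_text):
    """Return (rule, camera, source_ip) alerts for the two monitored signals."""
    alerts = []
    failures = defaultdict(deque)  # (camera, source) -> recent failure times
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, camera, src_raw, result = line.split()
        ts = datetime.fromisoformat(ts_raw)
        src = ipaddress.ip_address(src_raw)
        if result == "OK":
            # A successful login from outside the management subnet means the
            # camera is reachable from somewhere it should not be.
            if not any(src in net for net in MGMT_NETS):
                alerts.append(("unexpected_remote_login", camera, src_raw))
        elif result == "FAIL":
            window = failures[(camera, src_raw)]
            window.append(ts)
            while ts - window[0] > WINDOW:  # drop failures older than WINDOW
                window.popleft()
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("repeated_login_failures", camera, src_raw))
                window.clear()  # restart the count so one burst alerts once
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```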
Maybe should not have revealed that Israel hacked Iran’s cameras?
Exactly. There is too much blabbing going on. In almost every dept.
“…The Tel Aviv-based security shop has tracked “hundreds” of attempts to exploit a handful of bugs in IP cameras made by two manufacturers, Hikvision and Dahua…”
************************************************************
There are reasons why the US had these two Chicom companies under various sanctions and restrictions. If you deal with the Chinese for technological support…EXPECT SPYWARE OR AT LEAST SECURITY VULNERABILITIES.
Obviously not.