‘Hundreds’ of Iranian hacking attempts have hit surveillance cameras since the missile strikes
Summary
Check Point Research says it has tracked “hundreds” of attempts by Iran‑nexus threat actors to exploit known vulnerabilities in Hikvision and Dahua IP cameras since the conflict began on 28 February. The scanning and exploitation attempts targeted devices across Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus and Lebanon.
The attackers used commercial VPN exit nodes (Mullvad, ProtonVPN, Surfshark, NordVPN) and VPS infrastructure to scan for and try to exploit several patched CVEs in Hikvision and Dahua products. Check Point notes these intrusions mirror previous campaigns used for reconnaissance ahead of kinetic strikes and warns the activity could precede further physical or cyber attacks.
Key Points
- Check Point observed “hundreds” of targeting attempts against Hikvision and Dahua IP cameras in multiple Middle Eastern countries since 28 February.
- Infrastructure attributed to “several Iran‑nexus threat actors” combined commercial VPNs and virtual private servers to scan and exploit devices.
- Vulnerabilities targeted include CVE‑2017‑7921, CVE‑2021‑36260, CVE‑2023‑6895, CVE‑2025‑34067 (Hikvision) and CVE‑2021‑33044 (Dahua) — all of which have patches available.
- No other camera vendors were observed being targeted by the same infrastructure.
- Check Point links similar past activity to reconnaissance ahead of missile strikes and warns this could be an indicator of follow‑on kinetic activity.
- Mitigations recommended: update firmware, remove direct WAN exposure, isolate cameras on a dedicated VLAN, and monitor for repeated login failures or unusual remote logins.
- Palo Alto Networks’ Unit 42 also reports increased pro‑Russian hacktivist activity, broadening the attack surface in the region.
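The monitoring mitigation above (repeated login failures, unusual remote logins), shown as an added example that is not code from Check Point or the article. The log line format, the management subnet 10.20.99.0/24 and the threshold of five failures in ten minutes are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy: logins come only from this subnet; 5 failures in 10 min alert.
MGMT_NETS = [ipaddress.ip_network("10.20.99.0/24")]
MAX_FAILS, WINDOW = 5, timedelta(minutes=10)
LINE_RE = re.compile(r"^(?P<ts>\S+) cam=(?P<cam>\S+) src=(?P<src>\S+) "
                     r"event=(?P<event>login_failed|login_ok) user=\S+$")

def parse_line(line):
    """Return a record for a well-formed auth line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "src": ipaddress.ip_address(m["src"]),
                "cam": m["cam"], "event": m["event"]}
    except ValueError:          # bad timestamp or source address
        return None

def detect(lines):
    """Return (alert, camera, source) tuples from time-ordered log lines."""
    fails, alerts = defaultdict(deque), []  # fails: (camera, source) -> times
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["cam"], str(rec["src"]))
        kind = None
        if rec["event"] == "login_failed":
            q = fails[key]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > WINDOW:   # expire failures outside window
                q.popleft()
            if len(q) >= MAX_FAILS:
                kind = "repeated_login_failures"
        elif not any(rec["src"] in net for net in MGMT_NETS):
            kind = "login_from_outside_mgmt_net"
        if kind and (kind, *key) not in alerts:  # one alert per kind and pair
            alerts.append((kind, *key))
    return alerts

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [f"2025-01-01T00:0{i}:00Z cam=10.20.0.11 src=203.0.113.7 "
          f"event=login_failed user=admin" for i in range(5)] + [
    "2025-01-01T00:06:00Z cam=10.20.0.11 src=10.20.99.5 event=login_ok user=ops",
    "2025-01-01T00:07:00Z cam=10.20.0.12 src=198.51.100.23 event=login_ok user=admin",
    "not a log line",
]
```

Calling detect(SAMPLE) returns one alert for the failure burst and one for the successful login from outside the management subnet. Real camera or gateway logs need their own pattern in place of LINE_RE; the windowing and subnet check carry over unchanged.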
Context and relevance
The story matters because IoT surveillance feeds are regularly used for digital reconnaissance that supports physical operations. Previous campaigns tied to Iran compromised public cameras shortly before missile strikes; similar targeting now across several countries suggests reconnaissance efforts are continuing alongside kinetic action. Organisations operating IP cameras — especially in the region — should treat this as an elevated threat and act on basic network segmentation and patching advice immediately.
Author style
Punchy: this is concise, alarm‑flag material for security teams and infrastructure owners. The article is worth reading in full if you manage cameras, networks or OT in affected regions — it amplifies why basic IoT hygiene can be the difference between harmless scans and real operational exposure.
Why should I read this?
Look — if you’ve got internet‑connected cameras, you need to care. Check Point’s research shows this is targeted, repeated, and tied to real‑world conflict. We read the tech bits so you don’t have to: patch devices, get them off direct WAN access, and lock them down now.
