Iran-linked threat actors are ramping up cyberattacks on internet-connected IP cameras amid escalating Middle East tensions. Starting late February 2026, these coordinated efforts have hit devices in Israel, UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus. This isn’t random hacking; it’s a tactical move blending cyber ops with real-world military actions, turning everyday surveillance into frontline intelligence tools.
Experts first spotted the surge on February 28, with attackers masking their tracks via popular VPNs like Mullvad, ProtonVPN, Surfshark, and NordVPN, plus VPS servers tied to Iran. Similar spikes hit earlier: January 14-15 during Iran’s airspace shutdown over U.S. strike fears, and January 24 amid a U.S. Central Command visit to Israel. By early February, as IRGC chatter warned of regional war, attempts exploded again. Check Point Research data shows these align perfectly with geopolitical flashpoints, underscoring how cyber tools now fuel physical conflicts.
Why Hikvision and Dahua Cameras?
Attackers zero in on Hikvision and Dahua, two giants dominating global IP camera markets—Hikvision holds about 30% share worldwide per 2025 IDC reports, Dahua around 15%. These brands blanket public spaces, critical infrastructure like power plants and airports, and commercial hubs in the region.
Key Vulnerabilities Exploited
Check Point mapped five flaws, all with patches available yet widely ignored:
- CVE-2017-7921 (Hikvision): Improper authentication in firmware, letting attackers skip logins.
- CVE-2021-36260 (Hikvision): Command injection via web server, enabling remote shell access.
- CVE-2023-6895 (Hikvision): OS command injection in Intercom Broadcasting System.
- CVE-2025-34067 (Hikvision): Unauthenticated remote code execution in Integrated Security Management Platform—disclosed just months ago.
- CVE-2021-33044 (Dahua): Authentication bypass across multiple products.
NIST’s database rates most as high-severity (CVSS 8.0+), with RCE flaws allowing full device takeover. Krebs on Security reported in early 2026 that 60% of scanned Middle East cams remain exposed, often due to legacy installs in high-risk zones.
Attack Waves by Country
Israel and Qatar bore the brunt, with peaks of 1,000+ daily attempts per Check Point graphs. Bahrain, Kuwait, UAE, Cyprus, and Lebanon saw steady rises too. This precision targeting suggests state-backed ops, not script kiddies.
Essential Defenses for IP Cameras
Organizations must act fast. Here’s a prioritized checklist, drawn from CISA, NIST, and vendor best practices:
- Isolate Networks: Pull cameras/NVRs off the public internet; use VPNs or zero-trust gateways. Segment via VLANs and block unnecessary outbound traffic.
- Patch Aggressively: Update firmware weekly; Hikvision’s portal offers auto-checks. Ditch EOL devices; replace with patched models.
- Secure Credentials: Ban defaults; enforce 16+ char passphrases, MFA where possible. Rotate quarterly.
- Monitor Actively: Watch logins, failed auths, and odd outbound traffic (e.g., to C2 servers). Tools like Splunk or the open-source ELK stack can detect anomalies.
- Advanced Steps: Deploy web app firewalls (WAFs) tuned for CVE exploits. Run vulnerability scanners like Nessus. Conduct red-team sims quarterly.
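To make the "Monitor Actively" item concrete, here is an added example (not from Check Point or the original post) that runs the three checks it names over a few log lines: failed-auth bursts, logins from outside the management network, and camera traffic to unexpected destinations. The log format, subnets, allowlist and threshold are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Assumed addressing for this example; substitute your own segmentation.
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")   # camera/NVR VLAN
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")     # admin hosts, VPN exit
ALLOWED_OUT = {ipaddress.ip_address("10.10.0.5")}   # recorder cameras stream to
FAIL_THRESHOLD = 3                                  # failed logins per source

# Constructed sample events (not real logs): "<time> <kind> <src> <dst> <detail>"
SAMPLE_LOG = """\
2026-02-28T01:00:01Z auth_fail 198.51.100.7 10.20.0.11 user=admin
2026-02-28T01:00:03Z auth_fail 198.51.100.7 10.20.0.11 user=admin
2026-02-28T01:00:05Z auth_fail 198.51.100.7 10.20.0.12 user=admin
2026-02-28T01:00:09Z auth_ok 198.51.100.7 10.20.0.12 user=admin
2026-02-28T01:02:00Z auth_ok 10.10.0.5 10.20.0.11 user=operator
2026-02-28T01:03:10Z conn 10.20.0.12 203.0.113.50 port=443
2026-02-28T01:03:11Z conn 10.20.0.11 10.10.0.5 port=554
2026-02-28T01:04:00Z auth_fail 10.10.0.9 10.20.0.11 user=operator
"""

def analyze(log_text):
    """Return sorted (alert, source, target) tuples for the three checks."""
    fails, alerts = Counter(), set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        kind = parts[1]
        src = ipaddress.ip_address(parts[2])
        dst = ipaddress.ip_address(parts[3])
        if kind == "auth_fail" and dst in CAMERA_NET:
            fails[src] += 1  # counted across all cameras, per source
        elif kind == "auth_ok" and dst in CAMERA_NET and src not in MGMT_NET:
            # A login from outside management means the device is reachable
            # from somewhere it should not be.
            alerts.add(("external_login", str(src), str(dst)))
        elif kind == "conn" and src in CAMERA_NET and dst not in ALLOWED_OUT:
            alerts.add(("unexpected_outbound", str(src), str(dst)))
    for src, count in fails.items():
        if count >= FAIL_THRESHOLD:
            alerts.add(("failed_auth_burst", str(src), f"{count} failures"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

The same three rules translate directly into Splunk or ELK queries once camera, firewall and NVR logs are shipped to the SIEM.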
Broader Risks and Global Lessons
No other makers faced hits from this infrastructure, making Hikvision/Dahua prime for live visual intel. In the June 2025 Israel-Iran clash, compromised cameras aided battle damage checks and missile tweaks. One chilling case: hackers seized a street cam near Israel’s Weizmann Institute right before a strike.
This campaign signals a dangerous evolution: cyber as kinetic enabler. CISA’s 2026 advisories note IP cameras as top IoT attack vectors, with 40% of breaches starting via unpatched devices. Dark Reading analyses highlight how nation-states like Iran use them for “persistent surveillance.” Globally, over 1.5 million exposed cameras run vulnerable firmware, per Shodan scans. 2026 ENISA reports link similar Iran clusters to 25% more IoT exploits region-wide.
AI enhances it: tools auto-analyze feeds for anomalies, boosting strike accuracy by 15-30% (per MITRE assessments). IBM’s 2026 report pegs average IoT breach at $4.5 million. UAE firms cut exposures 70% post-2025 audits via air-gapped setups.
Staying Ahead in 2026
As conflicts rage, expect more hybrid threats. Train teams on IoT risks—free CISA modules cover basics. Partner with MSSPs for 24/7 monitoring. Ultimately, proactive defense turns vulnerabilities into strengths.
