research.checkpoint.com 3/4/2026, 3:57:27 AM

Iranian actors exploit Hikvision and Dahua IP cameras via CVEs

During the ongoing conflict, Check Point Research identified intensified targeting of IP cameras from two manufacturers beginning on 28 February, originating from infrastructure we attribute to Iranian threat actors. The targeting spans Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon and Cyprus, with camera-targeting activity also observed in specific areas of Lebanon on 1 March.

Earlier, on 14–15 January, cameras in Israel and Qatar were targeted, coinciding with Iran’s temporary closure of its airspace amid expectations of a potential U.S. strike. The activity is linked to attack infrastructure that uses commercial VPN exit nodes and virtual private servers, is believed to be employed by multiple Iran-nexus actors, and focuses on Hikvision and Dahua devices.

Patches are available for all the vulnerabilities identified, including CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067 and CVE-2021-33044, which were used in exploitation attempts observed since the beginning of the year. The findings suggest Iran leverages camera compromise for operational support and ongoing battle damage assessment for missile operations, potentially prior to launches, with camera-targeting activity serving as an early indicator of possible follow-on kinetic activity.

Article by CyberSIXT