Everyone figured cyber would tag along in this Middle East flare-up — a distraction, maybe some DDoS noise. But Check Point Research just dropped data showing Iranian threat actors ramping up IP camera scans in lockstep with missile launches. It’s not coincidence. It’s doctrine.
Iran closed airspace January 14, spooked by U.S.-Israel chatter. Same day? Scans spike on cameras in Israel and Qatar. February 28, hostilities kick off — boom, intensified targeting across Israel, UAE, Qatar, Bahrain, Kuwait, even sites in Cyprus and Lebanon. These aren’t random pings. They’re probing Hikvision and Dahua gear, the cheap staples in so many security setups.
“Taken together, these findings are consistent with the assessment that Iran, as part of its doctrine, uses camera compromise for operational support and ongoing battle damage assessment (BDA) for missile operations, potentially in some cases prior to missile launches.”
That’s Check Point’s mic-drop line. And it’s gold — because it flips the script. Cyber isn’t support anymore. It’s the forward scout.
When Do Iranian Camera Scans Spike?
Look at the timeline. January 14-15: Anti-regime protests rage inside Iran; they blame Uncle Sam and Israel, shutter skies. CPR spots waves against Israeli cams, Qatar too, even Iraqi Kurdistan. January 24: CENTCOM boss lands in Israel for pow-wows. More scans. Early February: IRGC whispers of U.S. strikes, regional war fears. Guess what follows?
Gulf states light up February 28. Qatar waves. Bahrain pulses. Kuwait joins. All tied to infrastructure Check Point pins on Iran-nexus crews — Mullvad VPNs, Proton, Surfshark, Nord, mixed with VPS nodes. No other vendors hit. Just Hikvision, Dahua.
It’s surgical. And scary precise.
Which Vulnerabilities Are Iranian Hackers Exploiting?
Here’s the tech meat — and why orgs in the crosshairs need to patch yesterday.
- CVE-2017-7921: Hikvision auth slip-up.
- CVE-2021-36260: Command injection in the web server.
- CVE-2023-6895: OS command injection in intercom gear.
- CVE-2025-34067: Unauth RCE in security platform.
- CVE-2021-33044: Dahua auth bypass across products.
Patches exist for all. But let’s be real — how many exposed cams in Bahrain boardrooms or UAE malls are still running ancient firmware? Check Point deep-dived two: that Dahua bypass and the old Hikvision auth hole. Exploitation attempts from Iran infra since New Year’s. Waves match geo-heat.
And — here’s my unique angle, absent from the report — this mirrors WWII photo recon flights. Pilots snapped bridges, factories pre-bombing runs. Adjust for 2026: Bots pwn cams for live BDA, target tweaks mid-salvo. Iran’s not inventing; they’re digitizing old-school intel fusion. Bold call? Every intel shop will soon dashboard camera scan surges as missile precursor alerts. Mark it.
Short version: Hybrid war’s here. Cyber primes the guns.
Why Gulf States — And Cyprus? — In the Crosshairs
Israel? Obvious. But Qatar hosts U.S. bases. Bahrain’s Fifth Fleet home. Kuwait, UAE — all U.S. allies stacking arms against Iran. Cyprus? Turkish ties, Israeli intel outposts. Lebanon? Hezbollah turf, Iran’s proxy playground.
Missiles flew there too. Scans preceded. It’s recon blanket before kinetic punch.
But here’s the skepticism: Iran-nexus attribution holds — shared VPN/VPS fingerprints — yet no post-exploit chatter leaked. Are they in? Or just mapping? Either way, it spooked enough to spike alerts.
Data-driven truth: Spikes aren’t hype. They’re correlated to the hour with headlines. CENTCOM visits, airspace shutdowns, missile salvos. Correlation this tight screams causation in threat hunting.
Battle Damage Assessment via Backyard Cams
Remember June 2025’s 12-day Israel-Iran dust-up? Cameras compromised for BDA, likely mid-fight corrections. Now it’s playbook standard. Compromise cams — get eyes on impacts, adjust fire.
Pre-launch too? January scans say yes. Expect U.S., Israel, GCC now scraping IoT logs for Iranian IOCs. Mullvad egress? Red flag. Dahua probes? Evacuation drills.
Critique time: Check Point’s sharp, but they undersell the vendor blame. Hikvision, Dahua — Chinese giants — still ship vulns yearly. Patches? Sure. But why the persistence? Geopolitics — Iran loves it, customers lag patching. Corporate spin says ‘we fixed it.’ Reality: Millions exposed.
So. Patch. Segment. Air-gap critical cams if you can’t patch. Or become Iran’s free feed.
This intel shifts defenses. Track scans, not just launches.
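What "track scans" can look like on the defender's side, as an added example that is not from Check Point's report: a robust-baseline surge detector over perimeter firewall logs. The log format, port list, thresholds and sample lines are assumptions constructed for illustration (documentation IP ranges, no real indicators).

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Assumed camera-facing ports; adjust to your estate. 80/443 web UI, 554 RTSP,
# 8000 (Hikvision default service port), 37777 (Dahua default TCP port).
CAMERA_PORTS = {80, 443, 554, 8000, 37777}
# Hypothetical firewall log format used only for this example.
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ src=(\S+) dst=\S+ dport=(\d+)")

def daily_probe_stats(lines):
    """Return {day: (hits, distinct_sources)} for hits on camera ports."""
    hits, sources = Counter(), defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m or int(m.group(3)) not in CAMERA_PORTS:
            continue
        day, src = m.group(1), m.group(2)
        hits[day] += 1
        sources[day].add(src)
    return {d: (hits[d], len(sources[d])) for d in hits}

def surge_days(stats, k=5.0, floor=10):
    """Flag days whose hits exceed median + k*MAD across all days seen."""
    counts = [h for h, _ in stats.values()]
    if len(counts) < 3:
        return []  # too little history for a baseline
    med = median(counts)
    mad = median(abs(c - med) for c in counts) or 1.0  # avoid a zero band
    return sorted(d for d, (h, _) in stats.items()
                  if h >= floor and h > med + k * mad)

def build_sample_log():
    """Constructed data: a quiet week, then a burst on the last day."""
    lines = []
    for day in range(8, 15):
        n = 40 if day == 14 else 3 + day % 2
        for i in range(n):
            lines.append(
                f"2026-01-{day:02d}T09:{i:02d}:00Z src=203.0.113.{i % 25 + 1} "
                f"dst=192.0.2.10 dport={(37777, 8000)[i % 2]} action=deny")
        lines.append(f"2026-01-{day:02d}T10:00:00Z src=198.51.100.7 "
                     f"dst=192.0.2.20 dport=22 action=deny")
    return lines

if __name__ == "__main__":
    stats = daily_probe_stats(build_sample_log())
    for day in surge_days(stats):
        print(day, "hits=%d sources=%d" % stats[day])
```

The median/MAD baseline keeps one loud day from inflating its own threshold, which a mean and standard deviation would do; the distinct-source count helps separate a distributed wave from a single noisy scanner.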
Frequently Asked Questions
What vulnerabilities are Iranian hackers targeting in IP cameras?
Hikvision’s CVE-2017-7921 (auth flaw), CVE-2021-36260 (command injection), CVE-2023-6895 (OS command injection), CVE-2025-34067 (RCE); Dahua’s CVE-2021-33044 (auth bypass). All patched — update now.
How is Iran using hacked IP cameras in Middle East conflicts?
For battle damage assessment (BDA), operational support, possibly pre-missile targeting. Scans spike before launches in Israel, Gulf states.
Which countries saw Iranian IP camera targeting?
Israel, UAE, Qatar, Bahrain, Kuwait, Lebanon, Cyprus — all missile hot zones.