Skip to content
.ca
sign in
4 mincritical

Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East

Iranian threat actors are actively exploiting vulnerabilities in Hikvision and Dahua IP cameras across the Middle East to support physical warfare operations. The compromised devices are utilized for battle damage assessment (BDA) and targeting correction during kinetic military operations, with exploitation spikes correlating closely with regional geopolitical events.

Sens:ImmediateConf:highAnalyzed:2026-03-03reports

Authors: Check Point Research

ActorsIran-nexus threat actors
HikvisionBDAIP CamerasIranDahua

Source:Check Point

Key Takeaways

  • Iran-nexus threat actors are actively targeting Hikvision and Dahua IP cameras across the Middle East (Israel, Qatar, Bahrain, Kuwait, UAE, Cyprus, Lebanon).
  • Compromised cameras are leveraged for operational support and battle damage assessment (BDA) for missile operations.
  • Attack infrastructure utilizes commercial VPN exit nodes (Mullvad, ProtonVPN, Surfshark, NordVPN) and virtual private servers (VPS).
  • Exploitation attempts closely align with geopolitical events, such as anticipated military strikes and regional tensions.
  • Multiple CVEs are being exploited, including authentication bypasses and command injections (e.g., CVE-2021-36260, CVE-2021-33044).

Affected Systems

  • Hikvision IP cameras and NVRs
  • Dahua IP cameras and NVRs

Vulnerabilities (CVEs)

  • CVE-2017-7921
  • CVE-2021-36260
  • CVE-2023-6895
  • CVE-2025-34067
  • CVE-2021-33044

Attack Chain

Threat actors utilize commercial VPNs and VPS infrastructure to scan for publicly exposed Hikvision and Dahua IP cameras. They exploit known vulnerabilities (such as CVE-2021-36260 and CVE-2021-33044) to bypass authentication or execute arbitrary commands on the devices. Once compromised, the cameras are used to monitor physical locations, providing battle damage assessment (BDA) and targeting support for kinetic military operations.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

EDR Visibility: None — IoT devices such as IP cameras typically do not support the installation of EDR agents, making endpoint-level visibility non-existent. Network Visibility: High — Exploitation attempts, scanning activity, and subsequent C2 communications from the cameras can be highly visible via network monitoring and firewall logs. Detection Difficulty: Moderate — While detecting exploitation requires network-level visibility and monitoring of IoT VLANs (which many organizations lack), the scanning patterns and use of known commercial VPN IPs are identifiable.

Required Log Sources

  • Firewall logs
  • Network flow logs
  • VPN access logs
  • Web Application Firewall (WAF) logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Look for unusual inbound connections to IP cameras from known commercial VPN exit nodes (Mullvad, ProtonVPN, Surfshark, NordVPN).Firewall logs, Network flow logsInitial AccessLow
Monitor for IP cameras initiating unexpected outbound connections to external IP addresses, indicating potential C2 communication or data exfiltration.Firewall logs, Network flow logsCommand and ControlLow
Identify repeated failed login attempts or unexpected remote logins to camera management interfaces.Application logs, Authentication logsInitial AccessMedium

Control Gaps

  • Lack of EDR support on IoT devices
  • Publicly exposed management interfaces
  • Unpatched legacy firmware on end-of-life devices

Key Behavioral Indicators

  • Unusual outbound traffic originating from IoT VLANs
  • Inbound traffic from commercial VPNs to IoT devices
  • Repeated login failures on camera interfaces

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Remove direct WAN access to cameras and NVRs.
  • Block inbound port-forwarding to camera devices.
  • Change default passwords and enforce unique credentials on all IP cameras.

Infrastructure Hardening

  • Place cameras behind a VPN or zero-trust access gateway.
  • Isolate cameras on a dedicated VLAN with no lateral access to corporate or OT networks.
  • Tightly control outbound traffic from cameras, allowing only required update or cloud endpoints.
  • Keep cameras, NVR firmware, and management software updated.
  • Remove or replace end-of-life devices that no longer receive security fixes.

User Protection

  • N/A

Security Awareness

  • Educate physical security and IT teams on the operational risks of publicly exposed IoT devices, especially during periods of heightened geopolitical tension.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1090 - Proxy
  • T1078.001 - Valid Accounts: Default Accounts

Related