Digital Reconnaissance: Iran-Aligned Hackers Target Middle Eastern Surveillance Cameras Ahead of Possible Strikes
Researchers at Check Point say that since hostilities began on February 28, a group of Iran-linked threat actors has been scanning the internet for exposed surveillance cameras across Israel and several other Middle Eastern countries. According to Sergey Shykevich, Threat Intelligence Group Manager at Check Point Research, the company has observed hundreds of exploitation attempts against the firmware of two major IP camera manufacturers, Hikvision and Dahua.
The targeted countries include Israel, Qatar, Bahrain, Kuwait, the United Arab Emirates, Cyprus and Lebanon. Check Point notes that these overlap with regions that have recently seen Iran-linked missile activity, and that Iranian state actors have a track record of using cyberespionage, including access to municipal camera networks, to support kinetic operations. As an example, Check Point points to June 2025, when groups tied to Iran's Ministry of Intelligence and Security took over servers hosting live CCTV feeds from Jerusalem; rocket strikes on the city followed days later.
In a new report published Wednesday, Check Point described the current interest in surveillance cameras by "several actors aligned with Iran" as a possible precursor to further physical escalation. The attackers' infrastructure combined commercial VPN services (Mullvad, ProtonVPN, Surfshark and NordVPN) with rented virtual private servers. Their scanning was limited to Hikvision and Dahua devices; no attempts against other brands were observed.
Check Point lists the vulnerabilities being used in these attempts: an authentication bypass in Hikvision firmware (CVE-2017-7921), command injection in the Hikvision web component (CVE-2021-36260) and in the Hikvision Intercom Broadcasting System (CVE-2023-6895), unauthenticated remote code execution in the Hikvision Integrated Security Management Platform (CVE-2025-34067), and an authentication bypass affecting a range of Dahua devices (CVE-2021-33044). Vendor patches are available for all of them; several are years old, so their continued use points at unpatched, internet-exposed devices rather than new tradecraft.
Security researchers saw similar tactics during the twelve-day conflict between Israel and Iran in June 2025, when compromised camera feeds were reportedly used for post-strike battle damage assessment. Check Point cites the strike on the Weizmann Institute of Science, which was reportedly hit by a ballistic missile shortly after a street-facing camera overlooking the building was compromised.
Check Point's recommendations are straightforward: update camera firmware and management software to the latest versions; remove direct internet access to the cameras; put them on a dedicated VLAN with no route to corporate or other internal networks; and monitor for repeated authentication failures and unusual remote access. Shykevich said Check Point has not yet seen attacks on U.S. targets, but the company expects hostilities could escalate in the coming days or weeks.
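The last recommendation, monitoring for repeated authentication failures and anomalous remote access, is the one a defender can put into practice in an afternoon. The following is an added example, not code from Check Point or from the camera vendors: a small detector run over constructed camera access-log lines. The log format, the management subnet (10.20.0.0/24) and the burst threshold (5 failures within 5 minutes) are assumptions; a real deployment would use the camera's actual syslog format and the organisation's own allowlist.

```python
"""Added example (not from the Check Point report or any vendor).
Flags (1) bursts of failed camera logins from one source and
(2) successful logins from outside an assumed management subnet,
which is the "anomalous remote access" a direct-internet or VPN-exit
address would produce against a camera that should only be reachable
from its own VLAN."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed log format: "<ISO timestamp> <camera> auth <ok|fail> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<cam>\S+) auth (?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed policy: only this subnet may log in to cameras.
MANAGEMENT_NET = ipaddress.ip_network("10.20.0.0/24")
FAIL_THRESHOLD = 5              # this many failures ...
WINDOW = timedelta(minutes=5)   # ... inside this sliding window from one source

# Constructed sample log (not real data). 203.0.113.7 brute-forces one camera and
# gets in; 10.20.0.15 is an operator mistyping a password; 198.51.100.9 fails
# slowly; the last line is an unrelated kernel message that must be ignored.
SAMPLE_LOG = """\
2026-03-04T10:00:01 cam-lobby-01 auth fail user=admin src=203.0.113.7
2026-03-04T10:00:02 cam-lobby-01 auth fail user=admin src=203.0.113.7
2026-03-04T10:00:03 cam-lobby-01 auth fail user=admin src=203.0.113.7
2026-03-04T10:00:04 cam-lobby-01 auth fail user=admin src=203.0.113.7
2026-03-04T10:00:05 cam-lobby-01 auth fail user=admin src=203.0.113.7
2026-03-04T10:00:06 cam-lobby-01 auth fail user=admin src=203.0.113.7
2026-03-04T10:00:07 cam-lobby-01 auth ok user=admin src=203.0.113.7
2026-03-04T10:05:00 cam-gate-02 auth fail user=operator src=10.20.0.15
2026-03-04T10:05:09 cam-gate-02 auth ok user=operator src=10.20.0.15
2026-03-04T10:10:00 cam-gate-02 auth fail user=admin src=198.51.100.9
2026-03-04T10:20:00 cam-gate-02 auth fail user=admin src=198.51.100.9
2026-03-04T10:30:00 cam-gate-02 auth fail user=admin src=198.51.100.9
Mar  4 10:31:00 cam-gate-02 kernel: link up
"""


def parse(lines):
    """Turn matching log lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "cam": m["cam"],
            "result": m["result"],
            "user": m["user"],
            "src": ipaddress.ip_address(m["src"]),
        })
    return events


def bruteforce_sources(events):
    """Return {src: peak_failures} for sources with >= FAIL_THRESHOLD failures in WINDOW."""
    fails = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # sort so out-of-order delivery is harmless
        if e["result"] == "fail":
            fails[str(e["src"])].append(e["ts"])
    hits = {}
    for src, times in fails.items():
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= FAIL_THRESHOLD:
            hits[src] = peak
    return hits


def anomalous_logins(events):
    """Successful logins from outside MANAGEMENT_NET, as (src, camera, user) tuples."""
    return [(str(e["src"]), e["cam"], e["user"])
            for e in events
            if e["result"] == "ok" and e["src"] not in MANAGEMENT_NET]


def analyse(text):
    events = parse(text.splitlines())
    return {"bruteforce": bruteforce_sources(events),
            "anomalous": anomalous_logins(events)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the sample, the detector reports 203.0.113.7 as a brute-force source (6 failures in 6 seconds) and flags its subsequent successful login as anomalous; the operator's single typo from the management subnet and the slow, spread-out failures from 198.51.100.9 stay below threshold. Since the report ties the scanning infrastructure to commercial VPN exits and rented VPS hosts, the natural next step is to enrich flagged sources against the organisation's own list of known VPN and hosting ranges before paging anyone.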
Overall, Check Point assesses that most Iranian cyber activity in the current conflict remains focused on Israel and the Gulf states, mainly in the form of disinformation campaigns, cyberespionage and distributed denial-of-service (DDoS) attacks run by numerous "hacktivist" groups. Some state-backed units are capable of genuinely destructive operations, but participants in these campaigns often exaggerate their results to maximise psychological and public impact.
A separate concern, according to Justin Moore, Senior Manager at Palo Alto Networks' Unit 42, is a rise in pro-Russian hacktivist activity over the past week. Unit 42 believes this alignment broadens the regional attack surface and raises the likelihood of destructive attacks of the kind previously directed at NATO and European institutions.