Recent developments in the Middle East have highlighted a concerning rise in cyber attacks targeting internet-connected IP cameras. These attacks, reportedly linked to Iranian threat actors, have intensified since February 2026, posing a significant risk to regional security.
Escalating Cyber Threats in the Middle East
The cyber campaign began in late February 2026, with a noticeable increase in attempts to compromise IP cameras across several countries, including Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus. The attackers utilized commercial VPN services such as Mullvad, ProtonVPN, Surfshark, and NordVPN to obscure their origins, pointing to sophisticated planning and execution.
Check Point Research has been closely monitoring the situation, noting that these cyber activities are strategically timed with major geopolitical events. For instance, a significant spike in exploitation was recorded in January 2026, aligning with Iran’s temporary airspace closure over fears of a potential U.S. military operation.
Targeting High-Value Surveillance Devices
The primary targets of these cyber attacks are IP cameras produced by Hikvision and Dahua, two of the most widely deployed manufacturers in the region. These devices are integral to public surveillance and are found in critical infrastructure and commercial buildings, making them valuable for real-time intelligence gathering.
Exploitation attempts have not targeted cameras from other manufacturers, suggesting a deliberate focus on these particular brands. Such actions highlight the use of camera compromise as a tool in kinetic warfare, as evidenced during the June 2025 conflict between Israel and Iran, where compromised cameras were likely used for battle assessments.
Addressing Known Vulnerabilities
Check Point Research has identified five specific vulnerabilities being exploited in Hikvision and Dahua devices. These include CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067, and CVE-2021-33044, covering issues from improper authentication to remote code execution.
Despite the availability of patches for these vulnerabilities, many devices remain unpatched, exposing them to attacks. Organizations are advised to implement immediate security measures, such as removing cameras from direct internet access, updating firmware, and employing strong authentication practices.
To further mitigate risks, surveillance systems should be isolated on VLANs with restricted outbound communication. Continuous monitoring for suspicious activities is essential to safeguard against these persistent threats.
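The isolation policy described above can be verified against firewall flow logs rather than assumed. The following Python script is an added example, not code from the original article or from Check Point Research; the subnets, the NVR, NTP and syslog addresses, and the five-field log format are assumptions, and the sample log is constructed.

```python
import csv
import ipaddress
from io import StringIO

# Assumed addressing for illustration; replace with the site's own values.
CAMERA_VLAN = ipaddress.ip_network("10.20.30.0/24")   # camera VLAN
INTERNAL = ipaddress.ip_network("10.0.0.0/8")         # all internal space
NVR = ipaddress.ip_address("10.20.40.10")             # only host allowed to reach cameras
EGRESS_ALLOW = {("10.20.40.5", "udp", 123),           # internal NTP
                ("10.20.40.6", "udp", 514)}           # syslog collector

# Constructed sample flow log: ts,src,dst,proto,dport
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_FLOWS = """\
2026-03-01T10:00:01Z,10.20.40.10,10.20.30.21,tcp,554
2026-03-01T10:00:05Z,10.20.30.21,10.20.40.5,udp,123
2026-03-01T10:02:11Z,203.0.113.77,10.20.30.21,tcp,80
2026-03-01T10:02:40Z,10.20.30.21,198.51.100.9,tcp,443
2026-03-01T10:03:02Z,10.20.30.22,10.20.50.8,tcp,445
2026-03-01T10:04:00Z,10.20.50.8,10.20.60.1,tcp,443
"""

def audit_flows(text):
    """Return (ts, kind, src, dst, proto, port) for flows that break isolation."""
    findings = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, src, dst, proto, dport = row
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        port = int(dport)
        if d in CAMERA_VLAN and s not in CAMERA_VLAN:
            if s == NVR:
                continue  # recorder pulling video is expected
            # Anything else reaching a camera means it is exposed.
            kind = "inbound-internal" if s in INTERNAL else "inbound-external"
        elif s in CAMERA_VLAN and d not in CAMERA_VLAN:
            if (dst, proto, port) in EGRESS_ALLOW:
                continue
            # A camera initiating other traffic violates restricted egress.
            kind = "egress-lateral" if d in INTERNAL else "egress-external"
        else:
            continue  # flow does not cross the camera VLAN boundary
        findings.append((ts, kind, src, dst, proto, port))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

Any `inbound-external` finding means a camera is still directly reachable from the internet, and any `egress-*` finding means the VLAN's outbound restrictions are not being enforced.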
