Multiple Iranian hacking crews have been targeting internet-connected surveillance cameras across Israel and other Middle Eastern countries since the war started on February 28, with Check Point security researchers tracking hundreds of attempts to exploit bugs in IP cameras made by Hikvision and Dahua.
As the military conflict reverberates through the region, the parallel cyber campaign underscores a troubling dimension of the broader confrontation. The countries targeted in these digital intrusion attempts—Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus, and Lebanon—are the same ones that have seen significant missile activity linked to Iran.
Iran has traditionally used digital reconnaissance, including compromised cameras, to prepare for physical attacks. As recently as June 2025, threat groups linked to Iran's Ministry of Intelligence and Security compromised servers containing live CCTV streams from Jerusalem, allowing planners to identify targets before missile launches.
The targeted vulnerabilities are well known, and patches exist for all of them. The flaws include an improper authentication vulnerability in Hikvision IP camera firmware, command injection vulnerabilities in web server components, OS command injection in Hikvision Intercom Broadcasting System, unauthenticated remote code execution in Hikvision's Integrated Security Management Platform, and an authentication bypass vulnerability in multiple Dahua products. The attack infrastructure combined commercial VPN exit nodes, including Mullvad, ProtonVPN, Surfshark, and NordVPN, with virtual private servers, which the Iranians used to scan for vulnerabilities in the two specific camera brands.
The activity from infrastructure attributed to several Iran-nexus threat actors may be an early indicator of potential follow-on kinetic activity, according to Check Point's threat intelligence report. This pattern mirrors operations observed during the June 2025 conflict between Israel and Iran.
Parallel to the cyber operations, Trump acknowledged that Mojtaba Khamenei, son of assassinated supreme leader Ali Khamenei, is the most likely successor while insisting he must be involved in picking Iran's next leader, telling reporters that most of the people the administration had in mind are dead.
The statement created immediate tension with Trump's own government. Defense Secretary Pete Hegseth and other US officials have denied that the goal of the operation is regime change, focusing instead on degrading Iran's missile capabilities, nuclear program and Navy. This contradiction between the president's public statements and his administration's official framing raised questions about what success looks like in the conflict.
For organisations across the region, the immediate concern is defending against active exploitation. Check Point has not observed attacks against US targets but assesses the campaign can expand in the upcoming days or weeks. Defenders should prioritise firmware updates for all Hikvision and Dahua systems, remove cameras from direct internet access, and isolate surveillance networks on dedicated VLANs with no access to corporate infrastructure. Monitoring for repeated login failures and unexpected remote logins should begin immediately.
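The monitoring step recommended above can be prototyped as in the sketch below. It is an added example, not code from Check Point or either camera vendor. The log format, camera names, management subnet and thresholds are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized format (not a vendor log):
# "<ISO timestamp> <camera> <source IP> <LOGIN_OK|LOGIN_FAIL> <user>"
SAMPLE_LOG = """\
2026-03-02T08:00:01 cam-lobby 10.20.30.5 LOGIN_OK admin
2026-03-02T08:14:10 cam-gate 203.0.113.77 LOGIN_FAIL admin
2026-03-02T08:14:12 cam-gate 203.0.113.77 LOGIN_FAIL admin
2026-03-02T08:14:15 cam-gate 203.0.113.77 LOGIN_FAIL root
2026-03-02T08:14:19 cam-gate 203.0.113.77 LOGIN_FAIL admin
2026-03-02T08:14:25 cam-gate 203.0.113.77 LOGIN_FAIL admin
2026-03-02T08:15:02 cam-gate 203.0.113.77 LOGIN_OK admin
2026-03-02T09:30:00 cam-dock 198.51.100.9 LOGIN_OK operator
"""

# Assumption: only hosts on this dedicated management VLAN should ever log in.
MGMT_NETS = [ipaddress.ip_network("10.20.30.0/24")]
FAIL_THRESHOLD = 5             # failures from one source against one camera
WINDOW = timedelta(minutes=5)  # sliding window for counting failures

def is_expected(ip):
    return any(ipaddress.ip_address(ip) in net for net in MGMT_NETS)

def detect(log_text):
    """Return (rule, camera, source_ip, timestamp) alerts in log order."""
    alerts, fails, bursting = [], defaultdict(list), set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of failing the whole run
        ts, cam, src, event, _user = parts
        when, key = datetime.fromisoformat(ts), (cam, src)
        if event == "LOGIN_FAIL":
            fails[key] = [t for t in fails[key] if when - t <= WINDOW] + [when]
            if len(fails[key]) >= FAIL_THRESHOLD and key not in bursting:
                bursting.add(key)  # alert once per burst, remember the pair
                alerts.append(("repeated_failures", cam, src, ts))
        elif event == "LOGIN_OK":
            if key in bursting:  # a success after a failure burst is the worst case
                alerts.append(("success_after_failures", cam, src, ts))
            if not is_expected(src):
                alerts.append(("unexpected_remote_login", cam, src, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

In a deployment the same rules would run over the NVR, camera or firewall logs actually collected, with the management subnet and thresholds set to match the isolated surveillance VLAN.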
The cyber campaign and the leadership succession question both reflect fundamental uncertainties about the conflict's endgame. Whether Iran develops new leadership capable of restraint, or whether regional cyber-physical integration becomes the new normal for Middle East conflicts, depends on choices being made in boardrooms and military command centres across three continents right now.