Executive Summary
In early 2026, Iranian threat actors intensified cyber operations targeting internet-connected surveillance cameras across the Middle East, including Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus. These attacks, which began on February 28, coincided with missile strikes in the region, suggesting a coordinated effort to use compromised cameras for operational planning and battle damage assessment. The targeted devices, primarily from manufacturers Hikvision and Dahua, were exploited using known vulnerabilities, aligning with Iran's established military doctrine of integrating cyber and kinetic warfare. This incident underscores the evolving nature of cyber threats, where digital intrusions are increasingly used to support and enhance physical military operations. Organizations must recognize the strategic use of cyber capabilities in modern conflicts and bolster their defenses accordingly.
Why This Matters Now
The integration of cyber and kinetic operations by nation-states like Iran highlights the urgent need for organizations to secure their digital infrastructure, as cyber intrusions are increasingly used to facilitate and enhance physical attacks.
Attack Path Analysis
Iranian threat actors exploited vulnerabilities in IP cameras to gain unauthorized access, escalated privileges to control the devices, moved laterally to other networked systems, established command and control channels, exfiltrated sensitive data, and conducted missile strikes informed by the compromised surveillance footage.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited known vulnerabilities in Hikvision and Dahua IP cameras, such as CVE-2017-7921 and CVE-2021-33044, to gain unauthorized access to these devices.
Related CVEs
CVE-2017-7921
CVSS 9.8. An improper authentication vulnerability in Hikvision IP cameras allows remote attackers to gain unauthorized access.
Affected Products:
Hikvision IP Cameras – Various models
Exploit Status:
Exploited in the wild
CVE-2021-36260
CVSS 9.8. A command injection vulnerability in the web server of Hikvision products allows remote attackers to execute arbitrary commands.
Affected Products:
Hikvision Various Products – Various models
Exploit Status:
Exploited in the wild
CVE-2021-33044
CVSS 9.8. An authentication bypass vulnerability in Dahua products allows remote attackers to gain unauthorized access.
Affected Products:
Dahua Various Products – Various models
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Video Capture
Obtain Capabilities: Exploits
Gather Victim Network Information: IP Addresses
Compromise Infrastructure: Network Devices
Capture Camera
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Flaw Remediation
Control ID: SI-2
PCI DSS 4.0 – System and Software Security
Control ID: 6.2
ISO/IEC 27001 – Management of Technical Vulnerabilities
Control ID: A.12.6.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
CISA Zero Trust Maturity Model 2.0 – Asset Management
Control ID: Device Security
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Utilities
Critical infrastructure faces cyber-kinetic warfare targeting IP cameras, SCADA systems, and power grids for battle damage assessment and defensive blinding operations.
Telecommunications
Network infrastructure is vulnerable to encrypted-traffic exploitation and lateral movement attacks targeting the communication systems that support military and civilian operations.
Defense/Space
Military systems face integrated cyber-kinetic doctrine targeting surveillance cameras, industrial control systems, and data centers for operational intelligence gathering.
Oil/Energy/Solar/Greentech
Energy sector infrastructure is targeted through ICS/SCADA compromise and egress security breaches that enable operational disruption and battlespace preparation.
Sources
- Iran's Cyber-Kinetic War Doctrine Takes Shape: https://www.darkreading.com/threat-intelligence/iran-cyber-kinetic-war-doctrine
- Surge in Attacks on Surveillance Cameras Linked to Iranian Hackers: https://www.infosecurity-magazine.com/news/iran-attacks-surveillance-cameras/
- Vulnerable webcams, DVRs subjected to HiatusRAT intrusions: https://www.scworld.com/brief/vulnerable-webcams-dvrs-subjected-to-hiatusrat-intrusions
- Vulnerability Summary for the Week of March 24, 2025: https://www.cisa.gov/news-events/bulletins/sb25-090
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control channels, and exfiltrate sensitive data, thereby reducing the overall impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities in IP cameras would likely be constrained, reducing the chances of unauthorized access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely be constrained, reducing the scope of control over compromised devices.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network would likely be constrained, reducing access to additional systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely be constrained, reducing remote operation capabilities.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing data loss. The attacker's ability to leverage exfiltrated data for kinetic operations would likely be constrained, reducing the overall impact.
Impact at a Glance
Affected Business Functions
- Surveillance Operations
- Physical Security Monitoring
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of surveillance footage and unauthorized access to security systems.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Enforce strong authentication mechanisms and regular patch management for all devices.
- Deploy East-West Traffic Security controls to monitor and restrict internal communications.
- Utilize Multicloud Visibility & Control solutions to detect and respond to anomalous activities.
- Establish Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.