Executive Summary
In early 2026, nation-state actors, notably from Iran and Russia, intensified cyber operations targeting internet-connected surveillance cameras across the Gulf region and Eastern Europe. These actors exploited known vulnerabilities in IP cameras, such as those from Hikvision and Dahua, to gain unauthorized access. This access enabled real-time intelligence gathering, including monitoring military movements and assessing battle damage. The compromised devices were leveraged to support missile targeting and other strategic operations, significantly impacting regional security dynamics. (asisonline.org)
This incident underscores a growing trend where nation-states exploit unsecured IoT devices for espionage and military advantage. The proliferation of internet-connected cameras with inadequate security measures presents a substantial risk, highlighting the urgent need for robust cybersecurity practices and regulatory oversight to mitigate such threats.
Why This Matters Now
The increasing exploitation of unsecured IoT devices by nation-state actors for surveillance and military operations poses a significant threat to global security. Immediate action is required to enhance the security of internet-connected devices to prevent unauthorized access and potential misuse.
Attack Path Analysis
Adversaries exploited known vulnerabilities in internet-connected surveillance cameras to gain initial access. They escalated privileges by leveraging default credentials and unpatched firmware. Using compromised cameras, they moved laterally to access sensitive networks. Established command and control channels allowed remote surveillance and data exfiltration. Exfiltrated data provided real-time intelligence on targets. The impact included compromised national security and potential physical attacks.
Kill Chain Progression
Initial Compromise
Description
Adversaries exploited known vulnerabilities in internet-connected surveillance cameras to gain initial access.
Related CVEs
CVE-2026-1670
CVSS 9.8
A critical authentication bypass vulnerability in multiple Honeywell CCTV camera models allows unauthenticated attackers to access camera feeds and take over accounts by changing recovery email addresses.
Affected Products:
Honeywell I-HIB2PI-UL 2MP IP – 6.1.22.1216
Honeywell SMB NDAA MVO-3 WDR_2MP_32M_PTZ – v2.0
Exploit Status:
no public exploit
CVE-2025-31700
CVSS 8.1
A buffer overflow vulnerability in Dahua CCTV camera firmware allows unauthenticated remote attackers to execute arbitrary code by sending specially crafted network packets.
Affected Products:
Dahua IPC series – various models
Dahua SD series – various models
Dahua DH series – various models
Exploit Status:
proof of concept
CVE-2024-7029
CVSS 9.8
A command injection vulnerability in the 'brightness' function of AVTECH IP cameras allows remote code execution, enabling attackers to deploy malware such as the Mirai botnet variant 'Corona'.
Affected Products:
AVTECH IP cameras – various models
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Internet Accessible Device
Video Capture
Exfiltration Over Other Network Medium
Wireless Compromise
Wireless Sniffing
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Boundary Protection
Control ID: SC-7
PCI DSS 4.0 – System and Software Security
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Critical infrastructure IP cameras provide nation-state actors surveillance capabilities into government facilities, compromising national security through unencrypted traffic and inadequate segmentation controls.
Defense/Space
Military installations face severe risks from compromised IP cameras enabling adversary reconnaissance, requiring zero trust segmentation and encrypted traffic to prevent intelligence gathering operations.
Banking/Mortgage
Financial institutions' IP camera networks create attack vectors for nation-state surveillance and data exfiltration, necessitating enhanced egress security and multicloud visibility controls.
Health Care / Life Sciences
Healthcare facilities using IP cameras face HIPAA compliance violations and patient privacy breaches through nation-state surveillance, requiring comprehensive threat detection and anomaly response capabilities.
Sources
- Wartime Usage of Compromised IP Cameras Highlight Their Danger – https://www.darkreading.com/cyber-risk/wartime-usage-of-compromised-ip-cameras-highlight-their-danger
- Nation-States Use Compromised Surveillance Cameras for Targeting, Report Says – https://www.asisonline.org/security-management-magazine/latest-news/today-in-security/2026/march/camera-compromise-targeting/
- Honeywell CCTV cameras vulnerable to hijacking which allows hackers to crack passwords easily – https://www.techradar.com/pro/security/honeywell-cctv-cameras-vulnerable-to-hijacking-which-allows-hackers-to-crack-passwords-easily
- Hackers could take over millions of Dahua CCTV cameras because of two critical flaws - here's how to stay safe – https://www.techradar.com/pro/security/hackers-could-take-over-millions-of-dahua-cctv-cameras-because-of-two-critical-flaws-heres-how-to-stay-safe
- Mirai Botnet Exploits Zero-Day Vulnerability in AVTECH IP Cameras – https://www.adgm.com/documents/financial-crime-prevention-unit/cybercrime-prevention/20240830-cyber-security-council-alert-409.pdf
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the adversaries' ability to exploit surveillance cameras, thereby reducing their lateral movement and data exfiltration capabilities.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The adversaries' ability to exploit known vulnerabilities in surveillance cameras would likely have been constrained, reducing the risk of initial access through such devices.
Control: Zero Trust Segmentation
Mitigation: The adversaries' ability to escalate privileges by exploiting default credentials and unpatched firmware would likely have been constrained, reducing the risk of unauthorized access.
Control: East-West Traffic Security
Mitigation: The adversaries' ability to move laterally from compromised cameras to sensitive networks would likely have been constrained, reducing the risk of unauthorized access to critical systems.
Control: Multicloud Visibility & Control
Mitigation: The adversaries' ability to establish command and control channels for remote surveillance and data exfiltration would likely have been constrained, reducing the risk of data breaches.
Control: Egress Security & Policy Enforcement
Mitigation: The adversaries' ability to exfiltrate data providing real-time intelligence on targets would likely have been constrained, reducing the risk of sensitive information leakage.
The adversaries' ability to compromise national security and facilitate potential physical attacks would likely have been constrained, reducing the overall impact of the incident.
Impact at a Glance
Affected Business Functions
- Surveillance Operations
- Physical Security Monitoring
Estimated downtime: 3 days
Estimated loss: $50,000
Unauthorized access to live camera feeds and recorded footage, compromising sensitive surveillance data.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement from compromised devices.
- Enforce strong credentials and regular firmware updates to prevent privilege escalation.
- Deploy East-West Traffic Security to monitor and control internal network communications.
- Utilize Egress Security & Policy Enforcement to detect and block unauthorized data exfiltration.
- Establish Multicloud Visibility & Control to gain comprehensive insights into network activities.
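The segmentation and egress controls above rest on one observation: a surveillance camera has a very narrow legitimate traffic profile (stream to its video management server, sync time), so any other flow it initiates is a signal of compromise. The following is an added example, not part of the report or of any vendor product, that applies such a policy to flow records; all addresses, subnets and sample flows are constructed.

```python
# Added example (not from the report): flag camera-VLAN traffic that leaves the
# narrow profile a camera should have. Constructed addresses: cameras on
# 192.0.2.0/24, VMS at 198.51.100.10, NTP at 198.51.100.53, other internal 10/8.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

CAMERA_NET = ip_network("192.0.2.0/24")
INTERNAL_NETS = [CAMERA_NET, ip_network("198.51.100.0/24"), ip_network("10.0.0.0/8")]
# (destination, protocol, port) tuples a camera is allowed to initiate on its own.
ALLOWED = {
    (ip_address("198.51.100.10"), "tcp", 554),  # RTSP stream to the VMS
    (ip_address("198.51.100.53"), "udp", 123),  # NTP time sync
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    bytes_out: int  # bytes sent by src within this flow

def classify(flow: Flow) -> Optional[str]:
    # Alert label for a camera-initiated flow, or None when the flow is expected.
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in CAMERA_NET:
        return None  # not camera egress; outside this policy's scope
    if (dst, flow.proto, flow.dport) in ALLOWED:
        return None
    if any(dst in net for net in INTERNAL_NETS):
        return "lateral-movement"  # camera reaching other internal hosts
    if flow.proto == "tcp" and flow.dport in (80, 443) and flow.bytes_out > 1_000_000:
        return "possible-exfiltration"  # bulk upload to a public host
    return "unexpected-egress"  # any other public destination, e.g. a C2 beacon

def audit(flows: List[Flow]) -> Dict[str, str]:
    # Map 'src->dst:dport' of each offending flow to its alert label.
    alerts = {}
    for f in flows:
        label = classify(f)
        if label:
            alerts[f"{f.src}->{f.dst}:{f.dport}"] = label
    return alerts

# Constructed flow records: a normal RTSP stream, an SMB probe of another
# subnet, a bulk HTTPS upload to a public host, and a small beacon.
SAMPLE_FLOWS = [
    Flow("192.0.2.21", "198.51.100.10", "tcp", 554, 52_000_000),
    Flow("192.0.2.21", "10.20.30.40", "tcp", 445, 1_200),
    Flow("192.0.2.22", "203.0.113.7", "tcp", 443, 48_000_000),
    Flow("192.0.2.22", "203.0.113.9", "tcp", 8080, 600),
]
```

Traffic initiated by the VMS toward a camera is deliberately ignored, so the policy only fires on what the camera itself reaches out to.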