Nation-States Use Compromised Surveillance Cameras for Targeting, Report Says

State actors are using compromised video surveillance cameras to support battle damage assessments or correct their missile targeting during the war in the Gulf region.

Check Point Research (CPR) observed intensified cyber-targeting of cameras during the first few hours of hostilities between the United States, Israel, and Iran. That included a sharp increase in exploitation attempts against IP cameras in Israel and other Gulf countries, especially the UAE, Qatar, Bahrain, and Kuwait. CPR traced the activity to different attack infrastructures attributed to Iran-affiliated threat actors, based on the servers and VPNs used to carry out the campaign.

Scanning activity targeted cameras such as Hikvision and Dahua, leveraging known vulnerabilities—including some that have been known and patchable since 2017—to take over devices and gain on-the-ground surveillance on potential targets.

CPR identified earlier periods of exploitation, including on 14 January, “coinciding with the peak of anti-regime protests in Iran, a period during which Iran anticipated potential action from the United States and Israel and temporarily closed its airspace.”

Similar Iranian targeting of cameras was seen during Israel’s 12-day war with Iran in June 2025. Director-General of the Israel National Cyber Directorate Yossi Karadi said last year that Islamic Republic forces took control of a street camera outside the Weizmann Institute of Science in Rehovot just before it struck the building with a ballistic missile.

Iran isn’t the only nation taking advantage of surveillance camera vulnerabilities, though. Israeli intelligence sources described to the Financial Times how they used real-time data from traffic cameras around Tehran to assemble an accurate picture of Iranian Supreme Leader Ali Khamenei’s routine before his assassination.

In 2025, more than 20 international agencies warned of a Russian state-sponsored campaign to hack into IP cameras at logistic and technology companies. “The threat actors used a variety of methods to gain access, including credential guessing, spearphishing for credentials, spearphishing delivering malware, and exploitations of other vulnerabilities,” Security Management reported.

Russian-linked cyber actors also hacked security cameras in Kyiv, Ukraine, to observe infrastructure targets and air defenses, Ukrainian officials warned in January 2024.

“The advantages of co-opting a civilian camera network are presence and expense,” Peter W. Singer, a military-focused researcher at the New America Foundation, told WIRED. “The adversary's already done the work for you. They've placed cameras all around a city."

Hacking cameras is cheaper and easier than relying on high-altitude drones or satellites, and it’s a stealthier method than drones, Singer said. Meanwhile, there are so many vulnerabilities for IoT devices like IP cameras that end users are unlikely to diligently stay on top of patching, leaving the door open for nation-state actors to take advantage.

Check Point Research provided five recommendations for defenders:

• Eliminate public exposure. Remove direct WAN access to cameras or NVRs; place them behind a VPN or zero-trust access gateway; block inbound port-forwards.
  
  
• Enforce strong credentials. Change default passwords on devices and enforce unique credentials.
  
  
• Patch management. Keep cameras and NVR firmware and management software updated. Updates from the manufacturers are readily available. Remove or replace end-of-life devices that no longer get security patches.
  
  
• Network segmentation. Isolate surveillance cameras on a dedicated VLAN with no lateral access to corporate or operational technology networks. Tightly control your outbound traffic.
  
  
• Monitoring and detection. Watch for repeated login failures or unexpected remote logins, as well as cameras initiating unusual outbound connections.