Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

Iran-linked Hikvision and Dahua surveillance camera targeting campaign

Campaign
First reported
Last updated
Happening score
H score 54
2 unique sources, 2 articles

Summary

Hide ▲

A coordinated campaign is targeting Hikvision and Dahua surveillance cameras across the Middle East, increasing the risk that compromised devices could support military planning and reconnaissance. The activity is linked to Iranian threat infrastructure and intensified on February 28, with additional targeting in Lebanon on March 1. The operation relies on commercial VPN exit nodes and virtual private servers and scans for known flaws such as CVE-2021-33044 and CVE-2017-7921. Patches exist, but exposed cameras remain attractive reconnaissance targets.

Related Happenings

Iran-linked proxy cyber-physical device scanning campaign

Campaign
First: 27.03.2026 16:42 Last: 27.03.2026 16:42 Sources 1

About this happening: Iran-linked proxies are **widening scans** for **vulnerable cyber-physical devices**, increasing the risk of opportunistic access across **specific countries** and the **private s...

Open Happening

Iran's network of traffic cameras hit by cyberattack

Incident
First: 27.03.2026 16:42 Last: 27.03.2026 16:42 Sources 1

About this happening: The **Iranian traffic-camera network** was reportedly **hijacked** and used to track **Ayatollah Ali Khamenei** before a deadly **air strike**, showing how connected surveillance...

Open Happening

Iran MOIS embeds cybercriminal services into offensive operations

Threat Actor Meta
First: 12.03.2026 23:11 Last: 12.03.2026 23:11 Sources 1

About this happening: **Iran's MOIS** is increasingly using the **cybercriminal underground** to support offensive operations, making attribution harder and raising the risk of **destructive activity**...

Open Happening

Hikvision and Dahua camera exploitation wave (active targeting)

Exploitation Wave
First: 06.03.2026 16:01 Last: 06.03.2026 16:01 Sources 1

How related: The bugs they use include CVE-2017-7921, CVE-2021-36260, CVE-2023-6895 for Hikivision ; and CVE-2025-34067 and CVE-2021-33044 in the case of Dahua.

About this happening: An **active exploitation wave** is targeting **Hikvision** and **Dahua IP cameras**, using multiple authentication and command-related flaws to compromise exposed devices. The wav...

Open Happening

MuddyWater U.S. network intrusion campaign targeting banks, airports, and a software company arm

Campaign
First: 06.03.2026 12:23 Last: 06.03.2026 12:23 Sources 1

About this happening: **MuddyWater (Seedworm)** is running a **state-linked intrusion campaign** that has embedded itself in **U.S. banks, airports, a non-profit, and an Israeli software company arm**,...

Open Happening

Timeline

  1. 04.03.2026 17:00 1 articles · 2mo ago

    Iran-linked Hikvision and Dahua surveillance camera targeting campaign

    Initial Disclosure

    Initial activity centered on **targeted scanning** on **January 14–15**. That early phase coincided with Iranian airspace restrictions and appears to have preceded the broader late-February surge.

    Show sources
    Open in new tab
  2. 04.03.2026 02:00 1 articles · 2mo ago

    Iran-linked camera targeting expands across the Middle East

    Campaign Scope Update

    Check Point Research reported on March 4 that Iranian threat actors intensified targeting of Hikvision and Dahua IP cameras across Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus. The activity used CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067, and CVE-2021-33044 and was assessed as supporting battle damage assessment and possible follow-on missile activity.

    Show sources
    Open in new tab