Following the US and Israeli kinetic strikes on Iran on February 28, threat intelligence indicates Iran has merged its digital and physical operations into a unified strategic framework.
Check Point Research published findings on March 4 detailing intensified unauthorized access campaigns against IP cameras from two major manufacturers, attributing the activity to Iranian threat actors. These campaigns began on February 28, aligning with the missile strikes. Researchers noted this activity "extends across Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus, countries that have also experienced significant missile activity linked to Iran."
The timeline of these unauthorized access campaigns—such as the targeting of IP cameras in Israel and Qatar in mid-January, and subsequent targeting in Lebanon, led Check Point to conclude that the threat actors use camera compromise for operational support and battle damage assessment. As noted in their report, "As a result, tracking camera-targeting activity from specific, attributed infrastructures may serve as an early indicator of potential follow-on kinetic activity."
To protect infrastructure against these campaigns, organizations should prioritize addressing known vulnerabilities in Hikvision and Dahua cameras. The threat actors focus on authentication and command-related issues, specifically CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, and CVE-2025-34067 in Hikvision devices, alongside CVE-2021-33044 in Dahua equipment. Patches for all listed vulnerabilities are available, and applying them is a primary defense against this surveillance capability.
The strategy of using compromised cameras to support physical military action has historical precedent. "We observed similar targeting patterns during the 12-day war between Israel and Iran in June 2025, likely to support battle damage assessment and/or targeting correction," Check Point reported. "One of the best-known cases occurred when Iran struck Israel’s Weizmann Institute of Science with a ballistic missile and had reportedly taken control of a street camera facing the building just prior to the hit." Sergey Shykevich, threat intelligence group manager at Check Point Research, stated that utilizing camera access to allow missile strikes "is part of Iranian war doctrine."
Broader operational activity
Beyond surveillance equipment, Iran-aligned actors maintain a wider spectrum of operational activity. Flashpoint shared research detailing ongoing targeting of industrial control systems (ICS) in Israel and other regions; logistics disruption, including unauthorized access to the Jordan Silos and Supply General Company via phishing; and distributed denial-of-service (DDoS) campaigns against government entities in the UAE and Bahrain. Flashpoint also tracks concurrent propaganda campaigns and kinetic strikes against data centers.
Adam Meyers, CrowdStrike's senior vice president of counter-adversary operations, observed that while Tehran directs its primary focus toward a kinetic response, "CrowdStrike has observed muted IRGC-linked retaliatory cyberattacks, which are limited in scope." However, CrowdStrike recorded an increase in pro-Iranian, Russian-aligned activist operations targeting ICS, SCADA systems, and CCTV networks at US-based organizations.
"The timing of these unverified claims, coinciding with Operation Epic Fury, suggests [Iran's allies] likely began prioritizing US entities as targets," Meyers wrote. "Western organizations should continue to remain on high alert for potential cyber-response as the conflict continues, and activity may move beyond hacktivism and into destructive operations."
An integrated strategic framework
While combining digital and physical operations is an established practice—seen extensively in Russia's ongoing targeting of industrial infrastructure in Ukraine, the current activity demonstrates a highly integrated approach. Shykevich noted that while digital-to-kinetic pathways exist in the Russia-Ukraine conflict, "it is not something very common, or at least not frequently publicly documented."
Alexander Leslie, senior adviser at Recorded Future, explained that digital operations remain one of Iran's most scalable military options, particularly when conventional capabilities face constraints.
"This is not a traditional linear conflict," Leslie stated. "It is an integrated campaign in which kinetic operations, cyber effects, psychological operations, and economic coercion are sequenced. If you're looking for a single decisive battlefield moment, you'll miss the point. The strategy is to impose costs across domains, stretch air defenses, spike shipping and insurance risk, exploit cyber vulnerabilities, and flood the information environment so decisionmakers move before verification."
Kathryn Raines, cyber threat intelligence team lead for the National Security Solutions team at Flashpoint, emphasized that "what we're seeing in the Middle East right now isn't an anomaly — it's the new blueprint for modern warfare."
She added: "We are firmly in the era of hybrid tactics, where traditional boundaries have completely collapsed. Cyber operations offer a low-cost, high-impact way to shape the physical battlespace, not to mention there's an extremely low barrier to entry for hacktivists and other proxies wanting to get involved. Things like hacking IP cameras for real-time battle-damage assessment or breaching a power grid to blind an adversary's air defenses just minutes before a missile barrage will become standard operating procedure."