Iranian Cyber-Kinetic Operations Targeting Surveillance and Communications Infrastructure
Reporting and analysis indicate Iranian threat actors have increasingly integrated cyber operations with kinetic objectives following the Feb. 28 U.S.-Israel strikes on Iran. Check Point Research assessed intensified targeting of IP cameras—notably devices from Hikvision and Dahua—across Israel and parts of the Gulf (including Qatar, Bahrain, Kuwait, the UAE, and Cyprus), with activity patterns suggesting use for operational support and battle damage assessment tied to missile launches; the research highlights that monitoring camera-targeting infrastructure may provide early warning of follow-on kinetic activity. Separately, commentary on Iranian cyber posture argues the apparent “quiet” is not simply loss of capability, describing a resilient, decentralized operating model and noting prior disruption to leadership and infrastructure (e.g., “Operation Epic Fury”) without eliminating Iran’s ability to conduct operations.
Additional reporting described U.S. Cyber Command participation in coordinated cyber/space actions intended to disrupt Iranian communications and sensor networks during the opening phase of hostilities, and cited claims (attributed to external reporting) that compromised traffic cameras and penetrated mobile networks were used to support real-time intelligence for targeting decisions in Tehran. Other items in the set cover unrelated law-enforcement actions against cybercrime services (e.g., takedowns of Tycoon2FA and LeakBase, and a Phobos ransomware guilty plea), a separate report on suspected DPRK-linked intrusions against cryptocurrency firms, and a general discussion of ransomware market dynamics post-LockBit; these do not materially add to the Iran cyber-kinetic camera/communications targeting narrative.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Iran-linked wiper campaign hits about 50 Israeli companies
During the current conflict, Iranian cyber operations reportedly included thousands of wiper attacks against Israeli targets, with Check Point saying roughly 50 Israeli companies were successfully compromised. Researchers described the activity as showing a new level of scale, effect, and sophistication alongside coordinated mass text messaging and camera-enabled targeting.
CrowdStrike assesses IRGC-linked retaliation as limited in scope
CrowdStrike assessed that IRGC-linked retaliatory cyberattacks following the strikes were relatively muted and limited in scope. At the same time, it observed increased pro-Iranian Russian hacktivist targeting of US entities’ ICS/SCADA and CCTV networks.
Flashpoint reports broader Iran-linked regional cyber activity
By early March 2026, Flashpoint highlighted additional Iran-linked activity including ICS targeting, alleged phishing-led logistics sabotage against Jordan’s silos and supply company, and DDoS attacks on government entities in the UAE and Bahrain. The reporting also referenced propaganda operations and missile strikes against data centers as part of a broader hybrid campaign.
Iran imposes a nationwide internet blackout
Iran responded by implementing a nationwide internet blackout, sharply limiting the duration and impact of the opposing cyber campaign. Analysis described the decisive cyber window as lasting only a few hours before connectivity was cut.
Compromised BadeSaba app used for psychological operations
During the campaign, push notifications were reportedly sent through the Iranian prayer app BadeSaba as part of cyber-enabled psychological operations. The compromise was also assessed as potentially valuable for intelligence collection because of the app’s location access.
Localized mobile disruption reported near Khamenei compound
In the same early operational window, localized disruption of mobile communications near Ali Khamenei’s compound reportedly hindered protective warnings during an assassination operation. The disruption was described as part of cyber support to kinetic action.
US and Israeli cyber operations disrupt Iranian communications and sensors
During the opening hours of the campaign against Iran, US and Israeli cyber operations reportedly disrupted communications and sensor networks to support time-sensitive kinetic targeting. Reporting cited compromised Tehran traffic cameras and penetrated mobile networks as sources of real-time intelligence.
Iranian-attributed camera targeting intensifies across the Middle East
Beginning February 28, 2026, Check Point Research observed intensified targeting of Hikvision and Dahua IP cameras in multiple Middle Eastern countries and Cyprus. The activity was assessed as supporting operational reconnaissance and battle-damage assessment for missile operations.
US and Israeli strikes on Iran trigger a new phase of hybrid operations
On February 28, 2026, US and Israeli strikes on Iran marked the start of a new phase in which cyber activity was described as being integrated with kinetic military action. Subsequent reporting framed this as an emerging Iranian cyber-kinetic doctrine.
Israel-Iran conflict features Iranian targeting of internet-connected cameras
During the June 2025 Israel-Iran conflict, Iranian operators were reported to target IP cameras in patterns later cited as an early example of cyber activity supporting military operations. One reported case said Iran controlled a street camera before a strike on Israel’s Weizmann Institute of Science.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Iran's hackers are on the offensive against the US and Israel - Ars Technica
arstechnica.com
Open sourceDecoding the Strategic Quiet of Iranian Cyber Groups
shieldworkz.com
Open sourceIran's Cyber-Kinetic War Doctrine Takes Shape
darkreading.com
Open sourceThe Four Hour Cyber War on Iran | Lawfare
lawfaremedia.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Iran-linked cyber activity escalates alongside Middle East hostilities, including IP camera targeting and DDoS campaigns
Iran-attributed cyber activity increased alongside escalating Middle East hostilities, with researchers reporting intensified targeting of internet-connected **IP cameras** across **Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus**, and later specific areas in **Lebanon**. Check Point assessed the activity as consistent with Iranian doctrine of leveraging compromised cameras for operational support and *battle damage assessment (BDA)* tied to missile operations, noting that tracking camera-targeting infrastructure may provide early warning of potential follow-on kinetic activity. Separately, Radware reported **149 Iran-linked DDoS attacks** observed between **Feb 28 and Mar 2**, largely aimed at **government entities in the Middle East**, and attributed most activity to three hacktivist groups: **Keymous+**, **DieNet**, and **Conquerors Electronic Army**. Additional OSINT-driven infrastructure analysis described broader Iranian state-aligned clustering using indicators such as **ASN patterns** and **TLS fingerprints** to map suspected operational infrastructure, while commentary from industry sources emphasized that **destructive “wiper” malware** remains a key concern (citing families including **ZeroCleare**, **Meteor**, **Dustman**, **DEADWOOD**, and **Apostle**). A separate ransomware “monthly state” roundup and a detection-engineering newsletter were not specific to this Iran/Middle East activity and do not materially support the incident reporting.
Mar 21, 2026
Iran-Linked Cyber Activity Escalates Amid Middle East Conflict
Iran-nexus cyber activity intensified alongside regional military escalation, with multiple reporting streams describing both opportunistic and targeted operations. Check Point Research observed a coordinated campaign to compromise internet-connected **IP cameras** across Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus, with spikes in exploitation attempts aligning to geopolitical events; activity was traced to infrastructure linked to Iran-nexus actors using commercial VPN exit nodes (e.g., *Mullvad*, *ProtonVPN*, *Surfshark*, *NordVPN*) and VPS infrastructure to mask origin, and the most targeted vendors were **Hikvision** and **Dahua**. Separately, Symantec reported **Seedworm** (*MuddyWater/Temp Zagros/Static Kitten*) activity on multiple U.S. and Canadian organizations beginning in February 2026, including a U.S. bank, airport, non-profit, and the Israeli operations of a U.S. software supplier to defense/aerospace; Symantec identified a previously unknown backdoor dubbed **Dindoor** (leveraging the *Deno* runtime) and a Python backdoor **Fakeset**, with malware signed using certificates issued to “**Amy Cherne**” (and in some cases “**Donald Gay**”), and noted attempted data exfiltration using **Rclone** to a *Wasabi* cloud storage bucket. Additional coverage indicates broader pro-Iranian cyber activity but is less specific to the above intrusions. ASEC’s weekly “Ransom & Dark Web Issues” roundup flags **pro-Iranian/pro-Islamist hacktivist** attacks against Middle Eastern and pro-Western targets, but provides limited technical detail in the excerpt. A podcast episode describing “Iran’s 12 days of cyber war” and global OT targeting (including *Unitronics* PLCs) is largely commentary and retrospective framing rather than a discrete, verifiable incident report, and two other items in the set (a Russia-linked **APT28** phishing/malware campaign in Ukraine and a China-nexus **UAT-9244** telecom intrusion set in South America) describe unrelated threat activity outside the Iran-focused escalation.
Mar 21, 2026
State-Linked Hacking of Traffic and Security Cameras to Support Kinetic Targeting in the Israel–Iran Conflict
Reporting indicates **state-linked operators are compromising or attempting to compromise internet-exposed traffic and security cameras** to support real-world military and intelligence operations in the Israel–Iran conflict. Multiple outlets cited by *Schneier on Security* describe **Israel hacking Iranian traffic cameras** to help track movements and assist in the killing of Iranian leadership, with broader context reportedly covered by *The New York Times* on the overall intelligence operation. Separately, *Risky Business* reports a **spike in scanning and exploitation attempts against Hikvision and Dahua cameras** across Israel and several Middle East countries (including Qatar, Bahrain, Kuwait, the UAE, and Cyprus), attributed to a group tied to the **Iranian government**. Check Point assessed the activity included attempts to exploit **older, known vulnerabilities**, and analysts believe the intent was to obtain street-level imagery for **targeting support, battle-damage assessment, and propaganda**; similar camera-focused activity was also noted during earlier periods of heightened tension and prior regional strikes, reinforcing camera compromise as an emerging, repeatable battlefield tactic.
Apr 2, 2026