Iran has developed a unified cyber-kinetic war doctrine, using cyberattacks to enable physical strikes. Specifically, Iranian threat actors hack IP cameras from manufacturers like Hikvision and Dahua to conduct reconnaissance for missile targeting and battle damage assessment. This activity has intensified following recent conflicts and spans several countries. Beyond camera targeting, Iran's broader cyber retaliation includes attacks on industrial control systems, logistics sabotage, and DDoS campaigns. The integration of these cyber operations with kinetic warfare serves as both an early indicator and a force multiplier for physical attacks.
Iran's Cyber-Kinetic War Doctrine Takes Shape
Iran has been hacking IP cameras to plan missile strikes against its enemies, and mounting other attacks on physical assets, showing how cyber and kinetic warfare are fast becoming one in the same.
Following the US and Israeli attack on Iran on Feb. 28, Iran has unified cyber and kinetic attacks into a single doctrine.
Check Point Research on March 4 published research identifying intensified targeting of IP cameras against two manufacturers, attributed to Iranian threat actors. The attacks began Feb. 28, the day US and Israel missile strikes began. This, researchers said the activity "extends across Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus — countries that have also experienced significant missile activity linked to Iran."
The hacking occurring before the US/Israel attacks (IP camera targeting of Israel and Qatar in mid-January, apparently expectations of a US strike) and after (IP camera targeting specific areas in Lebanon) led Check Point Research to assess that Iran leverages camera compromise for operational support and battle damage assessment as it relates to missile launches. "As a result, tracking camera-targeting activity from specific, attributed infrastructures may serve as an early indicator of potential follow-on kinetic activity," the research read.
The actors are apparently targeting popular Hikvision and Dahua cameras with a number of authentication and command-related vulnerabilities. The bugs they use include CVE-2017-7921, CVE-2021-36260, CVE-2023-6895 for Hikivision ; and CVE-2025-34067 and CVE-2021-33044 in the case of Dahua. Patches for all vulnerabilities are available now.
Iran has a history of utilizing cameras to facilitate military action.
"We observed similar targeting patterns during the 12-day war between Israel and Iran in June 2025, likely to support battle damage assessment and/or targeting correction," according to Check Point. "One of the best-known cases occurred when Iran struck Israel’s Weizmann Institute of Science with a ballistic missile and had reportedly taken control of a street camera facing the building just prior to the hit."
Given the targeting of IP cameras last year and on an even wider basis now, Sergey Shykevich, threat intelligence group manager at Check Point Research, says the use of camera targeting to facilitate missile strikes "is part of Iranian war doctrine."
Iran's Ongoing Cyber Activity
It's worth noting this is not the only cyber activity Iran has conducted as part of its ongoing retaliation.
In an email, Flashpoint shared research with Dark Reading highlighting ongoing targeting of industrial control systems (ICS) in Israel and other countries; logistics sabotage (pro-Iranian actors reportedly breached the Jordan Silos and Supply General Company via phishing); and government entity targeting with DDoS attacks in places like UAE and Bahrain. That's in addition to other activity Flashpoint has tracked in recent days, including ongoing propaganda campaigns and missile strikes against data centers.
Adam Meyers, CrowdStrike's senior vice president of counter-adversary operations, says that as Tehran focuses on its kinetic response, "CrowdStrike has observed muted IRGC-linked retaliatory cyberattacks, which are limited in scope." The company has, however, seen a surge in pro-Iranian Russian hacktivism, including attacks targeting ICS, SCADA systems, and CCTV networks belonging to US-based entities.
"The timing of these unverified claims, coinciding with Operation Epic Fury, suggests [Iran's allies] likely began prioritizing US entities as targets," Meyers writes. "Western organizations should continue to remain on high alert for potential cyber-response as the conflict continues, and activity may move beyond hacktivism and into destructive operations."
Iran's Cyber-Kinetic Battlespace: Familiar, Yet Different
Although the use of cyberattacks in kinetic warfare are far from new in their own right (look to Russia's relentless targeting of industrial infrastructure as part of its invasion of Ukraine), Iran's activity represents a near total blend of the two.
Shykevich says that although there are several examples of the cyber-to-kinetic attack path during the Russia-Ukraine war, "it is not something very common, or at least not frequently publicly documented."
Alexander Leslie, senior advisor at Recorded Future, tells Dark Reading that from a strategic standpoint, cyber remains one of Iran's most scalable military options, especially as conventional operations are constrained.
"This is not a traditional linear conflict," Leslie says. "It is an integrated campaign in which kinetic operations, cyber effects, psychological operations, and economic coercion are sequenced. If you’re looking for a single decisive battlefield moment, you’ll miss the point. The strategy is to impose costs across domains, stretch air defenses, spike shipping and insurance risk, exploit cyber vulnerabilities, and flood the information environment so decisionmakers move before verification."
Kathryn Raines, cyber threat intelligence team lead for the National Security Solutions team at Flashpoint, tells Dark Reading that there's no doubt in her mind that "what we’re seeing in the Middle East right now isn’t an anomaly — it’s the new blueprint for modern warfare."
She adds, "We are firmly in the era of hybrid tactics, where traditional boundaries have completely collapsed. Cyber operations offer a low-cost, high-impact way to shape the physical battlespace, not to mention there’s an extremely low barrier to entry for hacktivists and other proxies wanting to get involved."
So, "things like hacking IP cameras for real-time battle-damage assessment or breaching a power grid to blind an adversary's air defenses just minutes before a missile barrage will become standard operating procedure."
Meridiano
