Iranian Hackers Use Compromised Cameras for Regional Surveillance

Iranian cyber operations are expanding, focusing on US organizations and utilizing internet-connected cameras across the Middle East for intelligence and battlefield awareness.

Recent incidents linked to APT group MuddyWater, camera-focused infrastructure, and hacktivist group Handala reveal an operational yet constrained ecosystem. This group prioritizes persistence, visibility, and selective disruption over large-scale campaigns.

Since early February 2026, MuddyWater (Seedworm/Static Kitten) has maintained access to US and Canadian organizations, including a bank, an airport, non-profits, and a defense aerospace software supplier.

Research from Symantec and Carbon Black highlights a previously undocumented backdoor named Dindoor, using JavaScript runtime Deno to execute commands and maintain persistence. A separate Python-based backdoor, Fakeset, was also found on airport and non-profit networks.

Data theft was attempted via the Rclone utility to a Wasabi cloud bucket, indicating intelligence collection remains the primary objective rather than immediate disruption.

Cameras as regional ISR sensors

Meanwhile, Iranian-linked infrastructure escalated exploitation attempts against Hikvision and Dahua cameras in Israel and Gulf states starting February 28, 2026, coinciding with regional hostilities. Attacks targeted known vulnerabilities (CVEs) with available patches.

Compromised cameras in Israel, Qatar, Bahrain, Kuwait, the UAE, Lebanon, and Cyprus can provide real-time views of sensitive sites, enabling ISR, emergency response monitoring, and battle damage assessment.

Similar tactics were used in past Iran-Israel conflicts, showing Tehran views commercial IP cameras as an inexpensive reconnaissance tool.

On the disruptive side, Handala claimed a cyberattack against Stryker, a Fortune 500 medical tech company. Attackers allegedly abused Microsoft Intune to wipe devices en masse, forcing manual processes. Handala also claimed stealing 50 TB of data.

Cybersecurity firms tie Handala to Iran’s Ministry of Intelligence and Security (MOIS), positioning the group as a flexible proxy for deniable disruption.

A cyber ecosystem under strain

Iran’s cyber apparatus remains capable but faces infrastructure and command disruption from military strikes and sanctions. Tehran increasingly relies on pre-positioned access, commodity infrastructure, and proxies like Handala due to degraded centralized coordination.

Thus, MuddyWater holds persistent access quietly; Iran-linked operators use exposed cameras for ISR; and hacktivists execute high-impact disruption. Defenders must treat this persistent, adaptive threat as a sustained challenge.

wBaUhwhnx

Related Articles

Back to top button