Iran ramped up cyber operations as war broke out

March 10, 2026

Iran’s regime has intensified cyber operations across the Middle East in attacks that could pose risks for organisations in the UK.

Since the outbreak of the conflict between Iran, the United States and Israel, regime-backed hackers have increasingly exploited vulnerable CCTV cameras and other security systems across the region to gather intelligence and assess the impact of strikes.

A new analysis by Sibylline identifies a surge in Iranian cyber activity linked to the conflict, noting that compromised cameras and other internet-connected devices can provide real-time visibility over sensitive locations.

“What we are seeing is a clear link between cyber operations and kinetic attacks,” says Denise Schipani, analyst in cyber and geopolitical intelligence at Sibylline and author of the report.

“The cameras are likely being used to help inform and tailor retaliatory strikes.”

The findings highlight a growing link between cyber operations and battlefield activity, with digital intrusions used to support military operations rather than simply steal data or disrupt networks.

“Until very recently Iranian cyber activity was largely opportunistic and reactive,” Schipani says.

“The tactical use we are seeing now suggests a more organised capability than previously thought.”

While the activity is currently concentrated in the Middle East, analysts say organisations in Western countries – including the UK – could face limited cyber spillover, particularly where companies operate infrastructure or supply chains in the region.

Researchers say compromised cameras can allow attackers to monitor infrastructure, observe troop movements or assess the aftermath of missile and drone strikes.

The surge in attacks since the outbreak of the conflict has reinforced suspicions that Iranian cyber actors are using such systems to gather operational intelligence.

“The fact that we saw this uptick so soon after the war began helps confirm that link,” Schipani says. “There appears to be a direct connection between cyber activity targeting cameras and the wider military escalation.”

Security analysts say the majority of compromised devices appear to be located in countries that have also been targets of Iranian retaliatory activity during the conflict.

This pattern suggests the cameras are being used to help guide or assess strikes, effectively turning civilian surveillance systems into a network of remote observation points.

Many internet-connected cameras are poorly protected, often relying on default passwords or outdated software that can be easily exploited by attackers scanning the internet for vulnerable devices.

The use of such systems illustrates how modern conflicts increasingly blur the boundaries between civilian technology and military intelligence gathering.

Infrastructure originally installed to monitor buildings, industrial sites or public spaces can quickly become a source of battlefield information once it is compromised.

However, the broader global cyber threat posed by Iran may be more limited than some early warnings suggested.

“The takeaway from the data so far is that the scope of Iranian and pro-Iran cyber activity is far less globalised than many assessments initially predicted,” Schipani says.

Iranian cyber operations have historically focused on espionage campaigns and opportunistic disruptions targeting companies or government organisations.

While pro-Iran hacktivist groups remain active online, their campaigns typically focus on relatively low-level disruptive activity such as website defacement, distributed denial-of-service attacks and the release of stolen data.

“These groups tend to carry out disruptive activity such as data leaks, website defacement or denial-of-service attacks,” Schipani says. “But historically these operations remain relatively low level.”

Hacktivist activity linked to the conflict has primarily targeted organisations perceived as aligned with Western governments or Israeli interests.

Such attacks often aim to generate publicity or demonstrate political support rather than cause sustained operational damage.

However, analysts say some spillover risks remain possible for Western organisations, particularly those with operations or supply chains connected to the region.

Companies in the UK and United States could face opportunistic cyber activity linked to the wider conflict, though such incidents would likely remain limited in scope.

More sophisticated Iranian state cyber units are expected to focus primarily on espionage and intelligence gathering rather than highly destructive attacks on Western infrastructure.

Direct attacks on critical infrastructure in the US or Europe would risk triggering significant retaliation.

For now, analysts say Iran’s cyber activity appears closely tied to developments on the battlefield.

“The focus of the conflict remains the war on the ground,” Schipani says.

“But cyber operations are clearly becoming part of how that war is fought.”