They're just mass scanning for known IoT ports. UPnP opens up the port for everyone. My port number is an example. This blogger found his camera opening up port 80 via UPnP:
Polling sounds the most likely. Note that previously compromised cameras can be used to perform tasks such as port scanning other IP addresses. They can also be used to compromise other devices in the home network.
https://www.pentestpartners.com/blog/hacking-the-aldi-ip-cct...
Also Brian Krebs examined that Foscam camera and found it enabled a P2P protocol and opened a port on the firewall using UPnP as well:
https://krebsonsecurity.com/2016/02/this-is-why-people-fear-...