Threat actors with ties to Iran engaged in cyber warfare as part of efforts to facilitate and enhance physical, real-world attacks, a trend that Amazon has called cyber-enabled kinetic targeting.
The development is a sign that the lines between state-sponsored cyber attacks and kinetic warfare are increasingly blurring, necessitating the need for a new category of warfare, the tech giant’s threat intelligence team said in a report shared with The Hacker News.
While traditional cybersecurity frameworks have treated digital and physical threats as separate domains, CJ Moses, CISO of Amazon Integrated Security, said these delineations are artificial and that nation-state threat actors are engaging in cyber reconnaissance activity to enable kinetic targeting.
“These aren’t just cyber attacks that happen to cause physical damage; they are coordinated campaigns where digital operations are specifically designed to support physical military objectives,” Moses added.
As an example, Amazon said it observed Imperial Kitten (aka Tortoiseshell), a hacking group assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), conducting digital reconnaissance between December 2021 and January 2024, targeting a ship’s Automatic Identification System (AIS) platform with the goal of gaining access to critical shipping infrastructure.
Subsequently, the threat actor was identified as attacking additional maritime vessel platforms, in one case even gaining access to CCTV cameras fitted on a maritime vessel that provided real-time visual intelligence.
The attack progressed to a targeted intelligence gathering phase on January 27, 2024, when Imperial Kitten carried out targeted searches for AIS location data for a specific shipping vessel. Merely days later, that same vessel was targeted by an unsuccessful missile strike carried out by Iranian-backed Houthi militants.
The Houthi forces have been attributed to a string of missile attacks targeting commercial shipping in the Red Sea in support of the Palestinian militant group Hamas in its war with Israel. On February 1, 2024, the Houthi movement in Yemen claimed it had struck a U.S. merchant ship named KOI with “several appropriate naval missiles.”
“This case demonstrates how cyber operations can provide adversaries with the precise intelligence needed to conduct targeted physical attacks against maritime infrastructure – a critical component of global commerce and military logistics,” Moses said.
Another case study concerns MuddyWater, a threat actor linked to Iran’s Ministry of Intelligence and Security (MOIS), that established infrastructure for a cyber network operation in May 2025, and later used that server a month later to access another compromised server containing live CCTV streams from Jerusalem to gather real-time visual intelligence of potential targets.
On June 23, 2025, around the time Iran launched widespread missile attacks against the city, the Israel National Cyber Directorate disclosed that “Iranians have been trying to connect to cameras to understand what happened and where their missiles hit to improve their precision.”
To pull off these multi-layered attacks, the threat actors are said to have routed their traffic through anonymizing VPN services to obscure their true origins and complicate attribution efforts. The findings serve to highlight that espionage-focused attacks can ultimately be a launchpad for kinetic targeting.
“Nation-state actors are recognizing the force multiplier effect of combining digital reconnaissance with physical attacks,” Amazon said. “This trend represents a fundamental evolution in warfare, where the traditional boundaries between cyber and kinetic operations are dissolving.”
