Iran-Linked Hackers Tracked Ship AIS Data Days Before an Attempted Real-World Missile Strike

Recent findings indicate that Iranian-linked threat actors are increasingly combining cyber operations with real-world military objectives, a practice Amazon calls cyber-enabled kinetic targeting. By using digital reconnaissance to support physical attacks, these groups are demonstrating a significant evolution in modern warfare where cyber and kinetic domains are no longer separate.

Blurring the Lines Between Cyber and Physical Attacks

Traditional security frameworks have treated digital threats and physical attacks as distinct. However, Amazon Integrated Security’s CISO, CJ Moses, emphasized that nation-state actors are leveraging cyber operations specifically to prepare for physical strikes. According to Moses, these operations are coordinated campaigns designed to deliver precise intelligence to facilitate kinetic attacks, rather than accidental digital incidents that cause collateral damage.

Case Study: Imperial Kitten and Maritime Reconnaissance

Amazon reported that the hacking group Imperial Kitten, also known as Tortoiseshell, and assessed as linked to Iran’s IRGC, conducted extensive cyber reconnaissance from December 2021 to January 2024. Their targets included ships’ Automatic Identification System (AIS) platforms, maritime vessel networks, and even CCTV cameras on vessels to collect real-time visual intelligence.

On January 27, 2024, Imperial Kitten performed targeted searches for AIS data of a specific ship. Just days later, Iranian-backed Houthi militants launched a missile attack on the same vessel, though the strike was unsuccessful. The Houthis have previously targeted commercial shipping in the Red Sea, supporting Palestinian militant operations against Israel. On February 1, 2024, they claimed to have struck the U.S. merchant ship KOI with several naval missiles.

This demonstrates how cyber reconnaissance can provide attackers with the precise intelligence needed to conduct targeted attacks on maritime infrastructure, which is critical for global commerce and military logistics.

Case Study: MuddyWater and Real-Time Visual Intelligence

Another Iran-linked threat actor, MuddyWater, reportedly connected to Iran’s Ministry of Intelligence and Security (MOIS), established cyber infrastructure in May 2025. A month later, this infrastructure was used to access live CCTV streams from Jerusalem to gather real-time intelligence on potential targets.

On June 23, 2025, coinciding with Iranian missile strikes on the city, Israel’s National Cyber Directorate noted that Iranian actors were attempting to access cameras to determine strike locations and improve missile precision. These multi-layered attacks demonstrate the integration of cyber espionage with kinetic military operations.

Obfuscation and Attribution Challenges

To evade detection and hinder attribution, threat actors routed their activity through anonymizing VPN services. This approach highlights how espionage-focused cyber attacks can directly support physical operations, making attribution and defense significantly more complex.