Iranian-linked attackers are engaging in cyber warfare as part of efforts to facilitate and intensify real-world physical attacks, a trend Amazon refers to as cyber-enabled dynamic targeting.
The development shows that the line between state-sponsored cyberattacks and violent warfare is becoming increasingly blurred, necessitating a new category of warfare, the tech giant’s threat intelligence team said in a report shared with Hacker News.
While traditional cybersecurity frameworks have treated digital and physical threats as separate areas, CJ Moses, CISO at Amazon Integrated Security, said these boundaries are artificial and nation-state threat actors engage in cyber reconnaissance operations that enable dynamic targeting.
Moses added, “These are not just cyberattacks that happen to cause physical damage, but coordinated campaigns with digital operations specifically designed to support physical military targets.”
As an example, Amazon said it observed Imperial Kitten (also known as Tortoise Shell), a hacker group believed to be affiliated with the Iranian Islamic Revolutionary Guards Corps (IRGC), conducting digital reconnaissance from December 2021 to January 2024 targeting ships’ Automatic Identification System (AIS) platforms to gain access to critical transportation infrastructure.
The attacker was subsequently identified attacking additional maritime shipping platforms, and in one case even gained access to CCTV cameras mounted on maritime vessels, providing real-time visual information.
The attack progressed to a targeted intelligence gathering phase on January 27, 2024, when Imperial Kitten conducted targeted searches of AIS location data for specific transport vessels. Just days later, the same ship was the target of an unsuccessful missile attack by Iran-backed Houthi militants.
Houthi forces are believed to have been involved in a series of missile attacks on commercial ships in the Red Sea in support of the Palestinian militant group Hamas in its war with Israel. On February 1, 2024, Yemen’s Houthis claimed to have attacked a US merchant ship named KOI with “several appropriate naval missiles.”
“This incident shows how cyber operations can provide adversaries with the precise information they need to launch targeted physical attacks against maritime infrastructure, which is a critical component of global commerce and military logistics,” Moses said.
Another case study concerns MuddyWater, a threat actor associated with Iran’s Ministry of Intelligence and Security (MOIS), which established infrastructure for cyber network operations in May 2025 and then used that server a month later to access another compromised server containing live CCTV streams from Jerusalem and gather real-time visual intelligence of potential targets.
On June 23, 2025, around the time Iran launched a widespread missile attack on the city, Israel’s National Cyber Directorate revealed that “Iranians were trying to connect cameras to improve accuracy and understand what was happening and where the missiles hit.”
To carry out these multi-layered attacks, threat actors allegedly routed traffic through anonymizing VPN services, obscuring its true origin and complicating attribution efforts. This finding highlights that espionage-focused attacks may eventually become a launching pad for dynamic targeting.
“State actors are recognizing the force multiplier effect of combining digital reconnaissance with physical attacks,” Amazon said. “This trend represents a fundamental evolution in warfare, as the traditional boundaries between cyber and kinetic operations are dissolving.”
Source link
