Pierluigi Paganini
November 20, 2025
Iran-linked threat actors mapped ship Automatic Identification System (AIS) data shortly before an attempted missile strike, showing how Tehran-aligned groups use cyber operations to support and amplify real-world kinetic attacks.
The research demonstrates that the thin line between cyber warfare and traditional kinetic operations is rapidly blurring.
Amazon’s threat intel teams say nation-state actors are increasingly using cyber operations to support and enhance physical (kinetic) attacks, a trend they call cyber-enabled kinetic targeting.
“We’re seeing a fundamental shift in how nation-state actors approach warfare. These aren’t just cyber attacks that happen to cause physical damage; they are coordinated campaigns where digital operations are specifically designed to support physical military objectives.” reads the report published by Amazon.
In a first case described by Amazon experts, Iran-linked APT Imperial Kitten used cyber intrusions to support real-world maritime attacks. In December 2021 they breached a vessel’s AIS platform, and by August 2022 expanded their campaign, even accessing onboard CCTV for real-time intelligence. On January 27, 2024 they searched for AIS data on a specific ship, marking a shift to targeted tracking. Days later, on February 1, 2024, Houthi forces launched a missile strike on that same vessel. The case shows how cyber reconnaissance can directly enable precise kinetic attacks on maritime targets.
A second case described by the researchers, Iran-linked APT MuddyWater was involved in cyber ops supporting kinetic attacks. On May 13, 2025, it set up servers for its campaign. By June 17, it accessed another compromised server streaming live CCTV feeds from Jerusalem, gaining real-time intelligence. On June 23, Iran launched missile strikes on the city, while Israeli officials confirmed attackers used hacked cameras to adjust targeting. The case highlights how compromised surveillance systems can directly support physical attacks.
“The timing is not coincidental. As reported by The Record, Israeli officials urged citizens to disconnect internet-connected security cameras, warning that Iran was exploiting them to “gather real-time intelligence and adjust missile targeting.”” continues the report.
Amazon’s research shows Iranian-linked groups using layered cyber infrastructure to support physical attacks. They hide activity through anonymizing VPNs, use actor-controlled servers for persistent operations, and infiltrate enterprise systems like CCTV networks and maritime platforms to access high-value intelligence. Real-time data streams from compromised sensors enable attackers to adjust targeting during military strikes. Amazon introduces a new term, cyber-enabled kinetic targeting, to describe cyber operations that directly help and improve real-world military attacks, since existing terms don’t fully capture this.
“We believe that cyber-enabled kinetic targeting will become increasingly common across multiple adversaries.” concludes the report. “Nation-state actors are recognizing the force multiplier effect of combining digital reconnaissance with physical attacks. This trend represents a fundamental evolution in warfare, where the traditional boundaries between cyber and kinetic operations are dissolving.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, cyber-enabled kinetic targeting)
Security / November 19, 2025
Cyber Crime / November 19, 2025
