Iran’s Cyber-Enabled Kinetic Targeting: Amazon Details Coordinated Cyber–Physical Attacks
Amazon’s threat intelligence division has released new research revealing how Iranian state-linked groups have combined cyber intrusions with real-world military strikes


Amazon’s threat intelligence division has released new research revealing how Iranian state-linked groups have combined cyber intrusions with real-world military strikes — a tactic the company terms “cyber-enabled kinetic targeting.” The findings highlight a growing trend in modern warfare, where digital reconnaissance directly informs physical attacks.
Case Study 1: Imperial Kitten and Maritime Targeting
The first example involves Imperial Kitten, also known as Tortoiseshell — an advanced threat actor believed to operate on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC). Active since at least 2017, the group is known for long-term espionage efforts against military and defense organizations.
Amazon reconstructed a two-year timeline of activity:
December 2021: Imperial Kitten compromised a commercial ship’s Automatic Identification System (AIS), gaining visibility into critical maritime operations.
August 2022: The group expanded its access to additional vessel platforms, collecting real-time CCTV footage from at least one ship.
January 2024: The threat actor queried AIS location data for a specific vessel.
February 1, 2024: That same vessel was targeted in a missile strike by Houthi forces, Iran’s regional allies.
While the missile impact was ultimately ineffective, Amazon emphasizes that the sequencing shows a clear linkage between cyber reconnaissance and live fire operations.
Case Study 2: MuddyWater and CCTV Reconnaissance in Jerusalem
A second, more recent example involves MuddyWater, an Iranian group associated with the Ministry of Intelligence and Security (MOIS).
Amazon observed:
May 2025: MuddyWater provisioned infrastructure to support cyber operations.
June 17, 2025: The same systems were used to access a compromised server streaming live CCTV feeds from Jerusalem.
June 23, 2025: Iran launched a missile attack on the city.
Israeli authorities later warned that attackers had used hacked security cameras to adjust missile targeting, urging citizens to disconnect exposed surveillance devices.
Why Amazon Introduced New Terminology
Amazon argues existing language — such as cyber-kinetic operations or hybrid warfare — fails to capture the specificity of these campaigns.
Cyber-kinetic operations typically refer to cyberattacks that directly cause physical damage.
Hybrid warfare is too broad and includes economic, political, and psychological operations.
Amazon defines cyber-enabled kinetic targeting as:
Cyber operations intentionally designed to support or enhance physical military action.
The company warns that this tactic will grow more common across nation-state actors, as integrating digital intelligence with real-world force becomes a strategic multiplier.
Implications for Defenders
Amazon urges organizations to rethink their threat models:
Entities not traditionally considered high-value cyber targets may still be exploited for tactical intelligence, including camera footage, location data, or infrastructure access.
Defenders must strengthen intelligence sharing, monitoring, and cross-domain threat analysis.
Security teams should prepare for attacks where cyber compromise is not the end goal, but a preparation step for kinetic operations.
Amazon released these findings at CYBERWARCON, alongside recent reports on zero-day exploitation and large-scale malicious package campaigns.

