Amazon’s threat intelligence experts have documented two cases showing how Iran leveraged hacking in preparation for physical strikes, in what the company calls ‘cyber-enabled kinetic targeting’.
The internet giant has shared information on two case studies observed in recent years that involved threat actors linked to Iran.
The first case study involved a threat group known as Imperial Kitten and Tortoiseshell. The threat actor, believed to be operating on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC) since at least 2017, is known for its long-term operations, as well as for targeting military and defense entities.
Using data from customers, partners, and its own threat intelligence systems, Amazon was able to piece together a timeline for an operation that spanned more than two years, progressing from digital spying to a physical attack.
According to Amazon, Imperial Kitten compromised a ship’s Automatic Identification System (AIS) platform in December 2021, gaining access to critical shipping infrastructure.
In August 2022, Imperial Kitten was seen hacking additional maritime vessel platforms, and in one case it collected real-time visual intelligence by accessing CCTV cameras on a ship.
In January 2024, the threat actor searched AIS location data for a certain ship. A few days later, on February 1, 2024, that vessel was targeted in a missile strike by Iran’s allied Houthi forces.
“While the missile strike was ultimately ineffective, the correlation between the cyber reconnaissance and kinetic strike is unmistakable,” Amazon pointed out.
The second case study presented by Amazon is more recent and involves MuddyWater, a threat group linked by US Cyber Command to the Iranian Ministry of Intelligence and Security (MOIS).
The hackers were observed provisioning a server for what Amazon described as “cyber network operations” in mid-May 2025. Less than one month later, on June 17, the threat actor leveraged the same server infrastructure to access a compromised server used for live CCTV streams from Jerusalem.
Researchers believe this was used to collect real-time visual intelligence of potential targets in the city in preparation for a June 23 missile attack launched by Iran.
Israeli authorities warned on the same day that Iran had leveraged hacked security cameras to adjust missile strikes, urging citizens to disconnect internet-exposed cameras.
Amazon has coined the term ‘cyber-enabled kinetic targeting’ because it believes current terminology is not specific enough for these types of attacks. The company noted that ‘cyber-kinetic operations’ are cyberattacks that cause physical damage, while ‘hybrid warfare’ is too broad.
“Amazon researchers suggest cyber-enabled kinetic targeting as a more precise term for campaigns where cyber operations are specifically designed to enable and enhance kinetic military operations,” Amazon explained.
The company added, “We believe that cyber-enabled kinetic targeting will become increasingly common across multiple adversaries. Nation-state actors are recognizing the force multiplier effect of combining digital reconnaissance with physical attacks. This trend represents a fundamental evolution in warfare, where the traditional boundaries between cyber and kinetic operations are dissolving.”
The findings were described on Tuesday in a blog post and in a presentation at the CYBERWARCON conference.
Amazon urged defenders to “adapt their strategies to address threats that span both digital and physical domains”.
“Organizations that historically believed they weren’t of interest to threat actors could now be targeted for tactical intelligence,” the company said. “We must expand our threat models, enhance our intelligence sharing, and develop new defensive strategies that account for the reality of cyber-enabled kinetic targeting across diverse adversaries.”
Amazon has been highly active in the threat intelligence space in recent days. The company has issued a warning about a financially motivated campaign involving 150,000 malicious NPM packages. It also revealed that two Cisco and Citrix product vulnerabilities had been exploited as zero-days.
Related: Iranian Hackers Target Defense and Government Officials in Ongoing Campaign
Related: Iranian APT Targets Android Users With New Variants of DCHSpy Spyware
Related: Iranian Hackers’ Preferred ICS Targets Left Open Amid Fresh US Attack Warning
