Nation-State Actors Blur Lines Between Cyber Warfare and Physical Attacks: Amazon Research Reveals “Cyber-Enabled Kinetic Targeting”
A new era of warfare is emerging, where nation-state actors are increasingly leveraging cyber operations not just to disrupt, but to directly enable and enhance physical military objectives. Recent investigations by Amazon Threat Intelligence teams have uncovered a disturbing trend – what they’ve termed “cyber-enabled kinetic targeting” – signaling a fundamental shift in how conflicts are waged and demanding a reassessment of traditional cybersecurity strategies.
The research demonstrates that the long-held separation between digital and physical threats is becoming increasingly artificial. Multiple nation-state threat groups are now pioneering an operational model where cyber reconnaissance directly precedes and facilitates kinetic – or physical – attacks. “These aren’t just cyber attacks that happen to cause physical damage,” explained a senior Amazon researcher. “They are coordinated campaigns where digital operations are specifically designed to support physical military objectives.”
Amazon’s Unique Visibility into Emerging Threats
Amazon’s ability to identify and track these evolving tactics stems from its unique position within the global threat landscape. The company leverages a multi-faceted approach to threat intelligence, including:
- Threat intelligence telemetry: Amazon’s global cloud operations provide broad visibility into threats across diverse environments, bolstered by intelligence gathered from Amazon MadPot honeypot systems. These systems are designed to detect suspicious patterns, identify actor infrastructure, and map the network pathways used in these campaigns.
- Opt-in customer data: Real-world data about attempted threat actor activities is provided on an opt-in basis from enterprise environments, offering valuable insights into active threats.
- Industry partner collaboration: Threat intelligence sharing with leading security organizations and government agencies provides crucial context and validation for observed activities.
Through this comprehensive approach, Amazon can connect disparate data points that might otherwise remain invisible to individual organizations or even government agencies operating in isolation.
Case Study 1: Imperial Kitten’s Maritime Campaign
One striking example of cyber-enabled kinetic targeting involves Imperial Kitten, a threat group suspected of operating on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC). The timeline of their activities reveals a clear progression from digital reconnaissance to a physical attack:
- December 4, 2021: Imperial Kitten compromised a maritime vessel’s Automatic Identification System (AIS) platform, gaining access to critical shipping infrastructure. Amazon’s Threat Intelligence team identified the compromise and collaborated with the affected organization to remediate the security event.
- August 14, 2022: The threat actor expanded their maritime targeting to additional vessel platforms, including gaining access to CCTV cameras aboard a ship, providing real-time visual intelligence.
- January 27, 2024: Imperial Kitten began targeted searches for AIS location data for a specific shipping vessel, indicating a shift from broad reconnaissance to focused intelligence gathering.
- February 1, 2024: US Central Command reported a missile strike by Houthi forces against the exact vessel that Imperial Kitten had been tracking. While the missile strike was ultimately ineffective, the correlation between the cyber reconnaissance and the kinetic strike is undeniable.
This case vividly demonstrates how cyber operations can provide adversaries with the precise intelligence needed to conduct targeted physical attacks against critical maritime infrastructure – a vital component of global commerce and military logistics.
Case Study 2: MuddyWater’s Jerusalem Operations
The connection between cyber activity and kinetic targeting was even more direct in the case of MuddyWater, a threat group attributed by the US government to Rana Intelligence Computer Company, operating at the behest of Iran’s Ministry of Intelligence and Security (MOIS).
- May 13, 2025: MuddyWater provisioned a server specifically for cyber network operations, establishing the infrastructure needed for their campaign.
- June 17, 2025: The threat actor used this infrastructure to access a compromised server containing live CCTV streams from Jerusalem, providing real-time visual intelligence of potential targets within the city.
- June 23, 2025: Iran launched widespread missile attacks against Jerusalem. Simultaneously, Israeli authorities reported that Iranian forces were exploiting compromised security cameras to gather real-time intelligence and adjust missile targeting.
As reported by The Record, the timing was not coincidental. Israeli officials urged citizens to disconnect internet-connected security cameras, warning that Iran was exploiting them to “gather real-time intelligence and adjust missile targeting.”
Technical Infrastructure and Methods
Amazon’s research reveals a sophisticated technical infrastructure supporting these operations. Threat actors employ a multi-layered approach:
- Anonymizing VPN networks: Threat actors route their traffic through anonymizing VPN services to obscure their true origins and hinder attribution efforts.
- Actor-controlled servers: Dedicated infrastructure provides persistent access and command-and-control capabilities for ongoing operations.
- Compromised enterprise systems: The ultimate targets are enterprise servers hosting critical infrastructure, such as CCTV systems, maritime platforms, and other intelligence-rich environments.
- Real-time data streaming: Live feeds from compromised cameras and sensors provide actionable intelligence that can be used to adjust targeting in near real time.
Defining a New Category of Warfare
The research team argues that traditional frameworks are inadequate to describe these hybrid operations. “Cyber-kinetic operations” typically refers to cyber attacks that cause physical damage, while “hybrid warfare” is too broad, encompassing multiple types of warfare without a specific focus on cyber-physical integration. Amazon researchers therefore propose “cyber-enabled kinetic targeting” as a more precise term for campaigns where cyber operations are specifically designed to enable and enhance kinetic military operations.
Implications for Defenders
This research serves as a critical warning and a call to action for the cybersecurity community. Defenders must adapt their strategies to address threats that span both digital and physical domains. Organizations that previously believed they were not targets for nation-state actors may now be vulnerable due to the tactical intelligence they possess.
Key defensive measures include:
- Expanded threat modeling: Organizations must consider not just the direct impact of cyberattacks, but how compromised systems might be used to support physical attacks against themselves or others.
- Critical infrastructure protection: Operators of maritime systems, urban surveillance networks, and other infrastructure must recognize that their systems are valuable not just for espionage, but as potential targeting aids for kinetic operations.
- Intelligence sharing: The cases underscore the critical importance of threat intelligence sharing between private sector organizations, government agencies, and international partners.
- Attribution challenges: When cyber operations directly enable kinetic attacks, the attribution and response frameworks become more complex, potentially requiring coordination between cybersecurity, military, and diplomatic channels.
The researchers believe that cyber-enabled kinetic targeting will become increasingly common across multiple adversaries. Nation-state actors are recognizing the force multiplier effect of combining digital reconnaissance with physical attacks. This trend represents a fundamental evolution in warfare, where the traditional boundaries between cyber and kinetic operations are dissolving.
Indicators of Compromise
| IOC Value | IOC Type | First Seen | Last Seen | Annotation |
|---|---|---|---|---|
| 18[.]219.14.54 | IPv4 | 2025-05-13 | 2025-06-17 | MuddyWater Command and Control IP address |
| 85[.]239.63.179 | IPv4 | 2023-08-13 | 2025-09-19 | Imperial Kitten proxy IP address |
| 37[.]120.233.84 | IPv4 | 2021-01-01 | 2022-11-01 | Imperial Kitten proxy IP address |
| 95[.]179.207.105 | IPv4 | 2020-11-11 | 2022-04-09 | Imperial Kitten proxy IP address |
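The First Seen and Last Seen columns matter when hunting with these indicators: an IP address can change hands, so a log hit outside the listed window is weaker evidence than one inside it. The following is an added example, not code from Amazon or from the original article; it refangs the table's values and checks connection logs against each indicator's activity window. The four-field log format and the sample log lines are constructed assumptions.

```python
import ipaddress
from datetime import date

# IOC rows copied from the table above: (defanged value, first seen, last seen, annotation)
IOC_TABLE = [
    ("18[.]219.14.54", "2025-05-13", "2025-06-17", "MuddyWater Command and Control IP address"),
    ("85[.]239.63.179", "2023-08-13", "2025-09-19", "Imperial Kitten proxy IP address"),
    ("37[.]120.233.84", "2021-01-01", "2022-11-01", "Imperial Kitten proxy IP address"),
    ("95[.]179.207.105", "2020-11-11", "2022-04-09", "Imperial Kitten proxy IP address"),
]

def refang(value):
    """Turn a defanged indicator such as 18[.]219.14.54 back into a parsed IP."""
    return ipaddress.ip_address(value.replace("[.]", ".").strip())

def load_iocs(rows):
    """Map each IP to (first_seen, last_seen, annotation)."""
    return {refang(v): (date.fromisoformat(f), date.fromisoformat(l), note)
            for v, f, l, note in rows}

def match_logs(lines, iocs):
    """Return (line_no, ip, in_window, annotation) for each log line touching an IOC.
    Assumed (hypothetical) log format: 'YYYY-MM-DD src_ip dst_ip dst_port'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the hunt
        try:
            day = date.fromisoformat(parts[0])
            addrs = [ipaddress.ip_address(p) for p in parts[1:3]]
        except ValueError:
            continue
        for ip in addrs:  # check both directions: inbound and outbound
            if ip in iocs:
                first, last, note = iocs[ip]
                hits.append((n, str(ip), first <= day <= last, note))
    return hits

# Constructed sample log lines; local addresses are private/documentation ranges.
SAMPLE_LOG = [
    "2025-06-17 10.0.4.21 18.219.14.54 443",   # inside the listed window
    "2024-01-02 10.0.4.21 18.219.14.54 443",   # same IP, before First Seen
    "2022-03-01 95.179.207.105 10.0.9.8 554",  # inbound, inside the window
    "2025-06-17 10.0.4.21 192.0.2.10 443",     # unrelated address
    "garbage line",
]

if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOG, load_iocs(IOC_TABLE)):
        print(hit)
```

Hits with `in_window` set to `False` are still worth reviewing, but should be triaged as lower confidence than in-window matches.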
This research was presented at CYBERWARCON by David Magnotti, Principal Engineer, and Dlshad Othman, Senior Threat Intelligence Engineer, both of Amazon Threat Intelligence. The authors thank US Central Command for their transparency in reporting military activities and acknowledge the ongoing support of customers and partners in these critical investigations.
