Cyber-related activities of two Iran-linked threat actors played key roles in subsequent high-profile missile strikes, according to Amazon’s Threat Intel team, which sees the incidents as indicative of increased use of cyber operations in support of kinetic attacks.
“We believe that cyber-enabled kinetic targeting will become increasingly common across multiple adversaries,” CJ Moses, CISO of Amazon Integrated Security, wrote in a blog post documenting the two incidents. “Nation-state actors are recognizing the force multiplier effect of combining digital reconnaissance with physical attacks. This trend represents a fundamental evolution in warfare, where the traditional boundaries between cyber and kinetic operations are dissolving.”
While not a new development in the age of hybrid warfare, the incidents documented by Amazon shed new light on how missile strikes in the Red Sea and Israel were directly supported by cyber espionage efforts to gather target reconnaissance.
Imperial Kitten hacks into maritime ship tracking system
One of the kinetic attacks Amazon was able to correlate to cyber operations occurred in early February 2024 when Houthi rebels launched missiles at a commercial vessel in the Red Sea as part of a campaign to disrupt shipping through the area.
The strike was unsuccessful, with US Central Command reporting on Feb. 1 that two Houthi-fired missiles impacted the water without hitting the ship, resulting in no injuries or damage reported. However, Amazon’s threat intelligence data now shows that an APT group known as Imperial Kitten searched Automatic Identification System (AIS) location data for that exact same vessel days prior.
Active since at least 2017, Imperial Kitten, also known as Tortoiseshell or TA456, is a threat actor believed to be part of Iran’s Islamic Revolutionary Guard Corps (IRGC). Over the years the group has targeted the maritime industry, including shipbuilding as well as shipping logistics organizations, alongside other industries such as defense, technology, telecommunications, and energy.
According to Amazon, the group compromised a vessel’s AIS platform in December 2021 and followed up with attacks in 2022 on additional vessel systems, including CCTV cameras aboard one ship.
AIS is an automatic tracking system that uses VHF radio to exchange information about a ship’s identification, position, speed, and course with shore stations as well as other vessels. Gaining access to a ship’s AIS platform would allow hackers to search for other vessels as well.
Because the Houthis are backed by Iran and a known APT linked to the Iranian government was seen searching AIS data for a specific vessel days before it was targeted in a Houthi-launched missile attack, Amazon believes the correlation is “unmistakable.”
“This case demonstrates how cyber operations can provide adversaries with the precise intelligence needed to conduct targeted physical attacks against maritime infrastructure — a critical component of global commerce and military logistics,” Amazon’s Moses said.
MuddyWater uses hacked CCTV cameras to help guide missiles
Amazon also found supporting threat intel evidence for another Iran-linked incident involving cyber espionage and missile strikes that has received some official confirmation.
After the US strikes against Iran’s nuclear sites in June, Iran retaliated by launching a barrage of missiles against Israel, targeting cities such as Tel Aviv and Jerusalem. A former Israeli cybersecurity official warned that Iranian operatives were trying to access private surveillance cameras to assess the impact of their strikes and improve their accuracy.
Israel’s National Cyber Directorate also confirmed to Bloomberg at around the same time that CCTV systems were increasingly targeted by Iranian hackers.
Amazon’s data shows that MuddyWater, a threat group linked to an Iranian company acting as a front for Iran’s Ministry of Intelligence and Security (MOIS), accessed a compromised server containing live CCTV streams from Jerusalem days before a widespread Iranian missile attack against the city.
Access to the compromised CCTV server was achieved via server infrastructure that MuddyWater had set up in May for its cyber operations, showing a direct link to the group.
The targeting of CCTV cameras for intelligence gathering in support of military operations is not unique to Iran. In May 2024, intelligence agencies from the US and multiple NATO countries warned in a joint advisory that Russia’s military intelligence agency, the GRU, hacked into cameras at key locations, such as near border crossings, military installations, and rail stations, in Ukraine and neighboring countries. The goal was to track the movement of materials into Ukraine as part of aid shipments.
“For the cybersecurity community, this research serves as both a warning and a call to action,” Amazon’s Moses said. “Defenders must adapt their strategies to address threats that span both digital and physical domains. Organizations that historically believed they weren’t of interest to threat actors could now be targeted for tactical intelligence.”
Amazon suggests that organizations expand their threat modeling to consider how their compromised IT systems could be used to support physical attacks. This applies especially to operators of critical infrastructure, maritime systems, urban surveillance networks, and other data sources that could be used to aid targeting in kinetic operations. The company has coined the term “cyber-enabled kinetic targeting” for cyber operations whose goal is to facilitate and enhance kinetic military operations.