Full Report
Threat actors with ties to Iran engaged in cyber warfare as part of efforts to facilitate and enhance physical, real-world attacks, a trend that Amazon has called cyber-enabled kinetic targeting. The development is a sign that the lines between state-sponsored cyber attacks and kinetic warfare are increasingly blurring, creating the need for a new category of warfare, the tech giant's
Analysis Summary
# Threat Actor: Imperial Kitten (aka Tortoiseshell)
## Attribution & Identity
* **Primary Attribution:** Assessed to be affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC).
* **Aliases:** Tortoiseshell.
## Activity Summary
* **Cyber-Enabled Kinetic Targeting:** Imperial Kitten was observed conducting digital reconnaissance specifically designed to support physical military objectives, part of a trend Amazon terms "cyber-enabled kinetic targeting."
* **Maritime Reconnaissance (Dec 2021 - Jan 2024):** Engaged in digital reconnaissance targeting ships' **Automatic Identification System (AIS)** platforms to gain access to critical shipping infrastructure.
* **Intelligence Gathering (Jan 27, 2024):** Carried out targeted searches for AIS location data of a specific shipping vessel.
* **Subsequent Kinetic Event:** Days later, that same vessel was targeted by an unsuccessful missile strike carried out by Iranian-backed Houthi militants.
* **Visual Intelligence:** Successfully gained access to CCTV cameras fitted on a maritime vessel to acquire real-time visual intelligence.
## Tactics, Techniques & Procedures
* Digital reconnaissance integrated with physical targeting.
* Exploiting/targeting AIS platforms.
* Gaining access to maritime vessel infrastructure (including CCTV).
* Performing targeted intelligence gathering on physical asset locations.
* Routing traffic through anonymizing VPN services to obscure origins.
## Targeting
* **Sectors:** Maritime/Shipping Infrastructure, critical infrastructure related to global commerce and military logistics.
* **Geography:** Not explicitly stated; inferred to involve the international shipping lanes targeted by Houthi militants (e.g., the Red Sea region).
* **Victims:** Specific maritime vessels and their associated digital platforms (e.g., AIS).
## Tools & Infrastructure
* *No specific malware families or infrastructure details were explicitly listed for Imperial Kitten in the provided text.* Traffic obscuration involved the use of **anonymizing VPN services**.
## Implications
* This activity demonstrates a clear blurring of lines between cyber warfare and kinetic warfare, showcasing how cyber capabilities are directly used to facilitate physical attacks (Cyber-enabled kinetic targeting).
* Espionage-focused attacks serve as a direct launchpad for kinetic targeting against critical infrastructure.
## Mitigations
* Implement enhanced monitoring and defense protocols for critical infrastructure controlling maritime/shipping assets (e.g., AIS systems).
* Develop detection capabilities for reconnaissance activities that precede physical attacks.
* Analyze network traffic for anomalies suggesting the use of anonymizing overlay networks (VPNs) for potential intelligence-gathering operations.
***
# Threat Actor: MuddyWater
## Attribution & Identity
* **Primary Attribution:** Linked to Iran's Ministry of Intelligence and Security (MOIS).
## Activity Summary
* **CCTV Intelligence Gathering (May - June 2025):** Established cyber network infrastructure in May 2025. A month later, this infrastructure was used to access a compromised server containing live CCTV streams originating from **Jerusalem**.
* **Intelligence for Kinetic Strikes:** This real-time visual intelligence was gathered around the time Iran launched widespread missile attacks; purportedly used to understand missile impact locations and improve future precision strikes.
## Tactics, Techniques & Procedures
* Establishing dedicated infrastructure for cyber network operations.
* Accessing compromised servers hosting live video feeds (CCTV).
* Gathering real-time visual intelligence of potential kinetic targets.
* Routing traffic through anonymizing VPN services.
## Targeting
* **Sectors:** Infrastructure related to Israeli strategic locations (implied by CCTV targets).
* **Geography:** Jerusalem (source of CCTV streams).
* **Victims:** Organizations hosting or providing access to live CCTV feeds in Jerusalem.
## Tools & Infrastructure
* *Specific malware not detailed, but dedicated server infrastructure was established in May 2025.* Traffic was routed through **anonymizing VPN services**.
## Implications
* Confirms that Iranian state actors (MOIS-linked) conduct cyber operations designed to directly refine the precision of kinetic missile attacks against high-value geopolitical targets.
* Cyber operations are being used for post-strike assessment to enhance future kinetic actions.
## Mitigations
* Monitor for network connections attempting to access or exfiltrate data from security camera streams or related infrastructure.
* Maintain heightened vigilance for suspicious infrastructure setup targeting high-value geographic regions.
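Both mitigation lists above (the AIS-focused one for Imperial Kitten and the CCTV-focused one for MuddyWater) amount to the same detection idea: spot reconnaissance-style access to vessel-position or camera-stream endpoints that arrives from anonymizing VPN exits. The Python below is an added example, not code from the Amazon report or from this summary. It parses a few constructed web-server access log lines and raises a finding for (a) repeated AIS position lookups for one vessel from a VPN exit and (b) any successful CCTV stream fetch from a VPN exit. The VPN exit ranges (RFC 5737 documentation networks), the `/api/ais/vessel/` and `/cameras/` paths, the MMSI values and the log lines are all constructed placeholders, not real provider data or real indicators.

```python
"""Added example: flag AIS-lookup and CCTV-stream access from VPN exits.

Everything below (IP ranges, endpoint paths, log lines) is constructed for
illustration; it is not data from the report this summary describes.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed "anonymizing VPN exit" ranges (documentation prefixes, assumption).
# In practice this list would come from a commercial or open VPN/proxy feed.
VPN_EXIT_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Sensitive endpoints on the monitored application (constructed paths).
# Each pattern has exactly one capture group naming the specific target.
SENSITIVE_PATHS = {
    "ais_lookup": re.compile(r"^/api/ais/vessel/(\d{9})"),       # MMSI
    "cctv_stream": re.compile(r"^/cameras/([\w-]+)/stream"),     # camera id
}

# Minimal Apache/NGINX-style access log parser.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: three repeated lookups of one vessel from a VPN exit,
# one benign lookup from a non-VPN address, and a camera stream pulled via VPN.
SAMPLE_LOG = """
203.0.113.7 - - [27/Jan/2024:09:14:02 +0000] "GET /api/ais/vessel/123456789 HTTP/1.1" 200 512
203.0.113.7 - - [27/Jan/2024:09:14:40 +0000] "GET /api/ais/vessel/123456789 HTTP/1.1" 200 498
203.0.113.7 - - [27/Jan/2024:09:15:11 +0000] "GET /api/ais/vessel/123456789 HTTP/1.1" 200 503
192.0.2.10 - - [27/Jan/2024:09:16:00 +0000] "GET /api/ais/vessel/987654321 HTTP/1.1" 200 510
192.0.2.10 - - [27/Jan/2024:09:16:30 +0000] "GET /about HTTP/1.1" 200 2048
198.51.100.22 - - [03/Jun/2025:22:41:09 +0000] "GET /cameras/bridge-cam-1/stream HTTP/1.1" 200 1048576
198.51.100.22 - - [03/Jun/2025:22:41:10 +0000] "GET /cameras/bridge-cam-1/stream HTTP/1.1" 401 0
"""
SAMPLE_LOG_LINES = SAMPLE_LOG.strip().splitlines()


def is_vpn_exit(ip: str) -> bool:
    """True if the address falls inside any configured VPN exit range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in VPN_EXIT_RANGES)


def parse_line(line: str):
    """Return a dict of ip/ts/method/path/status, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines, repeat_threshold: int = 3):
    """Aggregate per (ip, endpoint category, target) and apply two rules.

    Rule 1: >= repeat_threshold AIS lookups of the same vessel from a VPN exit
            (persistent interest in one ship's position).
    Rule 2: any successful (2xx) CCTV stream fetch from a VPN exit.
    """
    counts = defaultdict(int)
    successes = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for category, pattern in SENSITIVE_PATHS.items():
            m = pattern.match(rec["path"])
            if not m:
                continue
            key = (rec["ip"], category, m.group(1))
            counts[key] += 1
            if rec["status"].startswith("2"):
                successes[key] += 1

    findings = []
    for key, n in counts.items():
        ip, category, target = key
        if not is_vpn_exit(ip):
            continue  # both rules only fire for anonymized sources
        if category == "ais_lookup" and n >= repeat_threshold:
            reason = "repeated AIS position lookups for one vessel via VPN exit"
        elif category == "cctv_stream" and successes[key] > 0:
            reason = "successful CCTV stream access via VPN exit"
        else:
            continue
        findings.append({"ip": ip, "category": category, "target": target,
                         "count": n, "successes": successes[key], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG_LINES):
        print(f"[ALERT] {f['ip']} {f['category']} target={f['target']} "
              f"hits={f['count']} ok={f['successes']}: {f['reason']}")
```

The two rules are deliberately narrow: a single AIS lookup from a VPN address is ordinary for a public tracking site, so only persistent interest in one vessel is flagged, while a camera stream should essentially never be pulled through an anonymizer, so one success is enough. In a real deployment the VPN list, thresholds and paths would be tuned to the application, and the findings would feed a SIEM rather than stdout.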