Iran Exploits Cyber Domain to Aid Kinetic Strikes
Recorded: Nov. 26, 2025, 10:02 a.m.
| Original | Summarized |
The country deploys "cyber-enabled kinetic targeting" prior to — and following — real-world missile attacks against ships and land-based targets.

Robert Lemos, Contributing Writer
November 26, 2025

Iranian advanced persistent threat (APT) groups have used cyberattacks for scoping out targets ahead of real-world attacks to improve operations, and following kinetic strikes to assess damage, making Iran the latest nation to blend cyberattacks and military operations, according to cyber-conflict experts.

In a Nov. 19 analysis, Amazon used data from its vast cloud network to connect the dots between cyber events and military operations, highlighting two cases where Iran used cyberattacks to perform reconnaissance on real-world targets — hacking ship systems before a missile attack and compromising CCTV cameras in Israel before and during missile attacks on Jerusalem. The threat actors used VPN networks, dedicated server infrastructure, and compromised corporate systems to construct their attack infrastructure.

Calling the strategy "a fundamental shift in how nation-state actors approach warfare," Amazon researchers termed the approach "cyber-enabled kinetic targeting."

"Traditional cybersecurity frameworks often treat digital and physical threats as separate domains, [but] research by Amazon demonstrates that this separation is increasingly artificial," the researchers stated in the analysis. "Multiple nation-state threat groups are pioneering a new operational model where cyber reconnaissance directly enables kinetic targeting."

Amazon is not the only company to warn of these attacks, and Iran is not the only country known to use them.

Most Iranian groups are likely trying to compromise devices to provide "on the ground" intelligence for Iran's military, says Sergey Shykevich, threat intelligence group manager for cybersecurity firm Check Point Software. During the 12-day war this past June, exploitation of vulnerabilities in IP cameras in Israel jumped by 15 times, he says.

"We know that most of that was connected to specific Iranian groups," Shykevich says. "We definitely saw a sharp increase in targeting of cameras in Israel."

Putting the Pieces Together

While other countries are likely using the same tactics, Amazon gained visibility into Iranian activities because of its in-depth view across its network and those of its customers. Amazon threat intelligence researchers used telemetry from honeypot systems to gain visibility into suspicious patterns, threat actors' infrastructure, and the topologies of command-and-control networks. Opt-in customer data and intelligence sharing from industry partners provided additional pieces that could be used to assemble the rest of the puzzle.

In one case, the researchers detected when Imperial Kitten, a group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), compromised the Automatic Identification System (AIS) platform for different maritime vessels, starting in December 2021. In some cases, the attackers gained access to CCTV cameras aboard the vessels. The activity continued, and in January 2024, the attackers focused on a specific vessel. Five days later, Houthi forces targeted the ship with a missile strike, which "was ultimately ineffective," the Amazon researchers stated in the analysis.

"This case demonstrates how cyber operations can provide adversaries with the precise intelligence needed to conduct targeted physical attacks against maritime infrastructure — a critical component of global commerce and military logistics," the threat researchers stated.

In a second incident, the researchers tracked the attempts by MuddyWater, a group linked to Iran's Ministry of Intelligence and Security (MOIS), to use livestreams from compromised CCTV servers in Jerusalem to help with targeting and damage assessment from a broad missile strike against the city.

Amazon separated cyber-enabled kinetic targeting from other blended forms of military operations, such as hybrid warfare — a term that is too broad — and cyber-kinetic operations — which usually applies to cyberattacks that cause real-world damage, the company's researchers said.

Blended Warfare

Other countries use cyber-enabled targeting, but likely not to the extent that Iran has or will. In Russia's invasion of Ukraine, "there was no statistically significant difference in targeting before and after the invasion," according to a paper on the Russo-Ukrainian war published by the Center of International and Strategic Studies (CSIS) in July 2023.

"The utility of cyber operations rests in setting conditions and intelligence more than in direct application during large-scale combat operations," the paper stated. "While cyber-enabled targeting supports combat, the data shows that larger cyber campaigns do not radically shift during wartime."

However, Iran has increasingly found itself isolated with fewer proxies willing to take action outside of its borders, says Alexis Rapin, a cyber-threat analyst with cybersecurity firm ESET. Israel's attacks on Hezbollah in Lebanon have weakened those allies of Iran, while the country had to pull forces out of Syria. As Iran continues to reinforce its network of proxies, cyber reconnaissance and espionage allow action-at-a-distance, he says.

"Cyber could be an alternative to compensate for this loss of visibility on the ground and, for instance, the loss of human [intelligence] sources," he says. "One of the added values of cyber espionage is that ... it enables near real-time monitoring of the situation."

Seeking those and other benefits, Iran will keep experimenting with what cyber can achieve, Rapin says. |
Iran’s strategic shift towards integrating cyber operations with kinetic military strikes represents a fundamental alteration in state-sponsored warfare. According to an analysis by Amazon researchers, this “cyber-enabled kinetic targeting” is characterized by a deliberate blurring of the lines between digital and physical threats. The report details two key instances where Iranian advanced persistent threat (APT) groups—Imperial Kitten and MuddyWater—leveraged cyberattacks to directly influence real-world military actions.

In the first incident, Imperial Kitten compromised the Automatic Identification System (AIS) platform of multiple maritime vessels, starting in December 2021, gaining access to CCTV cameras aboard the ships. This reconnaissance ultimately led to a missile strike five days later, orchestrated by Houthi forces, despite the attack being “ultimately ineffective,” according to the Amazon researchers. This case highlights the potential for cyber operations to provide adversaries with the precise intelligence required to conduct targeted physical attacks against critical infrastructure.

The second instance involved MuddyWater attempting to utilize livestream feeds from compromised CCTV servers in Jerusalem to aid targeting and damage assessment during a broader missile strike. This demonstrates a sophisticated effort to anticipate and react to military operations through real-time digital observation.

The researchers emphasized a broader trend—the increasing prevalence of nation-state actors pioneering a new operational model where cyber reconnaissance directly enables kinetic targeting. This approach contrasts with traditional cybersecurity frameworks that treat digital and physical threats as separate domains. Amazon’s investigation revealed that multiple APT groups were utilizing VPN networks, dedicated server infrastructure, and compromised corporate systems to construct their attack infrastructure.

Several experts have corroborated this assessment. Sergey Shykevich, a threat intelligence group manager at Check Point Software, noted a significant increase in targeting of cameras in Israel during the 12-day war, attributing this to Iranian groups. Alexis Rapin, a cyber-threat analyst at ESET, suggested that Iran's isolation—due to weakened proxies—has driven them to seek alternative intelligence gathering methods, stating that cyber espionage could compensate for the loss of human intelligence sources.

The Amazon researchers further distinguished this approach from other blended forms of warfare, like hybrid warfare, and cyber-kinetic operations (cyberattacks that cause direct physical damage). They emphasized a need to carefully disentangle these operations to fully understand the strategic implications.

The trend is not unique. A Center for International and Strategic Studies (CSIS) paper on the Russo-Ukrainian war found no statistically significant difference in targeting before and after Russia's invasion, suggesting that cyber operations are more effective at setting conditions and gathering intelligence rather than delivering immediate damage during large-scale combat. However, the authors underscored that cyber-enabled targeting supports combat operations.

This shift reflects a broader strategic reality, revealed by Rapin, wherein Iran is experimenting with cyber capabilities to gain near real-time monitoring of the situation, particularly in light of diminished human intelligence sources. Essentially, cyber espionage offers a powerful tool for monitoring the evolving dynamics of conflicts. The Amazon researchers' analysis showcases a new, concerning landscape where nation-states are no longer simply attacking digital systems but actively leveraging cyberattacks to advance their military objectives, demonstrating an increasing convergence of digital and physical warfare. |