Hackers connected to Iran analyzed ship AIS data just days before an attempted real-world missile strike.
Threat actors with ties to Iran have increasingly engaged in cyber warfare to facilitate and enhance physical, real-world attacks, a trend identified by Amazon as cyber-enabled kinetic targeting. This development indicates a blurring of lines between state-sponsored cyber attacks and kinetic warfare, prompting the need for a new category of warfare, as highlighted in a report shared with The Hacker News. CJ Moses, CISO of Amazon Integrated Security, noted that traditional cybersecurity frameworks have treated digital and physical threats as separate domains, a separation he described as artificial. He emphasised that nation-state threat actors are conducting cyber reconnaissance activities specifically designed to support physical military objectives, rather than merely causing incidental physical damage.
One notable example is the hacking group Imperial Kitten, also known as Tortoiseshell, which is assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). Between December 2021 and January 2024, this group conducted digital reconnaissance targeting a ship’s Automatic Identification System (AIS) platform to gain access to critical shipping infrastructure. The group later attacked additional maritime vessel platforms, even accessing CCTV cameras on a vessel to gather real-time visual intelligence. On January 27, 2024, Imperial Kitten conducted targeted searches for AIS location data of a specific shipping vessel, which was subsequently targeted by an unsuccessful missile strike from Iranian-backed Houthi militants. This case illustrates how cyber operations can provide adversaries with the precise intelligence necessary for targeted physical attacks against vital maritime infrastructure, which is crucial for global commerce and military logistics.
