Amazon Warns: Nation-State Hackers Tying Cyber Attacks to Real-World Strikes

A new investigation from Amazon’s threat intelligence team reveals that nation-state actors are increasingly blending cyber intrusions with real-world military operations — marking one of the clearest shifts yet in modern warfare. 

The report highlights multiple campaigns in which Iranian-linked groups used compromised ship systems, security cameras, and other digital infrastructure to support missile targeting and physical strikes.

“The new Amazon Threat Intelligence findings highlight a shift we’ve been edging toward for years: anything connected can become part of the cyber battlefield,” said Omer Tal, Director of Innovation and Research in the CTO Office at Seemplicity. 

He warned, “We’re now seeing commercial CCTV streams show up in missile-targeting workflows – systems that were never built with national security anywhere in the design conversation.” 

Tal continued, “No organization can assume ‘why would anyone target us?’ You don’t control the end use of your compromised systems. An attacker doesn’t need your data; they just need your access. 

He added, “A routine foothold in a corporate network can turn into real-world targeting intelligence. That’s the new reality, and it’s why visibility and control over your exposure surface matter just as much for private companies as for governments.”

Iranian APTs Turn Hijacked Cameras Into Targeting Tools

In the first case, a threat group known as Imperial Kitten — linked to Iran’s Islamic Revolutionary Guard Corps — spent more than two years escalating access to maritime systems. 

The group compromised a vessel’s Automatic Identification System in late 2021, expanded to additional ships in 2022, and eventually accessed onboard CCTV cameras, giving operators real-time visual intelligence. 

By early 2024, their reconnaissance narrowed to a specific vessel. Days later, Houthi forces launched a missile strike on that same ship.

A second campaign, attributed to Iran’s MuddyWater group, showed an even more immediate connection between cyber access and kinetic action. 

After provisioning new command-and-control (C2) servers in May 2025, the group pivoted into a compromised system streaming live CCTV feeds from Jerusalem. 

On June 23, Iran launched widespread missile attacks — and Israeli officials publicly warned that attackers were using hijacked security cameras to adjust targeting in real time.

How Cyber Intrusions Now Power Physical Strikes

Amazon’s researchers describe these operations as instances of cyber-enabled kinetic targeting, a more precise term than “hybrid warfare” or “cyber-kinetic attacks.” 

The defining factor: the digital intrusion exists specifically to support a physical strike.

These operations rely on layered technical infrastructure, including anonymizing VPNs to mask origin, dedicated attacker-controlled servers for persistent access, and compromised enterprise systems rich with intelligence value. 

Live data streams — such as camera feeds, vessel telemetry, or sensor data — allow threat actors to refine targeting with a level of precision not possible through traditional reconnaissance alone.

This convergence raises attribution stakes as well. When cyber operators directly enable kinetic attacks, responsibility spans cybersecurity, military, and diplomatic domains.

Hardening Real-Time Systems Against Exploitation

Amazon’s findings show that any system providing real-time visibility — from cameras to industrial sensors — can be weaponized if left exposed. 

The steps below outline how security teams can harden these systems and reduce the risk of cyber-to-kinetic exploitation.

• Harden internet-exposed systems — especially cameras, IoT devices, and OT platforms — and disable unnecessary remote access paths.
• Apply strict access controls and network segmentation to prevent lateral movement into sensitive telemetry or sensor systems.
• Use encrypted, authenticated communication protocols for all real-time visibility systems such as CCTV, AIS, and industrial sensors.
• Continuously monitor for abnormal outbound traffic, streaming behavior, or VPN-tunneled sessions that may indicate reconnaissance.
• Establish baselines and anomaly detection for OT, IoT, and sensor networks to quickly flag deviations from normal activity.
• Participate in intelligence-sharing communities to stay aware of emerging cyber-to-kinetic targeting patterns.
• Conduct red-team exercises and adopt zero-trust principles to validate defenses and limit how compromised systems can be used for physical targeting.

Building cyber resilience means assuming any connected system can be misused and layering defenses accordingly.

The New Reality of Cyber-Physical Warfare

Cyber-enabled kinetic targeting marks a decisive shift in how nation-state actors conduct conflict. 

Digital breaches are no longer just precursors to data theft or service disruption — they are becoming integral components of battlefield strategy. 

As global tensions rise and adversaries refine their techniques, organizations that once believed they had no geopolitical relevance may find their systems leveraged as tools of military intelligence.

As the boundaries between cyber and physical warfare continue to dissolve, defenders must assume that any compromised system could hold value far beyond their own environment — turning even routine intrusions into potential catalysts for real-world conflict.

This shifting threat landscape underscores why organizations must adopt a zero-trust approach, treating every user, device, and connection as untrusted until proven otherwise.