Threat Actors Evolve: A Unified Operational Model Integrating Digital and Physical Threats - Tech Digital Minds
In a rapidly evolving digital landscape, Amazon’s threat intelligence teams have made a startling revelation that intertwines digital operations with physical warfare. This emerging trend, known as “cyber-enabled kinetic targeting,” shifts the paradigm of warfare by employing cyber operations to not just disrupt but actively bolster and inform physical military actions. The implications of this model are profound, raising important questions about national security in our increasingly interconnected world.
The findings were unveiled by Amazon researchers during the thought-provoking CYBERWARCON 2025 conference, where it became evident that the long-standing separation between cyber warfare and traditional military operations is becoming increasingly blurred. As tech-savvy adversaries adapt their strategies, the distinctions that once guided defense protocols may no longer be effective.
This new model transcends the familiar territory of conventional cyberattacks, which typically aim at causing digital disruptions or engaging in espionage. Instead, these cyber-enabled campaigns are meticulously structured to serve tangible physical objectives. The research sheds light on how nation-state actors, particularly those associated with Iran’s military and intelligence infrastructure, are at the forefront of this unsettling trend.
Amazon’s formidable threat intelligence capabilities come from its vast cloud infrastructure, which generates unparalleled telemetry. The company utilizes an in-house honeypot network known as MadPot to collect critical data on the behavior of malicious actors, their infrastructure usage, and the flow of traffic linked to suspicious operations. This wealth of information, coupled with opt-in customer data and intelligence-sharing partnerships across various sectors, empowers analysts to draw connections between cyber activities and real-world military engagements.
One notable example comes from a group dubbed Imperial Kitten, believed to operate under the auspices of Iran’s Islamic Revolutionary Guard Corps. This group initiated activities in late 2021 aimed at compromising maritime systems. They first infiltrated Automatic Identification System (AIS) platforms and subsequently gained access to vessel CCTV feeds, giving them the ability to monitor ship movements live. By early 2024, they were searching for specific vessels, and just days later, Houthi forces launched a missile at one of those targeted ships. While the attack ultimately failed, it illustrated how digital reconnaissance facilitated and informed real-world military targeting.
A parallel operation involving the Iranian-aligned group MuddyWater further exemplifies the direct link between cyber operations and physical attacks. In May 2025, MuddyWater established dedicated server infrastructure aimed at intelligence gathering. Shortly thereafter, they accessed compromised CCTV systems across Jerusalem, enabling Iranian forces to exploit live feeds to adjust missile trajectories during a barrage of attacks on June 23, 2025. Reports indicated that these forces were using real-time video to refine their targeting, showcasing an alarming convergence of cyber intelligence with kinetic military action.
Amazon’s researchers stress that these increasingly sophisticated operations hinge on elements such as actor-controlled servers, anonymizing VPN networks, and the real-time streaming of data from compromised systems. This fusion of cyber and kinetic domains poses significant challenges for conventional defense frameworks, calling for a reevaluation of existing security measures.
Experts warn that organizations managing critical infrastructure—particularly in maritime, urban surveillance, and logistics sectors—must urgently reassess their threat models. The immediacy of physical repercussions stemming from cyber intrusions underscores the necessity for heightened vigilance. Intelligence sharing, cross-sector collaboration, and strategically integrated defensive planning are essential to mitigate the risks associated with these cyber-enabled kinetic targeting campaigns, marking a significant shift in how security professionals must approach their roles.
Organizations must be vigilant for various indicators of compromise (IOCs) as they relate to these emerging threats. Here are some critical values identified by Amazon’s research:
IOC Value: 18[.]219.14.54, IOC Type: IPv4, First Seen: 2025-05-13, Last Seen: 2025-06-17, Annotation: MuddyWater Command and Control IP address.
IOC Value: 85[.]239.63.179, IOC Type: IPv4, First Seen: 2023-08-13, Last Seen: 2025-09-19, Annotation: Imperial Kitten proxy IP address.
IOC Value: 37[.]120.233.84, IOC Type: IPv4, First Seen: 2021-01-01, Last Seen: 2022-11-01, Annotation: Imperial Kitten proxy IP address.
IOC Value: 95[.]179.207.105, IOC Type: IPv4, First Seen: 2020-11-11, Last Seen: 2022-04-09, Annotation: Imperial Kitten proxy IP address.
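One way to check connection logs against the indicators above, as an added example that is not part of Amazon's research or the original article: it refangs the listed addresses and records whether each hit falls inside the First Seen/Last Seen window, so matches dated outside that window can be triaged separately. The log format, function names and sample log lines are assumptions constructed for illustration.

```python
import ipaddress
from datetime import date, datetime

# IOC rows copied from the list above: defanged value, first seen, last seen, annotation.
IOCS = [
    ("18[.]219.14.54", "2025-05-13", "2025-06-17", "MuddyWater Command and Control IP address"),
    ("85[.]239.63.179", "2023-08-13", "2025-09-19", "Imperial Kitten proxy IP address"),
    ("37[.]120.233.84", "2021-01-01", "2022-11-01", "Imperial Kitten proxy IP address"),
    ("95[.]179.207.105", "2020-11-11", "2022-04-09", "Imperial Kitten proxy IP address"),
]

def refang(value):
    """Turn a defanged indicator such as 18[.]219.14.54 into a validated IP object."""
    return ipaddress.ip_address(value.replace("[.]", "."))

def build_index(iocs):
    """Map each refanged IP to (first_seen, last_seen, annotation)."""
    return {refang(v): (date.fromisoformat(first), date.fromisoformat(last), note)
            for v, first, last, note in iocs}

def match_connections(lines, index):
    """Return (timestamp, local_host, ioc_ip, in_window, annotation) for each hit.

    Assumed (hypothetical) log format: "<ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port>".
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        try:
            ts = datetime.fromisoformat(parts[0])
            src, dst = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        # Check both directions: outbound to an IOC and inbound from one.
        for local, remote in ((src, dst), (dst, src)):
            if remote in index:
                first, last, note = index[remote]
                in_window = first <= ts.date() <= last
                hits.append((parts[0], str(local), str(remote), in_window, note))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-06-01T03:14:07 10.0.4.21 18.219.14.54 443",   # inside the listed window
    "2025-08-02T11:00:00 10.0.4.21 18.219.14.54 443",   # after Last Seen
    "2024-02-10T22:41:55 85.239.63.179 10.0.9.5 443",   # inbound from a listed proxy
    "2025-06-01T03:15:00 10.0.4.21 203.0.113.10 443",   # unrelated address
    "garbage line",
]

if __name__ == "__main__":
    for hit in match_connections(SAMPLE_LOG, build_index(IOCS)):
        print(hit)
```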