Amazon’s threat intelligence findings reveal how Iran-linked hackers merge digital espionage with real-world attacks, signaling a new era of state-backed hybrid warfare.
A New Battlefield Without Borders
A new report from Amazon’s security intelligence division, published via Hacker News, reveals something far more alarming than routine cyber intrusions: the merging of Iran-backed hacking operations with real-world military targeting. This is not merely hacking for disruption or espionage. It is cyber warfare explicitly designed to support physical attacks—what Amazon calls “cyber-enabled kinetic targeting.”
For years, governments treated cyberspace and physical conflict as separate universes. But the report argues that this separation is now fiction. And if the findings are accurate, Iran’s intelligence services and affiliated militant groups have crossed a threshold that has serious implications for international security and commercial infrastructure.
Digital Reconnaissance as a Weapon
According to Amazon’s analysis, Iran-affiliated groups are no longer hacking only for intelligence—they are hacking to sharpen the targeting of missiles.
One example is Imperial Kitten (also known as Tortoiseshell), linked to the IRGC. Between late 2021 and early 2024, the group is assessed to have infiltrated maritime Automatic Identification System (AIS) platforms. These systems are essential for global shipping, safety, and logistics. Gaining access to them does not just expose data—it provides the kind of real-time visibility needed to direct a missile.
The group allegedly went beyond digital mapping. They reportedly gained access to CCTV cameras on a maritime vessel, giving them a direct view of ship operations. Days after conducting targeted searches for AIS data on a specific vessel, that same ship was attacked by Houthi militants in a missile strike attempt.
This is not coincidence. It is coordination.
The Red Sea Attacks: Cyber Meets Missiles
The broader context matters: Houthi forces, backed by Tehran, have intensified missile attacks on commercial shipping in the Red Sea. While Iran’s regime tries to maintain plausible deniability, the pipeline between Iranian cyber units and proxy militant groups appears increasingly visible.
If digital reconnaissance can guide missiles, then cyber intrusions are no longer “low-risk.” They become a battlefield weapon—and global supply chains become targets.
Targeting Jerusalem Through Live Cameras
Another Iran-linked operation cited in the report involves MuddyWater, tied to Iran regime’s Ministry of Intelligence and Security (MOIS). In mid-2025, the group reportedly compromised servers containing live CCTV feeds from Jerusalem. This wasn’t passive surveillance. Amazon says the hackers sought real-time visual intelligence of potential targets.
Around the same period, Iran launched widespread missile attacks on the city. Israel’s National Cyber Directorate publicly confirmed attempts by Iranian actors to connect to civilian and municipal cameras “to understand what happened and where their missiles hit.”
The regime was reportedly using live video feeds to calibrate its missile accuracy.
This marks a deeply unsettling evolution: a state actor refining its military strikes using hacked civilian infrastructure.
The Strategic Shift: Hybrid Warfare Is Here
What makes these developments dangerous is not just the sophistication of the operations, but their strategic intention.
Iran’s cyber units appear to be moving from espionage to battlefield support, embedding themselves within the targeting cycle of missile warfare. This blurring of lines is not accidental—it is tactical.
As Amazon’s security team puts it, combining digital reconnaissance with kinetic attacks is a “force multiplier.” It allows a regime to extend its reach while attempting to mask its fingerprints behind VPNs, proxies, and third-party militias.
For governments and the private sector alike, this means traditional cybersecurity frameworks are now outdated. A hacked camera is no longer merely a privacy breach; it may be part of a missile-guidance operation.
What This Means for the World
Iran’s approach, as outlined in the report, portends a future where:
- Commercial vessels become military targets enabled by hacked infrastructure
- Civilian cameras can be exploited to refine battlefield accuracy
- Proxy militants gain operational intelligence from state-backed cyber units
- Cyber intrusions become precursors to physical attacks
This hybrid strategy threatens not only the Middle East but global commerce itself. The Red Sea and Persian Gulf remain vital arteries of the world economy. If ships are at risk because hackers aligned with a government can track them in real time, then global shipping—already strained by geopolitical conflict—faces unprecedented danger.
A Warning That Cannot Be Ignored
The Amazon report should be read as a warning: Iran’s cyber strategy is shifting from sabotage to battlefield enablement. And while other authoritarian states pursue similar trajectories, Iran’s integration of cyber operations with proxy warfare places it at the forefront of a perilous new era.
The international community must recognize that hybrid warfare is not theoretical. It is happening—in real time, across multiple domains, with potentially devastating consequences.
