Iran Exploits Cyber Domain to Aid Kinetic Strikes - Dark Reading

THREAT INTELLIGENCE CYBER RISK CYBERSECURITY OPERATIONS VULNERABILITIES & THREATS NEWS Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific Iran Exploits Cyber Domain to Aid Kinetic Strikes The country deploys "cyber-enabled kinetic targeting" prior to — and following — real-world missile attacks against ships and land-based targets. Robert Lemos,Contributing Writer November 26, 2025 4 Min Read SOURCE: SKORZEWIAK VIA SHUTTERSTOCK Iranian advanced persistent threat (APT) groups have used cyberattacks for scoping out targets ahead of real-world attacks to improve operations and following kinetic strikes to assess damage, making Iran the latest nation to blend cyberattacks and military operations, according to cyber-conflict experts. In a Nov. 19 analysis, Amazon used data from its vast cloud network to connect the dots between cyber events and military operations, highlighting two cases where Iran used cyberattacks to gain reconnaissance into real world targets — hacking ship systems before a missile attack and compromising CCTV cameras in Israel before and during missile attacks on Jerusalem. The threat actors used VPN networks, dedicated server infrastructure, and compromised corporate systems to construct their attack infrastructure. Calling the strategy "a fundamental shift in how nation-state actors approach warfare," Amazon researchers termed the approach "cyber-enabled kinetic targeting." Related:China-Nexus Hackers Skulk in Southeast Asian Military Orgs for Years "Traditional cybersecurity frameworks often treat digital and physical threats as separate domains, [but] research by Amazon demonstrates that this separation is increasingly artificial," the researchers stated in the analysis. "Multiple nation-state threat groups are pioneering a new operational model where cyber reconnaissance directly enables kinetic targeting." Amazon is not the only company to warn of these attacks, and Iran is not the only country known to use them. Most Iranian groups are likely trying to compromise devices to provide "on the ground" intelligence for Iran's military, says Sergey Shykevich, threat intelligence group manager for cybersecurity firm Check Point Software. During the 12-day war this past June, exploitation of vulnerabilities in IP cameras in Israel jumped by 15 times, he says. "We know that most of that was connected to specific Iranian groups," Shykevich says. "We definitely saw sharp increase in targeting of cameras in Israel." Putting the Pieces Together While other countries are likely using the same tactics, Amazon gained visibility into Iranian activities because of its in-depth view across its network and those of its customers. Amazon threat intelligence researchers used telemetry from honeypot systems to gain visibility into suspicious patterns, threat actors' infrastructure, and the topologies of command-and-control networks. Opt-in customer data and intelligence sharing from industry partners provided additional pieces that could be used to assemble the rest of the puzzle. Related:INC Ransomware Group Holds Healthcare Hostage in Oceania In one case, the researchers detected when Imperial Kitten, a group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), compromised the Automatic Identification System (AIS) platform for different maritime vessels, starting in December 2021. In some cases, the attackers gained access to CCTV cameras aboard the vessels. The activity continued, and in January 2024, the attackers focused on a specific vessel. Five days later, Houthi forces targeted the ship with a missile strike, which "was ultimately ineffective," the Amazon researchers stated in the analysis. "This case demonstrates how cyber operations can provide adversaries with the precise intelligence needed to conduct targeted physical attacks against maritime infrastructure — a critical component of global commerce and military logistics," the threat researchers stated. In a second incident, the researchers tracked the attempts by MuddyWater, a group linked to Iran's Ministry of Intelligence and Security (MOIS), to use livestreams from compromised CCTV servers in Jerusalem to help targeting and damage assessment from a broad missile strike against the city. Amazon separated these cyber-enabled kinetic targeting from other blended forms of military operations, such as hybrid warfare — a term that is too broad — and cyber-kinetic operations — which usually applies to cyberattacks that cause real-world damage, the company's researchers said. Related:Chinese Cyber Threat Lurks In Critical Asian Sectors for Years Blended Warfare Other countries use cyber-enabled targeting, but likely not to the extent that Iran has or will. In Russia's invasion of Ukraine, "there was no statistically significant difference in targeting before and after the invasion," according to a paper on the Russo-Ukrainian war published by the Center of International and Strategic Studies (CSIS) in July 2023. "The utility of cyber operations rests in setting conditions and intelligence more than in direct application during large-scale combat operations," the paper stated. "While cyber-enabled targeting supports combat, the data shows that larger cyber campaigns do not radically shift during wartime." However, Iran has increasingly found itself isolated with fewer proxies willing to take action outside of its borders, says Alexis Rapin, a cyber-threat analyst with cybersecurity firm ESET. Israel's attacks on Hezbollah in Lebanon has weakened those allies of Iran, while the country had to pull forces out of Syria. As Iran continues to reinforce its network of proxies, cyber reconnaissance and espionage allows action-at-a-distance, he says. "Cyber could be an alternative to compensate for this loss of visibility on the ground and, for instance, the loss of human [intelligence] sources," he says. "One of the added values of cyber espionage is that ... it enables near real-time monitoring of the situation." Seeking those and other benefits, Iran will keep experimenting with what cyber can achieve, Rapin says. Read more about: DR Global Middle East & Africa About the Author Robert Lemos Contributing Writer Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends. More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report Cybersecurity Forecast 2026 The ROI of AI in Security ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like THREAT INTELLIGENCE React2Shell Exploits Flood the Internet as Attacks Continue by Rob Wright DEC 12, 2025 THREAT INTELLIGENCE Human Digital Twins Could Give Attackers a Dangerous Advantage by Arielle Waldman JUL 21, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 THREAT INTELLIGENCE Nation-State Threats Put SMBs in Their Sights by Robert Lemos, Contributing Writer APR 21, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ APPLICATION SECURITY Microsoft Patches 83 CVEs in March Update byJai Vijayan MAR 11, 2026 4 MIN READ THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE