
When Cyber Reconnaissance Enables Kinetic Warfare: What OT Security Leaders Must Know

  • Writer: RubyComm Team
  • Dec 23, 2025
  • 5 min read

Protecting critical infrastructure from cyber threats is no longer just about preventing operational disruption or data theft. In some cases, it's about preventing your systems from becoming intelligence assets that enable physical military strikes. Recent findings from Amazon Threat Intelligence reveal a disturbing evolution in nation-state tactics: adversaries are systematically compromising operational technology systems not to damage them directly, but to gather real-time intelligence that guides missile targeting and kinetic military operations.


This represents a fundamental shift that demands immediate attention from OT security professionals across water systems, manufacturing facilities, maritime operations, and critical infrastructure. The convergence of cyber and kinetic warfare is no longer theoretical; it is actively unfolding, and the organizations most at risk may not be those traditionally considered high-value targets.


The emergence of cyber-enabled kinetic targeting


Amazon Threat Intelligence has documented what it terms "cyber-enabled kinetic targeting": coordinated campaigns in which digital operations are specifically designed to support physical military objectives. This goes beyond traditional cyber-physical attacks that cause system damage; instead, adversaries exploit OT and IoT systems as persistent surveillance platforms that feed actionable intelligence directly into kinetic strike planning.


Two documented campaigns illustrate the scope and sophistication of this threat. In the first case, threat actors linked to Iran's Islamic Revolutionary Guard Corps maintained access to maritime vessel systems for over two years, culminating in a targeted missile strike. The operation began in December 2021 when the Imperial Kitten group compromised a vessel's Automatic Identification System platform. By August 2022, they had expanded to CCTV cameras aboard maritime vessels, providing real-time visual intelligence. On January 27, 2024, the actors conducted targeted searches for AIS location data on a specific vessel. Five days later, on February 1, 2024, Houthi forces launched a missile strike against that exact vessel; a correlation Amazon describes as "unmistakable."


The second case demonstrates even tighter integration between cyber operations and kinetic warfare. In May 2025, the MuddyWater threat group (attributed to Iran's Ministry of Intelligence and Security) provisioned infrastructure specifically for accessing compromised CCTV systems in Jerusalem. On June 17, 2025, they gained access to live surveillance feeds throughout the city. Six days later, Iran launched widespread missile attacks against Jerusalem, with Israeli authorities confirming that Iranian forces were exploiting compromised security cameras to gather real-time intelligence and adjust missile targeting. Officials urged citizens to disconnect internet-connected cameras specifically because adversaries were using them to assess strike impact and improve accuracy.


Why traditional OT security models are insufficient


These campaigns expose critical gaps in how organizations conceptualize OT security threats. Traditional risk assessments usually focus on direct consequences: will a cyberattack shut down our operations, compromise our safety systems, or steal our intellectual property? These remain valid concerns, but they represent an incomplete threat model.


The Amazon findings reveal that adversaries value OT systems for their intelligence potential as much as their operational disruption potential. A shipping company's AIS platform, a facility's internet-connected building management system, or a manufacturing plant's surveillance network may not seem like attractive targets under conventional threat models. Yet these systems provide precisely the tactical intelligence nation-state actors need: location data, real-time visual confirmation, operational patterns, and supply chain movements. Think Russia targeting Ukrainian critical infrastructure during the Ukraine war.


This shift has profound implications for threat modeling across critical infrastructure sectors. Water utilities operating SCADA systems connected to supervisory networks must consider not just the risk of process manipulation, but whether compromised systems could provide intelligence about facility locations, operational status, or response capabilities during conflict. Manufacturing facilities with internet-connected production monitoring systems face similar exposure, not because adversaries want to disrupt production, but because these systems reveal operational rhythms, supply chain logistics, and facility capabilities.


The timeline of these campaigns is equally concerning. The Imperial Kitten operation maintained access for hundreds of days before the kinetic strike occurred. This isn't smash-and-grab cybercrime; it's patient, persistent intelligence gathering that integrates seamlessly with long-term strategic planning. Traditional detection methods focused on immediate exploitation may completely miss campaigns designed for intelligence value rather than operational impact.


Critical infrastructure at the convergence point


The convergence of IT and OT security takes on new urgency in this threat landscape. Many critical infrastructure organizations have worked to segment OT networks from IT networks, implementing air gaps and strict access controls to protect operational systems. These remain essential security practices, but they don't address systems that legitimately connect to the internet for operational purposes such as building automation systems, remote monitoring platforms, cloud-connected sensors, and increasingly, IIoT devices throughout industrial environments.


Water and wastewater facilities face particularly acute exposure. Many operate geographically distributed assets monitored through SCADA networks and internet-connected sensors. A compromised HMI or remote terminal unit could provide adversaries with real-time status information about water treatment processes, reservoir levels, or distribution system operations, all of which is intelligence valuable for both targeting and impact assessment in kinetic operations. The Amazon findings suggest adversaries may also pursue persistent access purely for intelligence purposes.


Manufacturing operations integrating smart factory technologies and remote monitoring capabilities similarly expand their attack surface in ways traditional OT security frameworks don't fully address. Industry 4.0 initiatives that connect production equipment, quality monitoring systems, and logistics platforms to enterprise networks and cloud services create intelligence-rich environments. An adversary gaining access to these systems doesn't need to manipulate PLCs or disrupt production to achieve strategic value. Simply monitoring production schedules, supply chain data, and facility operations provides actionable intelligence.


Maritime and port operations represent another convergence point explicitly targeted in documented campaigns. AIS systems, vessel tracking platforms, port management systems, and logistics networks all contain information valuable for kinetic targeting. Port facilities handling critical cargo (e.g. military equipment, energy resources, or essential commodities) must recognize that their operational technology and logistics systems represent high-value intelligence targets during periods of geopolitical tension.


A refined OT defense paradigm: Adapting security strategy for dual-domain threats


Defending against cyber-enabled kinetic targeting requires expanding security programs beyond traditional OT protection measures. Organizations must now implement what Amazon's Chief Information Security Officer, CJ Moses, describes as intentional integration of physical and logical security, a practice that remains uncommon despite growing necessity.


The Amazon Threat Intelligence findings represent more than newly documented threat actor campaigns. They reveal a fundamental evolution in how adversaries conceptualize and execute operations across cyber and physical domains. For OT security professionals, this evolution demands corresponding changes in defensive strategy.


Organizations operating critical infrastructure can no longer evaluate cyber risk purely through the lens of operational impact. Systems that provide intelligence value (e.g. surveillance networks, location tracking platforms, operational monitoring systems, and supply chain management tools) require protection commensurate with their potential to enable kinetic targeting. This reality extends risk beyond traditional critical infrastructure to any organization operating systems that could provide tactical intelligence during geopolitical conflict.

The technical challenges are significant, and there is no magic wand to solve everything instantly. Unraveling the complex interrelations between physical and digital domains requires sustained effort. However, organizations that fail to view threats holistically across both domains risk missing critical exposures until those exposures are exploited not just for cyber espionage, but to enable physical attacks against themselves or others.


The convergence of cyber reconnaissance and kinetic warfare may be accelerating, with multiple nation-state adversaries adopting similar approaches. OT security leaders who adapt their programs now, by expanding threat models, integrating physical-digital security coordination, and implementing intelligence-aware defensive measures, will position their organizations to detect and respond to these sophisticated, patient campaigns before they achieve their ultimate objective: turning operational technology into targeting intelligence.


About RubyComm:

RubyComm delivers tailored operational technology cybersecurity solutions designed specifically for the unique challenges of industrial and critical infrastructure environments faced by organizations of all sizes. Unlike one-size-fits-all security products, RubyComm addresses the specific operational constraints, legacy system challenges, and complex integration requirements that conventional off-the-shelf solutions cannot adequately address. Our approach maintains operational efficiency and business continuity while providing comprehensive protection against sophisticated OT-specific threats.

