Iran-Linked Hackers Mapped Ship AIS Data Days Before Real-World Missile Strike Attempt

Medium
Vulnerability
Published: Thu Nov 20 2025 (11/20/2025, 07:35:00 UTC)
Source: The Hacker News

Description

Threat actors with ties to Iran engaged in cyber warfare as part of efforts to facilitate and enhance physical, real-world attacks, a trend that Amazon has called cyber-enabled kinetic targeting. The development is a sign that the lines between state-sponsored cyber attacks and kinetic warfare are increasingly blurring, necessitating the need for a new category of warfare, the tech giant's

AI-Powered Analysis

Last updated: 11/20/2025, 13:21:16 UTC

Technical Analysis

This threat involves Iranian state-affiliated hacking groups, notably Imperial Kitten (linked to the IRGC) and MuddyWater (linked to Iran's Ministry of Intelligence and Security), conducting cyber reconnaissance operations targeting maritime infrastructure to enable physical missile attacks. Between December 2021 and January 2024, Imperial Kitten targeted Automatic Identification System (AIS) platforms used by ships to track vessel locations and movements. They also gained access to live CCTV feeds on maritime vessels, providing real-time visual intelligence. On January 27, 2024, Imperial Kitten performed targeted searches for AIS data on a specific vessel, which was subsequently targeted by an unsuccessful missile strike by Iranian-backed Houthi militants in the Red Sea. Similarly, MuddyWater established cyber infrastructure in May 2025 and accessed live CCTV streams from Jerusalem in June 2025 to gather intelligence ahead of missile attacks on Israeli cities. These cyber operations are part of a broader trend Amazon calls cyber-enabled kinetic targeting, where digital espionage directly supports physical military objectives. The threat actors used anonymizing VPNs to mask their activities, complicating detection and attribution. This represents an evolution in warfare, merging cyber and kinetic domains, and highlights the risk to critical maritime commerce and military logistics infrastructure. The attacks underscore the need for integrated cyber and physical security strategies to defend against such multi-domain threats.

Potential Impact

The primary impact of this threat on European organizations lies in the potential compromise of maritime infrastructure and shipping operations, which are vital to European economies. Unauthorized access to AIS data and vessel CCTV can enable adversaries to track and target commercial shipping, potentially leading to physical attacks that disrupt supply chains and cause economic damage. European ports, shipping companies, and maritime logistics providers could face increased risks of espionage, sabotage, or collateral damage from regional conflicts involving Iranian-backed actors. Additionally, the use of cyber reconnaissance to facilitate kinetic attacks blurs traditional security boundaries, requiring European organizations to consider physical security implications of cyber intrusions. The threat also raises concerns for European nations involved in geopolitical tensions in the Middle East or reliant on shipping routes passing through vulnerable regions like the Red Sea. Disruption to maritime commerce could have cascading effects on trade, energy supplies, and military logistics. Furthermore, the use of anonymizing VPNs by attackers complicates attribution and response efforts, increasing the challenge for European cybersecurity and intelligence agencies.

Mitigation Recommendations

European maritime and critical infrastructure operators should implement multi-layered defenses tailored to cyber-enabled kinetic threats. Specific recommendations include:

1) Enhance monitoring and anomaly detection on AIS data access and queries to identify suspicious reconnaissance activities.
2) Secure maritime vessel networks, including CCTV and other IoT devices, by enforcing strong authentication, network segmentation, and regular firmware updates.
3) Integrate cyber and physical security teams to share intelligence and coordinate responses to threats that span digital and kinetic domains.
4) Employ threat intelligence feeds focused on Iranian-linked groups and their tactics to proactively detect indicators of compromise.
5) Harden VPN and anonymization detection capabilities to identify and block malicious traffic attempting to obscure attacker origins.
6) Conduct regular security audits and penetration testing of maritime systems to identify and remediate vulnerabilities.
7) Collaborate with international partners and maritime authorities to share information on emerging threats and coordinate defense strategies.
8) Develop incident response plans that consider the potential for cyber intrusions to precede physical attacks, ensuring rapid and coordinated action.
9) Train personnel on recognizing and reporting suspicious cyber activities related to maritime operations.
10) Advocate for enhanced regulatory standards and compliance frameworks addressing cyber-physical security in the maritime sector.

Technical Details

Article Source
{"url":"https://thehackernews.com/2025/11/iran-linked-hackers-mapped-ship-ais.html","fetched":true,"fetchedAt":"2025-11-20T13:19:56.214Z","wordCount":1150}

Threat ID: 691f158663b28c178c8a261e

Added to database: 11/20/2025, 1:20:06 PM

Last enriched: 11/20/2025, 1:21:16 PM

Last updated: 11/21/2025, 2:30:57 PM
