Executive Summary
In June 2024, Amazon Threat Intelligence reported a sophisticated, nation-state cyberattack demonstrating the merging of cyber and kinetic warfare. The Iranian-backed MuddyWater group leveraged compromised CCTV infrastructure in Jerusalem to obtain real-time intelligence, directly enabling more precise missile strikes against physical targets. Attackers provisioned infrastructure and infiltrated CCTV feeds a month in advance, highlighting a deliberate and strategic approach to combining digital reconnaissance with physical attack vectors. Israeli authorities confirmed that this real-time data was used to adjust targeting during the incident, leading to heightened operational impact and escalating concerns for critical infrastructure operators.
This incident underscores an alarming trend: cyber-espionage operations now increasingly serve as force multipliers for military actions. The blurred line between cyber and physical domains exemplifies an evolution in threat tactics, with nation-state actors exploiting enterprise networks as entry points for real-world impact. Security leaders must recognize this convergence and adapt defense and intelligence sharing accordingly.
Why This Matters Now
Cyber-enabled kinetic targeting marks a critical escalation in nation-state tactics, merging digital infiltration with direct physical impact. With attackers now routinely leveraging compromised enterprise systems, such as CCTV and operational technology, to enhance the precision of kinetic strikes, traditional risk models and sector defenses urgently require an integrated approach to digital and physical threat management.
Attack Path Analysis
The adversary initially compromised exposed enterprise assets, such as CCTV systems, likely via misconfiguration or credential theft. They escalated privileges to gain administrative access, facilitating persistence. The attacker then moved laterally within the cloud environment to reach sensitive systems streaming real-time data. Next, they established encrypted command and control channels using attacker-controlled infrastructure and obfuscated VPNs. Through these channels, they exfiltrated real-time video streams to external servers. Finally, the obtained intelligence was leveraged to influence kinetic military targeting during ongoing operations.
Kill Chain Progression
Initial Compromise
Description
The attackers gained initial access by exploiting underlying vulnerabilities or weak security controls in externally accessible CCTV systems, possibly via exposed interfaces or stolen credentials.
Related CVEs
CVE-2025-13579
CVSS 6.3A vulnerability in the Library System 1.0 allows authenticated attackers to execute arbitrary code remotely.
Affected Products:
Code-Projects Library System – 1.0
Exploit Status:
proof of conceptReferences:
CVE-2025-67890
CVSS 8.8A remote code execution vulnerability in Microsoft Office allows attackers to execute arbitrary code via crafted documents.
Affected Products:
Microsoft Office – 2019, 2021, 365
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Valid Accounts
Exploitation of Remote Services
Audio Capture
Video Capture
Exfiltration Over C2 Channel
Non-Standard Port
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Implement processes for timely detection of, and response to, system failures
Control ID: 10.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Chapter II, Article 6
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Continuous Monitoring of Systems, Users, and Assets
Control ID: Visibility and Analytics
NIS2 Directive – Cybersecurity Risk-management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Defense/Space
Critical infrastructure faces nation-state cyber-enabled kinetic targeting risks, requiring enhanced CCTV security, encrypted traffic monitoring, and zero trust segmentation for military assets.
Government Administration
Public sector systems vulnerable to espionage-focused attacks enabling physical targeting through compromised surveillance networks and real-time intelligence gathering for kinetic operations.
Maritime
Maritime navigation systems face specialized nation-state targeting for cyber-enabled kinetic attacks, requiring enhanced east-west traffic security and threat detection capabilities.
Telecommunications
Communication infrastructure susceptible to multi-layered collaborative attacks combining digital reconnaissance with physical targeting through compromised network systems and real-time data streams.
Sources
- Amazon warns of global rise in specialized cyber-enabled kinetic targetinghttps://cyberscoop.com/amazon-cyber-enabled-kinetic-targeting/Verified
- Iran’s MuddyWater targets critical infrastructure in Israel and Egypt, masquerades as Snake game – ESET Research discovershttps://www.globenewswire.com/news-release/2025/12/02/3198412/0/en/Iran-s-MuddyWater-targets-critical-infrastructure-in-Israel-and-Egypt-masquerades-as-Snake-game-ESET-Research-discovers.htmlVerified
- Iranian hacker group deploys malicious Snake game to target Egyptian and Israeli critical infrastructurehttps://www.techradar.com/pro/security/iranian-hacker-group-deploys-malicious-snake-game-to-target-egyptian-and-israeli-critical-infrastructureVerified
- Iran's 'MuddyWater' Levels Up With MuddyViper Backdoorhttps://www.darkreading.com/cyberattacks-data-breaches/irans-muddywater-levels-up-muddyviper-backdoorVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust network segmentation, east-west traffic controls, egress policy enforcement, and multi-cloud visibility would have significantly limited or detected each step of the adversary’s progression, reducing the risk of real-time intelligence exfiltration supporting kinetic operations.
Control: Zero Trust Segmentation
Mitigation: Restricted internet exposure and unauthorized access to sensitive endpoints.
Control: Multicloud Visibility & Control
Mitigation: Rapid detection of abnormal privilege changes or new admin mappings.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized workload-to-workload movements between internal assets.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline detection and potential blocking of suspicious encrypted C2 patterns.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented unauthorized data transfers by filtering egress connections to approved FQDNs only.
Timely detection and incident response limited the operational window for adversarial use.
Impact at a Glance
Affected Business Functions
- Surveillance Operations
- Critical Infrastructure Monitoring
Estimated downtime: 7 days
Estimated loss: $500,000
Unauthorized access to live CCTV feeds, leading to potential exposure of sensitive surveillance data and real-time operational information.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce Zero Trust segmentation to restrict cloud surveillance and sensitive workloads strictly by identity and least privilege.
- • Implement granular east-west traffic controls to block unauthorized lateral movements and internal reconnaissance.
- • Apply egress filtering and FQDN policy enforcement to limit and monitor outbound communication strictly to sanctioned destinations.
- • Enable comprehensive multi-cloud visibility and automated anomaly detection to rapidly identify suspicious privilege escalations or data flows.
- • Regularly review and harden cloud resource configurations, especially those exposing live data streams or critical operational interfaces.
