Iran-Linked Hackers Used AIS Data to Track Ship Days Before Missile Strike Attempt

Iran-linked hackers carried out a detailed digital reconnaissance on a commercial ship just days before a real-world missile strike attempt. Security researchers revealed that these hackers mapped the vessel’s AIS data and even accessed its onboard cameras. This activity happened shortly before the physical attack. Experts say the timing shows the cyber actions were connected to the strike.

The investigation was led by Amazon’s Integrated Security team. They described this operation as “cyber-enabled kinetic targeting,” meaning cyber activities were used to support a physical military attack. This marks a major shift in how modern warfare is being carried out. Digital intelligence is now directly feeding real-world violence.

One of the groups involved is known as Imperial Kitten, also called Tortoiseshell. This group is believed to be linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). Their activity included monitoring AIS data of a specific vessel between December 2021 and January 2024. This surveillance helped them understand the ship’s movement in detail.

On January 27, 2024, the attackers reportedly searched specifically for the location of the targeted ship using AIS platforms. Just a few days later, on February 1, 2024, the same ship was targeted by missiles launched by Iran-backed Houthi militants. The close timing between these events shows clear coordination. It highlights how digital tracking supported the real attack.

Researchers also found that the hackers gained access to the vessel’s CCTV camera feeds. This gave them real-time visuals of the ship. Such access could improve the accuracy of physical strikes. It also reveals how vulnerable onboard systems have become.

Another case in the report involved a different Iran-linked group called MuddyWater. In May 2025, this group set up cyber infrastructure used for surveillance. By June, they had accessed servers streaming live CCTV footage from Jerusalem. Days later, Iran launched missile strikes on June 23, 2025.

Both cases demonstrate the same pattern: cyber reconnaissance happens first, and physical attacks follow shortly after. Researchers emphasize that this is not accidental. The digital activity is intentionally carried out to support military operations. It shows a growing blend of cyberwarfare and physical conflict.

Experts warn that maritime systems like AIS and ship cameras must be better protected. These technologies, once seen as safe and routine, can now be weaponised. Governments and maritime operators are being urged to verify tracking data and secure onboard systems. The line between cyber threats and physical attacks is becoming thinner than ever.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news