Threat Actors Pioneering a New Operational Model That Combines Digital and Physical Threats

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Nation-state actors are fundamentally changing how they conduct military operations. The boundary between digital attacks and physical warfare is disappearing rapidly.

Instead of treating cybersecurity and military operations as separate activities, hostile nations are now blending them together in coordinated campaigns.

These new attacks start with digital operations designed specifically to gather information that enables physical military strikes.

This represents a major shift in global security threats that organizations worldwide need to understand and prepare for.

The traditional approach to security treats digital threats and physical dangers as completely separate problems.

Cybersecurity teams focus on networks and systems, while military and physical security teams handle different concerns.

However, recent investigations reveal that this separation no longer exists in the real world. Nation-state threat groups are connecting cyber reconnaissance directly to kinetic targeting, creating a unified attack strategy that is far more dangerous than traditional cyberattacks alone.

AWS security analysts identified this trend after observing multiple coordinated campaigns across different critical infrastructure sectors.

They discovered that threat actors are methodically using cyber operations to gather real-time intelligence that directly supports military targeting decisions.

This finding comes from AWS’s unique ability to monitor cloud operations globally, analyze honeypot data that captures attacker behavior, and collaborate with enterprise customers and government agencies to validate observed threats.

Technical Infrastructure Reveals Sophisticated Coordination

The technical methods these threat actors employ show impressive coordination and planning. They layer multiple tools to hide their true locations, starting with anonymizing VPN networks that obscure their origins and make attribution challenging.

They establish dedicated servers under their control to maintain persistent access and command capabilities. Once they compromise enterprise systems hosting critical infrastructure like security cameras or maritime platforms, they establish real-time data streaming channels.

These live feeds from compromised cameras and sensors provide actionable intelligence that threat actors can use to adjust targeting decisions in near real time.

One clear example involved Imperial Kitten, a threat group linked to Iran’s Revolutionary Guard. They compromised maritime vessel systems starting in December 2021, gained access to onboard CCTV cameras by August 2022, then conducted targeted searches for specific ship locations in January 2024.

Just weeks later, in February 2024, missile strikes targeted the exact vessel they had been tracking, a sequence that ties the cyber reconnaissance directly to the kinetic attack.

A second case involved MuddyWater, another Iranian threat group, using compromised security cameras in Jerusalem to gather real-time intelligence before missile attacks in June 2025.

This demonstrates how cyber operations and physical military actions now operate as unified strategies rather than separate threats.
