What happened
Threat actors tied to Iran, operating under the name Imperial Kitten (also known as Tortoiseshell), were found to have been mapping data from a ship's Automatic Identification System (AIS) between December 2021 and January 2024, according to security researchers. They gained access to AIS location data for a specific vessel and conducted targeted searches on January 27, 2024. Days later, that same vessel was struck in an unsuccessful missile attack allegedly carried out by Houthi militants.
In addition to AIS, the actors reportedly gained access to CCTV cameras on a maritime vessel, enabling them to obtain real-time visual intelligence.
Who is affected
- Maritime vessels and shipping infrastructure are directly implicated, especially AIS platforms and on-board camera systems.
- Logistics companies, port operators, and any business relying on maritime transport could be at risk.
- Supply chain and critical infrastructure stakeholders, given the potential for cyber-enabled kinetic targeting.
Why CISOs should care
- The incident highlights how cyber operations can be used not just for espionage or data theft, but to facilitate physical attacks on critical infrastructure, blending cyber threats with kinetic warfare.
- As noted by CJ Moses, CISO of Amazon Integrated Security, digital reconnaissance by nation-state actors poses novel threats to cyber-physical systems.
- Organizations that previously treated cyber risk and operational/physical risk in silos may now need to evolve their strategies toward integrated threat models.
3 Practical Actions for CISOs
- Map cyber-physical dependencies
- Inventory and assess systems where networked infrastructure intersects with operational or physical safety.
- Engage with OT/ICS (operational technology/industrial control systems) teams to ensure visibility and network segmentation.
- Monitor for reconnaissance behavior
- Deploy and tune threat-intelligence feeds to detect suspicious access to maritime systems or unusual data requests.
- Implement anomaly detection for AIS and CCTV data access patterns.
- Develop joint cyber and physical incident response plans
- Collaborate with maritime, logistics, and security operations teams to simulate cyber-enabled physical attack scenarios.
- Establish protocols for verifying integrity and access to navigational and sensor data, and ensure rapid escalation procedures.
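The anomaly-detection action above can be made concrete as a detection rule over AIS-platform access logs: a fleet dashboard polls many vessels once each, whereas the targeted-search pattern described in the incident is one account repeatedly querying a single vessel in a short window. The following is an added illustration, not code from the article or from any vendor; the log format, account names and MMSI values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample AIS-platform access log (not real data):
# <timestamp> <account> <MMSI of the vessel whose position was requested>
SAMPLE_LOG = """\
2024-01-27T08:00:01Z ops-dashboard 111111111
2024-01-27T08:00:05Z ops-dashboard 222222222
2024-01-27T08:00:09Z ops-dashboard 333333333
2024-01-27T08:01:00Z analyst-7 444444444
2024-01-27T08:01:30Z analyst-7 444444444
2024-01-27T08:02:00Z analyst-7 444444444
2024-01-27T08:02:30Z analyst-7 444444444
2024-01-27T08:03:00Z analyst-7 444444444
2024-01-27T09:00:00Z analyst-7 555555555
"""


def parse_log(text):
    """Parse the constructed log format into (datetime, account, mmsi) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, mmsi = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, mmsi))
    return events


def find_targeted_lookups(events, min_hits=4, window=timedelta(minutes=10)):
    """Return {(account, mmsi): hits} for every account that queried the same
    vessel at least `min_hits` times within any `window`-long span.
    A dashboard polling many vessels once each never trips this rule."""
    by_pair = defaultdict(list)
    for ts, account, mmsi in events:
        by_pair[(account, mmsi)].append(ts)
    alerts = {}
    for pair, times in by_pair.items():
        times.sort()
        start, best = 0, 0
        # Sliding window: size of the densest cluster of queries for this pair.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            alerts[pair] = best
    return alerts


if __name__ == "__main__":
    for (account, mmsi), hits in find_targeted_lookups(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {account} queried vessel {mmsi} {hits} times within 10 minutes")
```

Thresholds and window size are starting points to tune against a baseline of legitimate dashboard and analyst traffic; the same sliding-window logic applies to CCTV stream access logs keyed by camera instead of MMSI.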
