Sector Assessment

Maritime and Shipping Sector: Cyber Threat Intelligence Report

Extended Intelligence Report — Written by the Threat Intelligence Team, approved & edited by F. Dounis, Head of Threat Intelligence & R&D

May 1, 2026
Executive Summary

The global maritime and shipping sector transports approximately 90% of all internationally traded goods by volume, underpinning an estimated $14 trillion in annual cargo value across a network of 105,000+ merchant vessels, 5,000+ ports, and 1.9 million seafarers. This sector faces a category of cyber risk that is structurally different from all other critical infrastructure domains. Four characteristics set maritime apart: (a) geographically distributed, mobile assets operating with intermittent satellite connectivity across multiple jurisdictions simultaneously; (b) operational technology systems designed in the 1990s and 2000s without security considerations, now being networked to shore-side management platforms; (c) regulatory fragmentation across flag states, port states, classification societies, and international bodies that produces compliance gaps no single authority can close; and (d) a workforce with the lowest cybersecurity training baseline of any critical infrastructure sector, operating under fatigue and isolation conditions that amplify social engineering susceptibility.

Dark Angel’s analysis of the reporting period (January 2023 through Q1 2026) identifies at least 87 confirmed ransomware incidents affecting maritime and port organizations globally, 14 distinct nation-state campaigns with documented maritime targeting, and over 124,000 GPS/GNSS interference events affecting commercial vessels in the Eastern Mediterranean, Baltic Sea, Black Sea, and Persian Gulf. The aggregate direct economic impact of maritime cyber incidents during this period is conservatively assessed at $2.1 billion, with indirect supply chain cascading effects estimated at $10–15 billion when accounting for port congestion multipliers, diverted cargo, contractual penalties, and insurance premium escalation. The trajectory is accelerating: ransomware incidents targeting the maritime sector increased 38% year-over-year between 2024 and 2025, and nation-state pre-positioning activity in port operational technology networks—particularly by PRC-affiliated actors—has expanded from the Pacific to Atlantic-facing port infrastructure.

Key Judgments
  • High Confidence: Ransomware will remain the most frequent and operationally disruptive cyber threat to the maritime sector through 2028, driven by the sector’s high downtime costs, low security maturity, and operational urgency that incentivizes ransom payment.
  • High Confidence: PRC-affiliated actors have pre-positioned persistent access in port operational technology networks in at least three allied nations, with the assessed intent to disrupt maritime logistics in a Taiwan contingency scenario.
  • High Confidence: GPS/GNSS spoofing and jamming have transitioned from isolated incidents to a persistent, region-wide threat that degrades navigation safety for commercial vessels transiting the Eastern Mediterranean, Baltic Sea, and Persian Gulf.
  • Moderate Confidence: The maritime software supply chain—concentrated among fewer than 10 TOS vendors, 5 ECDIS manufacturers, and 4 major VSAT providers—represents a systemic single-point-of-failure risk that will be exploited for mass-effect compromise within the next 24 months.
  • Moderate Confidence: EU NIS2 enforcement actions against maritime entities will begin in 2026–2027, with management body personal liability provisions (Article 20) driving board-level cybersecurity investment across European shipping companies for the first time.
  • Moderate Confidence: The convergence of AI-enhanced social engineering, autonomous vessel attack surfaces, and weaponized electronic warfare against commercial navigation will produce a maritime cyber incident with safety-of-life consequences before 2028.
  • Low Confidence: At least one state actor possesses the capability and has conducted operational planning for a cyber-enabled disruption of a major chokepoint (Suez, Malacca, or Panama) through simultaneous compromise of vessel traffic services and port terminal systems.

The forward-looking risk picture for the next 12–24 months is defined by three converging trends. First, the autonomous vessel attack surface is expanding as Maritime Autonomous Surface Ship (MASS) technologies move from pilot programs to limited commercial deployment, introducing remote command injection and sensor spoofing risks that lack established mitigation frameworks. Second, the regulatory landscape is tightening simultaneously across multiple jurisdictions—IMO, EU NIS2, IACS UR E26/E27, and the proposed USCG MTSA cybersecurity rule—creating compliance pressure that will expose organizations that have treated cyber risk management as a documentation exercise rather than an operational capability. Third, the geopolitical weaponization of maritime chokepoints—demonstrated by Houthi Red Sea operations and Russian Black Sea mine and electronic warfare campaigns—is normalizing the use of cyber capabilities as instruments of maritime coercion, lowering the threshold for state-sponsored disruption of commercial shipping.

The Maritime Cyber Threat Landscape: Strategic Context

Economic Significance and Chokepoint Dependency

The scale of the global maritime economy extends well beyond the commonly cited 90% volume figure. UNCTAD’s 2024 Review of Maritime Transport reports that seaborne trade reached 12.3 billion tonnes in 2023, with container trade accounting for approximately 1.85 billion tonnes across an estimated 250 million TEU movements. The containerized segment alone underpins approximately $7.6 trillion in cargo value, while bulk commodities (crude oil, iron ore, coal, grain) account for the remainder of seaborne trade value. Global port throughput exceeded 860 million TEUs in 2023 across roughly 5,400 commercial ports, with the top 20 container ports (dominated by Chinese and Southeast Asian facilities) handling over 40% of global container volume.

The dependency on maritime chokepoints concentrates this economic value into geographic corridors where disruption cascades with disproportionate speed and magnitude. Approximately 21 million barrels per day (21% of global oil consumption) transit the Strait of Hormuz, making it the single most economically consequential maritime corridor on Earth. The Strait of Malacca carries roughly 25% of global maritime trade by value and one-third of seaborne oil. The Suez Canal, prior to Houthi-driven rerouting, facilitated approximately 12–15% of global trade with an estimated $9.5 billion in cargo transiting daily. The Panama Canal handles approximately 5% of global seaborne trade, with drought-induced restrictions in 2023–2024 demonstrating the GDP-level consequences of canal capacity constraints. Cyber disruption at any of these chokepoints—whether through vessel traffic service compromise, port terminal shutdown, or coordinated vessel navigation system attacks—would trigger a cascading economic model: vessel delay compounds into port congestion, which amplifies into supply chain disruption at a 5–15x cost multiplier, which in turn registers as measurable GDP impact within days for trade-dependent economies.

Attack Surface Taxonomy

The maritime cyber attack surface must be understood across four interconnected domains, each with distinct technologies, protocols, access vectors, and consequence profiles.

Vessel Domain. The vessel attack surface encompasses five subsystems. Navigation systems include ECDIS (running on Windows Embedded or Linux, processing S-57/S-63 electronic navigational charts), GPS/GNSS receivers (single- and multi-constellation), AIS transponders (broadcasting unencrypted/unauthenticated VHF signals), and radar (increasingly software-defined with ARPA/chart overlay integration). Propulsion and machinery includes engine management systems with PLCs controlling fuel injection timing, turbocharger parameters, and emissions monitoring; scrubber control systems mandated by IMO 2020 sulfur regulations; and ballast water treatment systems added under the BWM Convention. Cargo systems include container tracking, reefer container monitoring (remote temperature/atmosphere management for 4–6 million refrigerated containers globally), tank level monitoring on tankers, and loading computer stability calculations. Communications include Ku/Ka-band VSAT (Inmarsat Fleet Xpress, SES mPOWER, Starlink Maritime), L-band safety communications (Inmarsat-C, Iridium GMDSS), VHF/DSC for short-range voice and distress, and increasingly, 4G/5G cellular connectivity in coastal waters. Crew systems include welfare WiFi networks, personal device access, and entertainment systems that frequently share physical network infrastructure with operational systems.
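As an added example (not part of the original report), the following Python decodes a Class A AIS position report from a raw AIVDM sentence and then runs a simple track-plausibility check that flags position jumps no vessel could make. Because the AIS channel carries no authentication and the reported position comes straight from the vessel's GNSS receiver, this is the kind of consistency check shore-side receivers use to notice spoofed identities or GNSS-interfered positions. The sample sentence is a single-fragment Type 1 report of the kind used in decoder test suites; the second track point is constructed.

```python
import math

# Sample single-fragment Class A position report (Type 1) of the kind used
# in AIS decoder test suites; not captured from any vessel named in this report.
AIS_SAMPLE = "!AIVDM,1,1,,A,13HOI:0P0000VOHLCnHQKwvL05Ip,0*23"


def nmea_checksum_ok(sentence: str) -> bool:
    """Verify the NMEA 0183 '*hh' checksum: XOR of every byte between the
    leading '!'/'$' and the '*'. This only proves the line was not corrupted
    on the serial link; AIS itself carries no authentication at all."""
    if not sentence.startswith(("!", "$")) or "*" not in sentence:
        return False
    body, _, given = sentence[1:].partition("*")
    calc = 0
    for ch in body:
        calc ^= ord(ch)
    return f"{calc:02X}" == given[:2].upper()


def payload_to_bits(payload: str) -> str:
    """Expand AIVDM 6-bit ASCII armoring (ITU-R M.1371) into a '0'/'1' string."""
    bits = []
    for ch in payload:
        v = ord(ch) - 48
        if v > 40:
            v -= 8
        if not 0 <= v < 64:
            raise ValueError(f"invalid AIS payload character {ch!r}")
        bits.append(f"{v:06b}")
    return "".join(bits)


def _uint(bits: str, start: int, length: int) -> int:
    return int(bits[start:start + length], 2)


def _sint(bits: str, start: int, length: int) -> int:
    v = _uint(bits, start, length)
    return v - (1 << length) if v & (1 << (length - 1)) else v


def decode_position_report(sentence: str) -> dict:
    """Decode a single-fragment Type 1/2/3 (Class A) position report."""
    if not nmea_checksum_ok(sentence):
        raise ValueError("NMEA checksum mismatch")
    fields = sentence.split(",")
    if fields[0] not in ("!AIVDM", "!AIVDO") or fields[1] != "1":
        raise ValueError("only single-fragment AIVDM/AIVDO sentences are handled")
    bits = payload_to_bits(fields[5])
    msg_type = _uint(bits, 0, 6)
    if msg_type not in (1, 2, 3) or len(bits) < 143:
        raise ValueError(f"not a complete Class A position report (type {msg_type})")
    sog_raw = _uint(bits, 50, 10)      # 1/10 knot, 1023 = not available
    cog_raw = _uint(bits, 116, 12)     # 1/10 degree, 3600 = not available
    return {
        "msg_type": msg_type,
        "mmsi": _uint(bits, 8, 30),
        "nav_status": _uint(bits, 38, 4),
        "sog_knots": None if sog_raw == 1023 else sog_raw / 10,
        "lon": _sint(bits, 61, 28) / 600000,   # signed, 1/10000 minute
        "lat": _sint(bits, 89, 27) / 600000,
        "cog_deg": None if cog_raw == 3600 else cog_raw / 10,
        "heading_deg": _uint(bits, 128, 9),    # 511 = not available
        "utc_second": _uint(bits, 137, 6),
    }


def haversine_nm(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in nautical miles (mean Earth radius 3440.065 nm)."""
    r_nm = 3440.065
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * r_nm * math.asin(math.sqrt(a))


def flag_implausible_legs(track, max_knots=50.0):
    """track: [(epoch_seconds, lat, lon), ...] for ONE MMSI in receive order.
    Returns [(index, implied_knots)] for every leg faster than max_knots,
    which is how GNSS spoofing and AIS identity spoofing usually surface."""
    flagged = []
    for i in range(1, len(track)):
        t0, la0, lo0 = track[i - 1]
        t1, la1, lo1 = track[i]
        dt_h = (t1 - t0) / 3600.0
        if dt_h <= 0:
            flagged.append((i, float("inf")))   # same or earlier timestamp
            continue
        knots = haversine_nm(la0, lo0, la1, lo1) / dt_h
        if knots > max_knots:
            flagged.append((i, round(knots, 1)))
    return flagged


if __name__ == "__main__":
    rec = decode_position_report(AIS_SAMPLE)
    print(rec)
    # Constructed: the same MMSI claims to be 0.1 deg (about 6 nm) north one minute later.
    track = [(0, rec["lat"], rec["lon"]), (60, rec["lat"] + 0.1, rec["lon"])]
    print(flag_implausible_legs(track))
```

A production receiver would keep per-MMSI state across many sentences and also cross-check SOG/COG against the implied leg, but the leg-speed test alone already catches the gross position jumps typical of spoofing.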

Port Domain. Terminal Operating Systems (TOS) manage berth allocation, container stowage planning, yard management, equipment dispatch, gate operations, and intermodal coordination. Crane control systems (STS gantry cranes, ASCs, RTGs) operate on industrial networks using PROFINET, Modbus TCP, and proprietary protocols. Automated Guided Vehicles (AGVs) and Automated Straddle Carriers communicate via industrial WiFi or dedicated radio. Gate automation (OCR license plate and container number recognition, radiation portal monitors, weigh bridges) integrates with customs and border protection systems. Port community systems (PCS) provide the single-window data exchange platform connecting shipping lines, freight forwarders, customs brokers, terminal operators, and government agencies. CCTV, physical access control, and perimeter security systems operate on converged IP networks.

Shore-Side Domain. Fleet management platforms (crew management, maintenance planning, procurement, regulatory compliance tracking), commercial operations (chartering, freight booking, demurrage management), financial systems (trade finance, letters of credit, cargo insurance), and corporate IT (email, ERP, HR) constitute the shore-side enterprise environment. These systems maintain persistent connectivity to vessel and port systems via VSAT, API integrations, and cloud platforms.

Supply Chain Domain. Software vendors (TOS developers, ECDIS manufacturers, fleet management providers), classification societies (Lloyd’s Register, DNV, Bureau Veritas, ClassNK, ABS, RINA), chart data providers (national hydrographic offices, PRIMAR, IC-ENC), VSAT/communication service providers, and third-party service engineers who connect maintenance laptops directly to vessel OT networks during port calls collectively constitute an extended supply chain with privileged access to maritime critical systems.

Digitalization Timeline and Attack Surface Expansion

Phase 1: Isolated Vessel Systems (pre-2010). Bridge and engine room equipment operated as standalone systems with no network connectivity. Chart updates arrived on physical media via chart agents. Attack vectors were limited to physical access and insider threat. The attack surface was minimal but so was operational efficiency.

Phase 2: Satellite-Connected Vessels (2010–2018). The adoption of broadband VSAT (initially Ku-band at 1–4 Mbps) connected vessels to shore-side networks for the first time at scale. Fleet management platforms, performance monitoring, and remote diagnostics became standard. This phase introduced the vessel as a network endpoint reachable from the internet, but bandwidth constraints limited the data flows and, consequently, the attack surface. The Maersk/NotPetya incident (2017) occurred at the transition point of this phase, propagating through shore-side IT infrastructure to port OT systems.

Phase 3: Cloud-Integrated Fleet Management (2018–2023). Ka-band VSAT (Fleet Xpress, providing 10–50 Mbps) and the emergence of Starlink Maritime (100+ Mbps, low latency) enabled real-time cloud integration. IoT sensor deployments aboard vessels multiplied. Performance optimization, weather routing, and regulatory reporting moved to cloud platforms. TOS systems migrated from on-premise to hybrid and cloud deployments. This phase dramatically expanded the attack surface: persistent high-bandwidth connectivity transformed the vessel from an occasionally connected endpoint to a continuously exposed network segment, while cloud dependencies introduced new trust relationships with SaaS providers.

Phase 4: Autonomous Vessel Programs (2023–present). MASS programs, shore-based remote operation centers, AI-driven navigation, and autonomous port equipment are introducing software-defined control of vessel movement. The Yara Birkeland (autonomous electric container ship in Norway), the NYK-MTI autonomous ship trials in Japan, and multiple Chinese autonomous vessel deployments in the Pearl River Delta are moving from demonstration to limited commercial operation. Each requires shore control center connectivity, sensor fusion (LiDAR, camera, radar, AIS), and machine learning inference systems that introduce entirely new attack surface categories: sensor spoofing, model poisoning, and remote command injection.

Historical Incident Analysis: The Empirical Evidence Base

This section constitutes the most comprehensive public catalogue of documented maritime cyber incidents. For each incident, the record includes date, target, attack type, attributed actor where known, technical vector, operational impact, duration, estimated financial impact, and assessed lessons. The pattern that emerges is unambiguous: the frequency, sophistication, and operational consequence of maritime cyber incidents have escalated on an exponential trajectory since 2017.

Defining Incidents (2017–2021)

Maersk / NotPetya — June 27, 2017. The NotPetya destructive wiper, attributed to Russian GRU Sandworm (Unit 74455), propagated through the Ukrainian tax software MEDoc via a compromised software update mechanism and reached Maersk’s global IT infrastructure through a single infected machine at the company’s Odesa office. Within seven hours, the malware had encrypted or destroyed systems across Maersk’s entire IT estate: 45,000 PCs, over 4,000 servers, and 2,500 applications across 600 sites in 130 countries. APM Terminals, Maersk’s port operations subsidiary, halted operations at 76 terminals worldwide. The recovery was enabled by a single surviving Active Directory domain controller at a remote Maersk office in West Africa—preserved only because a power outage had taken the machine offline during the propagation window. Maersk rebuilt its entire IT infrastructure in 10 days, re-imaging 45,000 PCs and 4,000 servers in what remains the largest enterprise IT rebuild operation ever conducted. Maersk’s disclosed direct cost was $250–$300 million. The White House assessed global NotPetya damages at $10 billion+, with downstream supply chain disruption across dozens of countries. The critical lesson: the maritime sector need not be the intended target to suffer catastrophic consequences from state-sponsored destructive operations.

COSCO Shipping Lines — July 24, 2018. China’s largest state-owned shipping conglomerate suffered a ransomware attack that disabled its North American email, network telephone, and electronic communications systems. Operations at the Port of Long Beach were degraded for several days. COSCO isolated its Americas network from the global corporate network, maintaining operations in other regions. The incident demonstrated that even state-owned shipping giants with significant resources were not immune to commodity ransomware.

Austal Ships — November 2018. Austal, an Australian shipbuilder constructing Littoral Combat Ships and Expeditionary Fast Transports for the U.S. Navy, disclosed a data breach in which an unauthorized actor accessed the company’s data management system and stole ship design and engineering data. The stolen data was subsequently offered for sale on the dark web, and the threat actor attempted to extort the company. Public attribution has not been confirmed; the actor profile is consistent with either state-sponsored espionage or financially motivated criminal activity. The incident highlighted the espionage value of maritime defense intellectual property and the shipbuilding supply chain as a high-priority target.

U.S. Coast Guard MSIB 06-19 — February 2019. The USCG issued Marine Safety Information Bulletin 06-19 following an incident aboard a deep-draft commercial vessel bound for the Port of New York and New Jersey. Malware delivered via USB media had infected the vessel’s IT systems, significantly degrading shipboard computer functionality though not affecting vessel control systems. The investigation revealed that the vessel operated without effective cybersecurity measures: the same Windows-based workstations used for cargo management, email, and official business were connected to the vessel’s ECDIS and other navigation equipment, with no network segmentation.

U.S. Coast Guard Ryuk Alert — December 2019. The USCG issued a marine safety alert warning that a Maritime Transportation Security Act (MTSA)-regulated facility had been targeted by Ryuk ransomware, which encrypted critical files and disrupted facility operations for over 30 hours. The intrusion vector was a phishing email containing a malicious link. Camera and physical access control systems were among the affected IT assets.

MSC Mediterranean Shipping Company — April 10, 2020. MSC, at the time the world’s second-largest container shipping line by capacity (it has since overtaken Maersk for the top position), confirmed a network outage affecting its Geneva headquarters that resulted in the unavailability of the company’s website and customer-facing booking portal for approximately five days. MSC attributed the outage to a malware attack. The incident affected shore-side operations but not vessel navigation or port terminal systems.

CMA CGM — September 28, 2020. CMA CGM, the world’s third-largest container line, suffered a Ragnar Locker ransomware attack that forced the company to take its online booking platforms (eSolutions) offline for approximately two weeks. Customers reverted to email and telephone-based booking. The attack targeted CMA CGM’s peripheral servers and entered through a VPN appliance vulnerability. While vessel operations were unaffected, the commercial impact of two weeks of degraded booking systems across one of the world’s largest container lines was substantial.

Transnet / South African Ports — July 22, 2021. Transnet SOC Ltd, South Africa’s state-owned port and rail operator, suffered a ransomware attack attributed to the Death Kitty/HelloKitty family. Transnet declared force majeure across all container terminals at Durban, Cape Town, Ngqura, and Port Elizabeth—facilities handling over 60% of South Africa’s containerized trade. Container terminal throughput collapsed by an estimated 70–80% as operations reverted to manual processing. The disruption lasted approximately one week at peak impact, with residual congestion persisting for weeks. The incident demonstrated that a single ransomware deployment could paralyze a nation’s port infrastructure and impose cascading economic harm on landlocked neighboring countries (Botswana, Zambia, Zimbabwe, DRC) dependent on South African port access for international trade.

Swire Pacific Offshore — November 2021. Swire Pacific Offshore, an operator of offshore support vessels, confirmed a Clop ransomware attack in which the threat actors exfiltrated personal data of approximately 2,500 employees—including passport copies, employment contracts, payroll information, and bank account details. Crew personal data exfiltration carries unique risks in the maritime context: seafarer identity documents can facilitate visa fraud, and crew movement patterns can be exploited for intelligence collection or physical security targeting.

Escalation Period (2022–2026)

Expeditors International — February 20, 2022. Expeditors, one of the world’s largest freight forwarding and logistics companies (2021 revenue: $16.5 billion), disclosed a cyberattack that shut down most of its global operating systems for approximately three weeks. The company reported $60 million in direct costs and lost revenue from the incident. The prolonged outage affected customs brokerage, freight consolidation, and supply chain management services for thousands of shippers globally.

Port of Lisbon (Administração do Porto de Lisboa) — December 25, 2022. The LockBit ransomware group claimed responsibility for an attack on the Port of Lisbon’s administrative systems on Christmas Day, subsequently publishing stolen data on its leak site in January 2023 after the port authority reportedly declined to pay the ransom. Compromised data included financial reports, audits, budgets, contracts, cargo information, ship logs, port documentation, and personnel records. Operational port systems were not directly affected, but the data exfiltration represented a significant intelligence loss.

DNV ShipManager — January 7, 2023. DNV, one of the world’s largest maritime classification societies and a critical node in the maritime digital ecosystem, confirmed a ransomware attack on the IT infrastructure hosting its ShipManager fleet management platform. DNV was forced to take ShipManager servers offline, disrupting fleet management operations for approximately 70 ship operator customers managing roughly 1,000 vessels. ShipManager supports planned maintenance systems (PMS), crewing, procurement, and QHSE management. While vessel navigation and safety systems are architecturally independent of fleet management software, the incident demonstrated that compromise of a single widely used maritime software vendor could simultaneously affect hundreds of vessels across dozens of operators—a supply chain risk profile that remains the sector’s most critical systemic vulnerability.

Nagoya Port (Port of Nagoya) — July 4, 2023. The LockBit group targeted the Nagoya Port United Terminal System (NUTS)—the central system coordinating container operations at Japan’s largest port (handling approximately 10% of Japan’s total trade value). The attack halted all container loading and unloading operations for over two days, forcing the port to suspend trailer movement into and out of terminals. Toyota and other major Japanese manufacturers experienced supply chain disruption. The incident was particularly significant because NUTS is a centralized system; its compromise simultaneously halted operations across all five container terminals at the port, demonstrating the single-point-of-failure risk inherent in centralized TOS architectures.

DP World Australia — November 10, 2023. DP World, the third-largest port operator globally, suffered a cyberattack affecting its Australian container terminal operations in Sydney, Melbourne, Brisbane, and Fremantle. Approximately 30,000 containers were stranded as the company disconnected its port systems from the internet to contain the breach. The disconnection halted truck processing at terminal gates, preventing containers from entering or leaving the terminals. Recovery to full operational capacity took approximately three weeks. The Australian government activated the National Coordination Mechanism—a crisis response framework typically reserved for natural disasters and terrorism—reflecting the strategic significance attributed to port cyber resilience at the national level. DP World Australia subsequently confirmed that the attackers had exfiltrated data including employee personal information.

2024–2026 Incidents. The reporting period has seen continued escalation. Key incidents include a Black Basta ransomware attack on a major European ro-ro ferry operator (Q2 2024) that disrupted booking and check-in systems for five days; an Akira ransomware compromise of a Southeast Asian port management company operating four container terminals (Q3 2024) with an assessed direct cost exceeding $35 million; a supply chain compromise affecting a maritime communications provider that resulted in malware deployment to VSAT management interfaces aboard approximately 200 vessels (Q4 2024); and multiple incidents affecting Mediterranean and Baltic port authorities that Dark Angel assesses are linked to escalating geopolitical tensions in both regions.

“The maritime sector has progressed from ‘cyber incidents happen to others’ (pre-2017), through ‘we could be next’ (2017–2021), to the present reality: ‘we have been compromised, we will be compromised again, and the question is whether we can maintain operations when it happens.’”

Dark Angel Maritime Threat Intelligence Practice, 2026

Threat Actor Landscape

4.1 Nation-State Actors

People’s Republic of China. PRC-affiliated actors represent the most persistent, technically sophisticated, and strategically consequential nation-state threat to the global maritime sector. Three distinct operational patterns are assessed.

APT40 / Leviathan / TEMP.Periscope / Bronze Mohawk. Formally attributed to the MSS Hainan State Security Department (Hainan Xiandun Technology Development Company) through the DOJ July 2021 indictment of four MSS officers, APT40 has maintained sustained maritime targeting since at least 2013. The indictment documented campaigns against naval defense contractors in the United States, Austria, and Southeast Asia; research universities conducting underwater autonomous vehicle and deep-sea mining research; shipping companies operating in the South China Sea; and government maritime agencies in multiple countries. APT40’s maritime-specific TTPs include exploitation of public-facing web applications (particularly Confluence, SharePoint, and VPN appliances), credential harvesting via spear-phishing targeting maritime industry conferences, and the use of legitimate remote access tools (Cobalt Strike, SoftEther VPN) for persistent access. CISA’s July 2024 advisory confirmed APT40 continues active operations, now emphasizing exploitation of SOHO devices and edge appliances for operational relay infrastructure—a technique with particular relevance to maritime shore offices that commonly deploy consumer-grade networking equipment.

Volt Typhoon. The Volt Typhoon campaign, publicly attributed to PRC by Microsoft and the Five Eyes alliance in May 2023 and detailed in CISA’s subsequent advisories, represents a paradigm shift in maritime threat assessment. Volt Typhoon was assessed to be pre-positioning for disruption of U.S. critical infrastructure, including maritime transportation, in a potential Taiwan contingency. The group’s tradecraft—living-off-the-land techniques using legitimate system tools (PowerShell, WMI, certutil, netsh), avoiding malware deployment, and maintaining persistent access through compromised edge devices—is specifically designed to evade detection and maintain long-term access for future activation. Congressional testimony in January 2024 revealed that Volt Typhoon had maintained access to critical U.S. infrastructure for “at least five years.” For the maritime sector, the implication is direct: PRC pre-positioning likely includes Pacific port OT networks, vessel traffic service systems, and military logistics infrastructure that commercial ports share. Dark Angel assesses with high confidence that similar pre-positioning operations target port infrastructure in Japan, South Korea, the Philippines, Australia, and Guam.

ZPMC Port Crane Vulnerability. In February 2024, the U.S. House Select Committee on the Chinese Communist Party and the House Homeland Security Committee released findings documenting that Shanghai Zhenhua Heavy Industries (ZPMC)—manufacturer of approximately 80% of ship-to-shore cranes deployed at U.S. ports—had installed cellular modems on crane systems that were not contractually required and had no documented operational function. These modems provided remote connectivity to crane control systems, bypassing port network security controls. The committees assessed that these installations could facilitate intelligence collection on port operations or provide a persistent access vector for future disruption. ZPMC cranes operate at over 200 ports globally, creating a supply chain dependency that extends far beyond U.S. shores. The finding prompted Executive Order 14116 (February 2024), authorizing the USCG to address maritime cyber threats at MTSA-regulated facilities, including equipment manufactured by foreign adversarial entities.

Salt Typhoon. The Salt Typhoon campaign, disclosed in late 2024, targeted major U.S. telecommunications providers (AT&T, Verizon, T-Mobile). While not directly maritime-focused, the compromise of telecommunications infrastructure has direct implications for maritime operations: vessel VSAT traffic transits terrestrial telecommunications networks, maritime VoIP communications depend on telecom backbone infrastructure, and port operations rely on cellular and fiber connectivity. Dark Angel assesses with moderate confidence that intelligence collected through Salt Typhoon includes maritime logistics communications, port operations data, and military sealift coordination.

Russian Federation. Russian intelligence services target maritime infrastructure through three operational modes. Destructive operations: GRU Sandworm (Unit 74455) demonstrated willingness to conduct destructive attacks affecting maritime infrastructure through NotPetya. The precedent of Industroyer/CrashOverride (targeting Ukrainian power grid) and Industroyer2 (2022) confirms GRU capability and willingness to attack OT/ICS systems. Espionage: APT28 (Unit 26165) targeted logistics and transportation infrastructure during the Ukraine conflict, including grain shipment logistics under the Black Sea Grain Initiative. SVR (APT29/Cozy Bear) has targeted maritime insurance firms, classification societies, and European port authorities for strategic intelligence collection. Electronic warfare: Russian GPS/GNSS interference campaigns represent the most extensively documented state-sponsored electronic attack on commercial maritime systems. The C4ADS “Above Us Only Stars” report (2019) documented systematic GPS spoofing affecting approximately 1,300 vessels in the Black Sea between 2016 and 2018. Subsequent monitoring has documented dramatic escalation: the Foundation for Resilient Societies 2024 study documented over 90,000 GPS interference events in the Eastern Mediterranean alone during a 12-month period, with the majority attributed to Russian electronic warfare systems protecting military assets in Syria and Crimea. Since late 2023, GPS interference in the Baltic Sea region—particularly around the Kaliningrad exclave, the Gulf of Finland, and the eastern Baltic—has intensified, affecting commercial aviation and maritime navigation simultaneously, coinciding with elevated NATO-Russia tensions.

Islamic Republic of Iran. Iranian cyber operations targeting maritime infrastructure are geographically concentrated around the Strait of Hormuz and the Red Sea corridor. The 2019 Stena Impero seizure (a Swedish-owned, UK-flagged tanker seized by IRGC forces in the Strait of Hormuz on July 19, 2019) is assessed with moderate confidence to have involved GPS interference that, coupled with IRGC naval interdiction, contributed to directing the vessel into Iranian waters. IRGC-linked groups, including APT33 (Elfin/Refined Kitten) and APT35 (Charming Kitten), have targeted port authorities and energy logistics firms operating in the Gulf region. Since the Houthi campaign against Red Sea shipping commenced in November 2023, Dark Angel assesses with moderate confidence that Iranian-aligned cyber capabilities have supported targeting intelligence for physical attacks on commercial vessels—leveraging AIS tracking data, port scheduling systems, and shipping company network access to identify vessel ownership, cargo manifests, and routing information linked to Israeli-associated trade. The intelligence-enabled targeting model means that seemingly low-severity cyber compromises (e.g., access to a shipping company’s booking system) can enable kinetic attacks with strategic consequences.

Democratic People’s Republic of Korea. Lazarus Group and associated DPRK state-sponsored actors target the maritime sector primarily for financial gain and sanctions evasion. DPRK maritime cyber operations include: targeting of shipping companies and maritime trade finance institutions for cryptocurrency theft and financial fraud; cyber-enabled manipulation of vessel identity documents and AIS data to support sanctions evasion shipping networks (dark fleet operations using forged IMO numbers and spoofed AIS); and compromise of shipping company email systems for Business Email Compromise (BEC) fraud targeting high-value cargo payments and charter party settlements. The UN Panel of Experts on North Korea has documented DPRK use of cyber capabilities to support illicit ship-to-ship fuel transfers and coal exports through falsified maritime documentation.

4.2 Ransomware Ecosystem

Dark Angel’s monitoring of data leak sites, incident response engagements, and industry reporting identifies the following ransomware groups with confirmed maritime sector victims during the reporting period:

Group: LockBit
  Confirmed maritime victims: Port of Lisbon, Nagoya Port (NUTS), 3+ port operators, 5+ shipping companies
  Typical initial access: VPN exploits (Fortinet, Citrix), RDP, phishing
  Sector-specific notes: Most prolific maritime ransomware operator; targeted centralized TOS for maximum disruption

Group: Clop / TA505
  Confirmed maritime victims: Multiple via MOVEit (2023), GoAnywhere MFT; Swire Pacific Offshore
  Typical initial access: Mass exploitation of MFT platforms (CVE-2023-34362, CVE-2023-0669)
  Sector-specific notes: Maritime sector heavily reliant on MFT for bill-of-lading and customs document exchange

Group: ALPHV / BlackCat
  Confirmed maritime victims: European shipping conglomerate, logistics firms
  Typical initial access: Compromised credentials, VPN/RDP
  Sector-specific notes: Exfiltrated crew manifests, insurance documentation, charter rates before law enforcement disruption

Group: Black Basta
  Confirmed maritime victims: European ferry operator, port logistics companies
  Typical initial access: QakBot initial access, VPN exploits (Cisco ASA CVE-2023-20269)
  Sector-specific notes: Emerging focus on ro-ro and ferry operators; disruption affects passenger safety operations

Group: Akira
  Confirmed maritime victims: Southeast Asian port operator, maritime logistics firms
  Typical initial access: Cisco VPN (CVE-2023-20269), compromised VPN credentials
  Sector-specific notes: Rapid encryption with limited dwell time; $35M+ assessed direct cost in one port incident

Group: Ragnar Locker
  Confirmed maritime victims: CMA CGM (2020)
  Typical initial access: VPN appliance exploitation
  Sector-specific notes: Two-week disruption to booking systems at world’s third-largest container line (disrupted prior to LE takedown)

Group: Death Kitty / HelloKitty
  Confirmed maritime victims: Transnet (South Africa, 2021)
  Typical initial access: Assessed SonicWall exploitation
  Sector-specific notes: Triggered force majeure declaration; 70–80% throughput collapse across national port system

Group: Ryuk / Conti lineage
  Confirmed maritime victims: MTSA-regulated facility (USCG 2019 alert), logistics firms
  Typical initial access: Phishing, TrickBot/Emotet loader chain
  Sector-specific notes: Early ransomware campaigns targeting port facilities; established sector as viable target

The maritime sector’s attractiveness to ransomware operators is driven by four structural factors: (1) disruption economics—port and shipping downtime costs of $200,000–$500,000+ per day per terminal create payment incentive structures that rational extortionists exploit; (2) low security maturity—the maritime sector consistently ranks among the least mature critical infrastructure sectors in cybersecurity investment, with average cybersecurity spending estimated at 0.1–0.3% of revenue versus 5–10% for financial services; (3) operational urgency—just-in-time supply chains, perishable cargo deadlines, and contractual demurrage penalties create time pressure that works in the attacker’s favor; and (4) insurance-backed payment capacity—marine cyber insurance policies, while still maturing, provide payment capacity that adversaries assess increases willingness to pay.

4.3 Hacktivism and Gray-Zone Operations

Pro-Russian hacktivist operations have targeted European maritime infrastructure systematically since the onset of the Russia-Ukraine conflict. KillNet claimed DDoS attacks against the Port of Rotterdam, Hamburg Port Authority, and multiple Baltic port websites in 2022–2023. NoName057(16) conducted repeated DDoS campaigns against Danish, Estonian, and Finnish port authority websites and vessel traffic service portals. The Cyber Army of Russia Reborn (assessed to be a GRU-directed front) targeted Norwegian and Polish maritime logistics platforms. While the operational impact of DDoS against informational websites is limited, targeted campaigns against VTS information portals, AIS web services, and port community system interfaces carry genuine operational risk.

Pro-Ukrainian groups have reciprocally targeted Russian port infrastructure. Claims of disruptions to customs processing at Novorossiysk and St. Petersburg port systems have been made by groups including the IT Army of Ukraine and affiliated collectives. Verification is limited, but Russian port operations have experienced documented disruptions consistent with cyber interference during the conflict period.

Environmental hacktivism targeting the shipping sector is an emerging trend. Maritime shipping produces approximately 2.9% of global CO2 emissions (IMO Fourth GHG Study), and environmental activist groups have begun to identify shipping companies as targets for data exfiltration and public exposure campaigns. Dark Angel assesses with low confidence that this trend will escalate as IMO MEPC emissions regulations tighten and activist groups identify the gap between industry emissions commitments and operational reality.

OT/IT Convergence: The Maritime-Specific Technical Risk

5.1 Vessel OT Architecture

A modern container vessel’s network architecture typically comprises five functional segments, often sharing physical cabling or switch infrastructure despite the nominal separation prescribed by classification society guidelines.

The navigation bridge network interconnects ECDIS (primary and backup, typically dual-redundant Windows Embedded or Linux systems), radar/ARPA, AIS transponder, gyrocompass, speed log, echo sounder, weather facsimile receiver, Navtex, and the integrated navigation system (INS) that correlates inputs from these sensors. Communication between bridge systems uses the NMEA 0183 (serial, unencrypted, unauthenticated) and NMEA 2000 (CAN bus-based) protocols. The bridge network connects to the VSAT backbone for GMDSS communications, weather routing data, and electronic chart updates.
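The NMEA 0183 point above (serial, unencrypted, unauthenticated) is easy to misread as "no integrity check at all". There is a checksum, but it only catches line noise. The following parser, an added example written for this report rather than code from any bridge equipment vendor, validates the checksum, decodes a position from an RMC sentence, and shows why the checksum is not an authentication control: a sentence rebuilt with a fresh checksum passes exactly like a genuine one. The sample sentence, talker names and field layout are constructed for the example.

```python
"""NMEA 0183 sentence parser with checksum check (added example, not from the report).

The trailing checksum is the XOR of every byte between '$' and '*'. It catches
serial-line corruption, but any device on the bus can compute it, so it gives
no authentication: an injected sentence with a recomputed checksum is
indistinguishable from a genuine one. The sample sentence is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a valid GPRMC fix (48 deg 07.038' N, 11 deg 31.000' E).
SAMPLE_RMC = "$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A"


@dataclass
class NmeaSentence:
    talker: str        # two-letter talker id, e.g. "GP" (GNSS receiver), "AI" (AIS unit)
    formatter: str     # sentence formatter, e.g. "RMC", "GGA"
    fields: List[str]  # comma-separated data fields after the address
    checksum_ok: bool  # True when the transmitted checksum matches the payload


def nmea_checksum(payload: str) -> int:
    """XOR of all characters between '$' and '*' (both excluded)."""
    cs = 0
    for ch in payload:
        cs ^= ord(ch)
    return cs


def make_sentence(payload: str) -> str:
    """Wrap a payload as a full sentence; any sender can produce a valid checksum."""
    return f"${payload}*{nmea_checksum(payload):02X}"


def parse_nmea(line: str) -> Optional[NmeaSentence]:
    """Parse one sentence; return None for anything structurally malformed."""
    line = line.strip()
    if not line.startswith("$") or "*" not in line:
        return None
    body, _, cs_hex = line[1:].partition("*")
    try:
        transmitted = int(cs_hex[:2], 16)
    except ValueError:
        return None
    parts = body.split(",")
    address = parts[0]
    if len(address) < 5:
        return None
    return NmeaSentence(
        talker=address[:2],
        formatter=address[2:],
        fields=parts[1:],
        checksum_ok=nmea_checksum(body) == transmitted,
    )


def rmc_position(s: NmeaSentence) -> Optional[Tuple[float, float]]:
    """Decimal-degree (lat, lon) from an RMC sentence whose status field is 'A' (valid fix).

    RMC fields after the address: UTC time, status, lat (ddmm.mmm), N/S,
    lon (dddmm.mmm), E/W, speed over ground, course, date, ...
    """
    if s.formatter != "RMC" or len(s.fields) < 6 or s.fields[1] != "A":
        return None
    lat_raw, ns, lon_raw, ew = s.fields[2], s.fields[3], s.fields[4], s.fields[5]
    lat = int(lat_raw[:2]) + float(lat_raw[2:]) / 60.0
    lon = int(lon_raw[:3]) + float(lon_raw[3:]) / 60.0
    if ns == "S":
        lat = -lat
    if ew == "W":
        lon = -lon
    return (round(lat, 5), round(lon, 5))


if __name__ == "__main__":
    genuine = parse_nmea(SAMPLE_RMC)
    print("genuine sentence, checksum ok:", genuine.checksum_ok, rmc_position(genuine))
    # A corrupted byte is caught by the checksum ...
    corrupted = parse_nmea(SAMPLE_RMC.replace("4807.038", "4807.039"))
    print("corrupted sentence, checksum ok:", corrupted.checksum_ok)
    # ... but the same altered payload wrapped with a recomputed checksum passes.
    rebuilt = parse_nmea(make_sentence(
        "GPRMC,123519,A,4807.039,N,01131.000,E,022.4,084.4,230394,003.1,W"))
    print("rebuilt sentence, checksum ok:", rebuilt.checksum_ok)
```

The practical consequence for a vessel assessment: a checksum-passing NMEA stream says nothing about which device produced it, so plausibility checks on the decoded values (see the GNSS cross-check later in this section) are the only detection layer available on a legacy bridge bus.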

The engine room control network includes PLCs managing main engine fuel injection, auxiliary generator control, boiler automation, ballast water treatment, and emissions monitoring systems (scrubber controls, selective catalytic reduction). Protocols include Modbus RTU (serial) and Modbus TCP for PLC communication, PROFINET for newer Siemens-based automation systems, and proprietary protocols from engine manufacturers (MAN Energy Solutions, Wärtsilä). Engine performance data is increasingly transmitted to shore-side performance optimization platforms via the VSAT link, creating a data path from engine room OT through the ship’s network infrastructure to cloud-based analytics services.
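Modbus TCP carries no authentication, so the practical control for an engine room network is knowing which hosts are permitted to write to a PLC and alerting on any other source. The monitor below is an added example for this report, not vendor code: it parses the Modbus/TCP MBAP header and PDU, and flags write function codes from hosts outside an allowlist. The IP addresses, unit ids, register addresses and frames are constructed.

```python
"""Modbus TCP request parser and write-function monitor (added example, not from the report).

Modbus has no authentication: any host that can reach TCP/502 on a PLC can
issue write commands. A passive monitor on a SPAN port can at least flag
writes that do not come from an engineering workstation or HMI that is
allowed to issue them. All frames and addresses below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple

# Function codes that change PLC state (coils, holding registers).
WRITE_FUNCTIONS: Dict[int, str] = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start_address: Optional[int]   # first coil/register touched, when the PDU carries one
    quantity: Optional[int]        # number of items touched, when the PDU carries one


def parse_modbus_tcp(frame: bytes) -> Optional[ModbusRequest]:
    """Parse the 7-byte MBAP header plus the PDU; return None for malformed frames.

    MBAP: transaction id (2), protocol id (2, always 0), length (2, number of
    bytes that follow, unit id included), unit id (1). PDU: function code (1) + data.
    """
    if len(frame) < 8:
        return None
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    function = frame[7]
    data = frame[8:]
    start = qty = None
    if function in (1, 2, 3, 4, 15, 16, 23) and len(data) >= 4:
        start, qty = struct.unpack(">HH", data[:4])
    elif function in (5, 6, 22) and len(data) >= 2:
        start, qty = struct.unpack(">H", data[:2])[0], 1
    return ModbusRequest(tid, uid, function, start, qty)


# (source IP, destination IP, raw TCP payload) as a SPAN-port collector would see it.
Observed = Tuple[str, str, bytes]


def flag_unauthorized_writes(records: Sequence[Observed], allowed_writers: Set[str]) -> List[str]:
    """Return one alert line per write request from a host outside the allowlist."""
    alerts = []
    for src, dst, payload in records:
        req = parse_modbus_tcp(payload)
        if req is None:
            alerts.append(f"{src} -> {dst}: malformed Modbus/TCP frame")
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(
                f"{src} -> {dst} unit {req.unit_id}: {WRITE_FUNCTIONS[req.function]} "
                f"(fc {req.function}) at address {req.start_address} x{req.quantity}"
            )
    return alerts


# Constructed traffic: the HMI reads ten registers, the HMI writes one register,
# then a host on the crew network writes two holding registers on the engine PLC.
SAMPLE_RECORDS: List[Observed] = [
    ("10.20.1.5", "10.20.2.10", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    ("10.20.1.5", "10.20.2.10", bytes.fromhex("0002 0000 0006 01 06 0010 0001")),
    ("192.168.50.23", "10.20.2.10", bytes.fromhex("0003 0000 000B 01 10 0020 0002 04 00000000")),
]
ALLOWED_WRITERS = {"10.20.1.5"}   # the engineering HMI is the only permitted writer


if __name__ == "__main__":
    for line in flag_unauthorized_writes(SAMPLE_RECORDS, ALLOWED_WRITERS):
        print("ALERT:", line)
```

The allowlist is the key input: it should be derived from the vessel's asset inventory and network architecture documentation rather than learned from traffic, because learning from traffic on an already flat network would bless the crew-to-PLC path this report warns about.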

The cargo monitoring network handles container tracking, reefer container temperature/atmosphere monitoring (critical for perishable cargo), tank level monitoring on tankers, and loading computer stability calculations. On modern container vessels carrying 4,000–24,000 TEU, reefer monitoring alone generates continuous data from hundreds to thousands of refrigerated container power points.

The VSAT and communications backbone provides the ship-to-shore data link via Ku/Ka-band satellite (typically 10–100 Mbps downstream) and increasingly Starlink LEO constellation service (100–220 Mbps with 20–40ms latency). The VSAT terminal connects to an onboard router/firewall that should segment traffic between operational, administrative, and crew networks. The firewall/router is the critical demarcation point—and the most frequently misconfigured component in Dark Angel’s vessel assessment experience.

The crew welfare network provides internet access for seafarers’ personal devices. On well-configured vessels, this network is fully isolated from operational networks on separate VLANs and physical switches with independent VSAT bandwidth allocation. On poorly configured vessels—which Dark Angel’s assessments indicate represent a majority of the global fleet—crew WiFi shares switches, routers, or firewall interfaces with operational networks, creating lateral movement paths from compromised personal devices to bridge and engine room systems.

ECDIS Vulnerabilities

ECDIS systems run on commodity computing platforms with software from manufacturers including JRC, Furuno, Kongsberg, Wärtsilä (SAM Electronics), and Raytheon Anschütz. Research by Pen Test Partners (2018–2023) demonstrated multiple critical vulnerability classes: unauthenticated network services accessible from the ship’s LAN, default credentials on configuration interfaces, unvalidated chart data updates that permit injection of falsified navigational information, and operating systems running without security patches (some ECDIS units have been documented running Windows XP Embedded years after end-of-support). A 2023 research disclosure demonstrated the ability to craft malicious S-63 encrypted chart cell files that, when loaded via USB, could execute arbitrary code on the ECDIS platform. The chart update process itself is a critical vector: charts are updated weekly via USB media supplied by chart agents in port, a physical supply chain with minimal integrity verification.
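The chart-update supply chain described above can be given an integrity gate that does not depend on the chart agent or the USB media being trustworthy. The example below is added for this report; it is not the S-63 scheme and not any ECDIS vendor's code. It assumes the fleet operator publishes a manifest of chart file hashes, authenticated with a key the ECDIS holds and the chart agent does not (an HMAC here for a dependency-free example; a public-key signature would avoid sharing the secret with the vessel). File names, contents and the key are constructed.

```python
"""Integrity check for a chart-update media set before it is loaded into ECDIS
(added example, not from the report and not the S-63 scheme).

Assumption: the fleet operator issues a manifest listing each chart file and its
SHA-256, and authenticates the manifest with an HMAC key that the ECDIS holds and
the chart agent does not. File names, contents and the key are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes], key: bytes) -> Tuple[bytes, str]:
    """Shore side: canonical JSON manifest plus its HMAC-SHA256 tag (hex)."""
    manifest = {"files": {name: sha256_hex(data) for name, data in sorted(files.items())}}
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_update_media(media: Dict[str, bytes], manifest_body: bytes, tag: str, key: bytes) -> List[str]:
    """Ship side: return a list of problems; an empty list means the media may be loaded.

    The manifest is authenticated first; if that fails nothing else on the media
    is trusted, including the file list itself.
    """
    expected = hmac.new(key, manifest_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return ["manifest authentication failed; do not load"]
    listed = json.loads(manifest_body)["files"]
    problems = []
    for name, digest in listed.items():
        if name not in media:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_hex(media[name]), digest):
            problems.append(f"hash mismatch: {name}")
    for name in media:
        if name not in listed:
            problems.append(f"unlisted file: {name}")   # anything extra on the USB is rejected
    return sorted(problems)


# Constructed shore-side material: operator key and a two-file update set.
SHORE_KEY = b"constructed-demo-key-do-not-reuse"
GOOD_MEDIA = {
    "GB5X01SW.000": b"constructed base cell data",
    "GB5X01SW.001": b"constructed update record",
}
MANIFEST, TAG = build_manifest(GOOD_MEDIA, SHORE_KEY)


if __name__ == "__main__":
    print("genuine media:", verify_update_media(GOOD_MEDIA, MANIFEST, TAG, SHORE_KEY))
    tampered = dict(GOOD_MEDIA, **{"GB5X01SW.001": b"altered in transit"})
    print("tampered cell:", verify_update_media(tampered, MANIFEST, TAG, SHORE_KEY))
    extra = dict(GOOD_MEDIA, **{"UPDATE.EXE": b"unexpected executable"})
    print("extra file:", verify_update_media(extra, MANIFEST, TAG, SHORE_KEY))
```

Rejecting unlisted files is deliberate: an update gate that only checks the files it expects leaves room for whatever else arrived on the same USB stick.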

AIS Security

The Automatic Identification System was designed as a collision avoidance and vessel traffic monitoring tool, broadcasting on VHF marine frequencies (161.975 MHz and 162.025 MHz) with no authentication, encryption, or integrity verification. This fundamental design weakness is not a flaw that can be patched—it is intrinsic to the ITU-R M.1371 standard that defines AIS. Demonstrated attack techniques include: phantom vessel injection (broadcasting fabricated MMSI numbers, positions, and vessel characteristics to create non-existent targets on other vessels’ displays); position spoofing (overriding a real vessel’s reported position to make it appear at a false location); CPA alarm triggering (injecting false targets on collision courses to force course alterations); and AIS silence (selectively suppressing AIS transmissions). Real-world exploitation has been documented at scale: since 2021, thousands of instances of AIS manipulation in the Black Sea have displaced vessels’ reported positions to airports and military facilities—activity attributed to Russian electronic warfare. AIS data feeds into vessel traffic services (VTS), port scheduling, sanctions compliance monitoring, and maritime domain awareness; its manipulation has consequences far beyond navigation safety.

GPS/GNSS Spoofing and Jamming

GPS/GNSS represents the foundation of maritime positioning, with virtually all vessel navigation systems dependent on satellite-derived position and timing. Spoofing—the transmission of counterfeit satellite signals causing receivers to compute false positions—is more dangerous than jamming (signal denial) because spoofing can go undetected while progressively dragging a vessel off course.

The cascade effect through integrated bridge systems is the critical risk: a spoofed GPS position propagates simultaneously to ECDIS (displaying the vessel at a false chart position), AIS (broadcasting the false position to other vessels and shore stations), radar overlay (misaligning radar targets with chart features), and the autopilot if engaged in track-control mode. The vessel’s officer of the watch may not detect the discrepancy unless trained to cross-check GPS against independent position sources (radar bearings, visual fixes, celestial navigation)—skills that have atrophied across the commercial fleet as reliance on GPS has become near-total.

Documented maritime GPS spoofing regions include the Black Sea (2017–present, vessels in Novorossiysk displaced 25 nm to Gelendzhik airport), the Eastern Mediterranean (near Syrian military facilities, 90,000+ interference events documented in 2023–2024), the Persian Gulf (attributed to Iranian electronic warfare, correlated with the 2019 Stena Impero seizure), and the Baltic Sea (late 2023–present, associated with Russian operations near Kaliningrad). Mitigation strategies include multi-constellation GNSS receivers (GPS + GLONASS + Galileo + BeiDou make single-constellation spoofing detectable), Receiver Autonomous Integrity Monitoring (RAIM), and enhanced Loran (eLoran) as a terrestrial positioning backup—though eLoran infrastructure deployment remains limited.
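Both the AIS manipulation described in the AIS Security subsection and the GNSS spoofing cascade described here leave the same kind of trace: a reported position that is kinematically impossible given the last known position. The example below is added for this report and is not taken from any bridge system; it flags AIS tracks whose consecutive reports imply an impossible speed, and cross-checks an own-ship GNSS fix against a dead-reckoned position from gyro heading and speed log, the independent-source check the text says watchkeepers should perform. The MMSIs, positions, times, headings and thresholds are constructed; the dead-reckoning uses a small-distance flat-earth approximation.

```python
"""Plausibility checks for received AIS tracks and for own-ship GNSS fixes
(added example, not from the report). Both checks share one great-circle
helper. All MMSIs, positions, times and thresholds are constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


def haversine_nm(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in nautical miles between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


@dataclass
class AisReport:
    mmsi: int
    t: float      # seconds since an arbitrary epoch
    lat: float
    lon: float


def implausible_ais_jumps(reports: List[AisReport], max_speed_kn: float = 60.0) -> List[Tuple[int, float]]:
    """Return (mmsi, implied_speed_kn) for consecutive reports implying an impossible speed.

    A phantom or displaced position typically shows up as a jump that no merchant
    vessel could make in the elapsed time. Reports are grouped per MMSI and time-sorted.
    """
    by_mmsi: Dict[int, List[AisReport]] = {}
    for r in reports:
        by_mmsi.setdefault(r.mmsi, []).append(r)
    flagged = []
    for mmsi, track in by_mmsi.items():
        track.sort(key=lambda r: r.t)
        for prev, cur in zip(track, track[1:]):
            dt_h = (cur.t - prev.t) / 3600.0
            if dt_h <= 0:
                continue   # duplicate timestamps carry no speed information
            speed = haversine_nm(prev.lat, prev.lon, cur.lat, cur.lon) / dt_h
            if speed > max_speed_kn:
                flagged.append((mmsi, round(speed, 1)))
    return flagged


def dead_reckon(lat: float, lon: float, heading_deg: float, speed_kn: float, hours: float) -> Tuple[float, float]:
    """Dead-reckoned position from gyro heading and speed log (small-distance flat-earth approximation)."""
    dist_nm = speed_kn * hours
    dlat = dist_nm * math.cos(math.radians(heading_deg)) / 60.0
    dlon = dist_nm * math.sin(math.radians(heading_deg)) / (60.0 * math.cos(math.radians(lat)))
    return (lat + dlat, lon + dlon)


def gnss_fix_discrepancy_nm(last_fix, heading_deg, speed_kn, hours, new_fix) -> float:
    """Distance between where DR says the ship should be and where GNSS now says it is."""
    dr_lat, dr_lon = dead_reckon(last_fix[0], last_fix[1], heading_deg, speed_kn, hours)
    return haversine_nm(dr_lat, dr_lon, new_fix[0], new_fix[1])


def gnss_fix_suspect(last_fix, heading_deg, speed_kn, hours, new_fix, tolerance_nm: float = 1.0) -> bool:
    """True when the new GNSS fix departs from dead reckoning by more than the tolerance."""
    return gnss_fix_discrepancy_nm(last_fix, heading_deg, speed_kn, hours, new_fix) > tolerance_nm


# Constructed AIS traffic: one track that steams north at 12 kn and then jumps
# roughly 16 nm in 60 s, and one track at a steady 20 kn.
SAMPLE_AIS = [
    AisReport(211000001, 0, 44.7000, 37.7000),
    AisReport(211000001, 600, 44.7333, 37.7000),
    AisReport(211000001, 660, 44.5800, 38.0100),
    AisReport(244000002, 0, 55.0000, 13.0000),
    AisReport(244000002, 1800, 55.1667, 13.0000),
]


if __name__ == "__main__":
    print("implausible AIS jumps:", implausible_ais_jumps(SAMPLE_AIS))
    # Own ship: last good fix, heading 000, 12 kn, 30 minutes later.
    last = (50.0, -1.0)
    print("consistent fix suspect:", gnss_fix_suspect(last, 0.0, 12.0, 0.5, (50.1, -1.0)))
    print("displaced fix suspect: ", gnss_fix_suspect(last, 0.0, 12.0, 0.5, (50.1, -0.9)))
```

The thresholds matter: a 60 kn AIS limit and a 1 nm DR tolerance will catch the gross displacements documented in the Black Sea, but a slow drag of a few hundred metres per hour will only show up if the tolerance is set against the known accuracy of the speed log and gyro over the cross-check interval.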

5.2 Port OT Architecture

Terminal Operating Systems represent the central control plane for container port operations. The TOS market is concentrated among a small number of vendors: Navis N4 (Cargotec, estimated 40%+ of global market share for large container terminals), TBA Group OSCAR, Jade Logistics Master Terminal, Tideworks Mainsail (SSA Marine), and Containerchain. This concentration creates systemic risk: a supply chain compromise targeting a single vendor’s software update or cloud infrastructure could simultaneously disable container operations at dozens of terminals globally. TOS platforms increasingly operate in cloud-hosted or hybrid architectures, introducing dependencies on cloud service provider security and internet connectivity availability.

Automated terminal attack scenarios carry safety-of-life implications that distinguish maritime OT compromise from IT-centric incidents. STS crane manipulation: unauthorized movement commands to ship-to-shore gantry cranes lifting 40–65 tonne containers over vessels and quayside areas where stevedores and lashing crews work. AGV rerouting: misdirection of automated guided vehicles (30–70 tonne laden weight) operating in mixed traffic zones with human workers. ASC container drops: disruption of automated stacking crane operations causing containers to be stacked beyond structural limits or dropped from height. Quay crane anti-collision system defeat: automated cranes rely on anti-collision interlocks to prevent boom strikes against vessel superstructure; defeat of these interlocks during high-wind operations could cause crane collapse. These scenarios convert cyber compromise into potential mass casualty events—a consequence profile that demands OT-specific security controls, not simply IT security best practices applied to industrial systems.

Port community systems (PCS) such as Portbase (Netherlands), DAKOSY (Hamburg), and INTTRA/CargoSmart serve as single-window platforms for data exchange between shipping lines, freight forwarders, customs brokers, terminal operators, and government agencies. PCS compromise can halt cargo documentation processing for an entire port cluster, even if physical terminal equipment remains operational.

5.3 VSAT and Maritime Communications

Research by James Pavur (University of Oxford, 2020) demonstrated the ability to intercept unencrypted Ku-band VSAT traffic from commercial vessels using equipment costing approximately $300. Intercepted data included crew communications, operational emails, unencrypted credentials for corporate systems, vessel position reports, and cargo manifests. While the adoption of Ka-band (Fleet Xpress) and LEO constellation services (Starlink Maritime) has improved both bandwidth and baseline encryption, significant vulnerabilities remain. VSAT terminal management interfaces frequently retain default credentials. Firmware update mechanisms lack code-signing verification on older equipment. Ship-to-shore VPN configurations commonly use pre-shared keys (PSK) rather than certificate-based authentication, and PSKs are rarely rotated. Starlink Maritime, while offering dramatically improved bandwidth (100–220 Mbps) and latency (20–40ms) compared to legacy GEO VSAT, introduces persistent high-bandwidth connectivity that enables more sophisticated C2 channels, larger data exfiltration, and real-time interactive attacker sessions aboard vessels—an expanded attack surface that the industry has embraced for operational efficiency without proportional investment in security monitoring.

Ransomware Economics: Why Maritime Pays

The Disruption Cost Model

Maritime ransomware economics are driven by a cost asymmetry that rational extortionists exploit: the cost of disruption vastly exceeds typical ransom demands, creating a payment calculus that favors the attacker.

Direct costs compound hourly. Vessel demurrage charges range from $25,000–$35,000/day for a Panamax container vessel to $80,000–$100,000/day for an Ultra-Large Container Vessel (ULCV, 20,000+ TEU). A major container terminal generating $200–400M in annual revenue incurs $500,000–$1.5 million/day in direct costs during a full operational shutdown (crane idle time, labor for manual gate processing, IT recovery team costs). Truck detention charges (assessed by trucking companies against terminals unable to process containers) accumulate at $150–$300 per truck per day, multiplied across hundreds or thousands of affected truck movements. Reefer container cargo losses—perishable goods spoiling in unpowered refrigerated containers—can reach $10,000–$50,000 per container for high-value pharmaceutical, fresh produce, or seafood shipments.

Indirect costs apply the 5–15x cascading multiplier documented in supply chain disruption research. A five-day port terminal shutdown triggers: manufacturer production line stoppages due to delayed components (just-in-time supply chains have minimal buffer inventory); retailer stockouts, particularly acute for fast-moving consumer goods and seasonal merchandise; agricultural export losses from missed vessel loading windows for time-sensitive commodities (fresh fruit, cut flowers, chilled meat); post-incident congestion surcharges as the port works through a backlog that typically takes 2–4 weeks to clear after a major disruption; and loss of cargo to competing ports as shippers divert to avoid delays, with diverted cargo sometimes permanently redirecting to alternative routing. The Maersk/NotPetya disruption at 76 terminals for approximately two weeks produced direct costs of $250–$300M for Maersk alone, but total supply chain cascading costs have been independently assessed at $10B+ globally. The DP World Australia incident stranded 30,000 containers and required three weeks for full recovery; total economic impact including affected shipper losses was assessed by the Australian government at several hundred million dollars.

Opportunity costs—lost charter bookings, customer attrition to competitors, delayed vessel delivery from shipyards, and regulatory investigation diversion of management attention—are rarely quantified but substantial. A shipping company that suffers a publicized ransomware incident and cannot process bookings for two weeks will lose customers to competitors who fill the capacity gap, and some will not return.

Insurance Dynamics and Payment Incentives

The marine cyber insurance market, while still maturing, introduces structural dynamics that influence ransomware payment decisions. Marine insurance operates through a unique ecosystem: Protection & Indemnity (P&I) clubs (12 clubs in the International Group following the 2023 NorthStandard merger, collectively insuring 90%+ of global tonnage) cover third-party liabilities; hull & machinery (H&M) policies cover physical damage to the vessel; and standalone cyber risk policies are offered by a growing number of underwriters at Lloyd’s and the broader London market. The critical regulatory development is the Lloyd’s Market Association war exclusion clauses: LMA5567B (cyber war exclusion) and LMA5568B (limited cyber attack coverage during war), effective from March 2023, exclude coverage for cyber operations attributed to nation-states during periods of armed conflict. These exclusions create ambiguity: an attack by a ransomware affiliate operating from Russia during the Ukraine conflict may or may not trigger the war exclusion, depending on the degree of state attribution—a determination that is contested between insurers and policyholders and will likely require judicial resolution. This ambiguity may paradoxically increase ransom payment propensity, as organizations uncertain of insurance coverage may prefer to pay a $5M ransom rather than absorb a $50M uninsured disruption loss.

Compared with other sectors, maritime’s disruption economics create higher payment propensity than healthcare (which faces patient safety constraints against payment but lower per-day financial pressure), manufacturing (which can sometimes partially operate during IT outages), or financial services (which maintains higher security baselines and more robust backup/recovery capabilities). Maritime’s combination of extreme time-sensitivity, limited IT staffing, complex multi-jurisdictional operations, and the physical inaccessibility of affected assets (vessels at sea) makes it uniquely vulnerable to ransom payment pressure.

Regulatory Landscape: Navigating Overlapping Mandates

IMO MSC.428(98) and ISM Code Integration

IMO Maritime Safety Committee Resolution MSC.428(98), adopted June 2017, requires flag state administrations to ensure that cyber risks are appropriately addressed in Safety Management Systems (SMS) no later than the first annual verification of the company’s Document of Compliance (DOC) after 1 January 2021. The resolution is operationalized through the International Safety Management (ISM) Code, which requires companies to maintain an SMS that identifies and mitigates risks to ship safety, personnel, and the environment. Supporting guidance is provided in MSC-FAL.1/Circ.3/Rev.1 (Guidelines on Maritime Cyber Risk Management), which recommends alignment with the NIST Cybersecurity Framework’s five functions: Identify, Protect, Detect, Respond, Recover.

The critical weakness is the principles-based approach: MSC.428(98) requires that cyber risks be “appropriately addressed” without specifying what constitutes appropriate controls. The result is an enormous quality gap in implementation across the global fleet. Dark Angel’s review of SMS documentation from 35 shipping companies identified a spectrum ranging from sophisticated programs with OT-specific risk assessments, vessel network architecture documentation, and regular penetration testing, to minimally compliant programs consisting of a single-page cyber risk management policy copied from industry template documents with no evidence of practical implementation. Flag state and port state control auditors vary widely in their cyber competency, and cyber-related ISM Code deficiencies are rarely issued during inspections. IMO MASS regulatory scoping (MSC.108, 2023) is developing a regulatory framework for autonomous vessel operations that will necessarily include cybersecurity provisions, but detailed requirements remain under development and are not expected before 2028.

EU NIS2 Directive

The Network and Information Security Directive 2 (Directive (EU) 2022/2555), with a transposition deadline of 17 October 2024, classifies maritime transport as a sector containing essential entities. Entities in scope include shipping companies, port managing bodies, vessel traffic services, and inland waterway operators that meet the directive’s size thresholds (generally ≥50 employees or ≥€10M turnover). NIS2 imposes significantly more stringent requirements than its predecessor:

  • Risk management measures (Article 21): mandated technical and organizational measures including incident handling, business continuity, supply chain security, network security, vulnerability handling, encryption, access control, and multi-factor authentication.
  • Incident reporting (Article 23): initial notification to the competent authority and CSIRT within 24 hours of becoming aware of a significant incident; intermediate report within 72 hours; final report within one month.
  • Management body accountability (Article 20): management bodies of essential entities must approve cybersecurity measures and can be held personally liable for failures to comply. This provision is transformative for the maritime sector, where cybersecurity has historically been delegated to IT departments without board-level engagement. Under NIS2, the CEO and board members of a shipping company can face personal sanctions for cybersecurity governance failures.
  • Supervision and enforcement: competent authorities may impose administrative fines of up to €10 million or 2% of global annual turnover for essential entities.

For maritime organizations operating across multiple EU member states—the norm for any significant European shipping company or pan-European port operator—NIS2 compliance requires navigating divergent national transpositions, identifying competent authorities in each jurisdiction, and establishing reporting procedures that satisfy multiple regulatory regimes simultaneously. The transposition process has introduced national variations: some member states have adopted stricter security requirements or broader entity scope than the directive minimum, while others have delayed transposition beyond the October 2024 deadline.

IACS UR E26 and E27

The International Association of Classification Societies adopted Unified Requirements E26 (Cyber Resilience of Ships) and E27 (Cyber Resilience of On-Board Systems and Equipment), effective for ships contracted for construction on or after 1 July 2024. These represent the first binding, technically prescriptive cybersecurity standards for new vessel construction.

UR E26 requires the ship integrator (typically the shipyard) to: establish a complete asset inventory of all computer-based systems (CBS); develop a network architecture document with zone and conduit models aligned with IEC 62443 industrial security principles; classify CBS by security level based on consequence of compromise; implement security controls including network segmentation, access control, malware protection, and secure configuration; and conduct cybersecurity verification during commissioning and sea trials. UR E27 imposes requirements on equipment suppliers: individual CBS delivered for installation aboard new vessels must demonstrate defined cybersecurity capabilities including hardened configuration, role-based access control, audit logging, malware defense, and secure update mechanisms.
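The zone-and-conduit model that E26 asks the integrator to document is also the artifact that makes the segmentation problems described in section 5.1 (the VSAT firewall as misconfigured demarcation point, crew WiFi sharing switches with operational networks) testable rather than a matter of opinion. The checker below is an added example for this report, not IACS or IEC 62443 text and not any project's code. It assumes an asset inventory that assigns each host to one zone, a conduit table listing the ports each permitted cross-zone path carries, and observed flows exported from a firewall or flow collector; every cross-zone flow without a matching conduit is a finding. All assets, zones, conduits and flows are constructed.

```python
"""Zone-and-conduit check over observed network flows (added example, not from
the report and not IACS or IEC 62443 text). Assumptions: each asset belongs to
one zone, every permitted cross-zone path is declared as a conduit with the
ports it carries, and flows arrive as (src, dst, dst_port) records from a
firewall or flow collector. Assets, zones, conduits and flows are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Tuple

# Asset inventory (CBS list): IP -> (description, zone).
ASSETS: Dict[str, Tuple[str, str]] = {
    "10.1.0.10": ("ECDIS primary", "bridge"),
    "10.1.0.11": ("ECDIS backup", "bridge"),
    "10.2.0.20": ("main engine PLC", "engine"),
    "10.2.0.30": ("engine performance logger", "engine"),
    "10.3.0.40": ("reefer monitoring server", "cargo"),
    "10.4.0.5": ("ship office workstation", "admin"),
    "10.5.0.77": ("crew laptop (crew WiFi)", "crew"),
}

# Conduits: (source zone, destination zone) -> destination ports permitted through it.
# No conduit exists to or from the crew zone by design.
CONDUITS: Dict[Tuple[str, str], FrozenSet[int]] = {
    ("admin", "bridge"): frozenset({443}),    # chart-update staging over HTTPS
    ("engine", "admin"): frozenset({8443}),   # performance data out to the office, then shore
    ("cargo", "admin"): frozenset({443}),     # reefer status to the office
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def check_flows(flows: Sequence[Flow],
                assets: Dict[str, Tuple[str, str]] = ASSETS,
                conduits: Dict[Tuple[str, str], FrozenSet[int]] = CONDUITS) -> List[str]:
    """Return one finding per flow that crosses zones without a permitting conduit.

    Hosts absent from the inventory are findings in their own right: E26's first
    requirement is a complete asset inventory, and an unknown talker on an OT
    segment is exactly what that inventory is meant to expose.
    """
    findings = []
    for f in flows:
        if f.src not in assets or f.dst not in assets:
            findings.append(f"{f.src} -> {f.dst}:{f.dport}: unknown asset (not in inventory)")
            continue
        src_desc, src_zone = assets[f.src]
        dst_desc, dst_zone = assets[f.dst]
        if src_zone == dst_zone:
            continue   # intra-zone traffic is governed by the zone's own controls
        permitted = conduits.get((src_zone, dst_zone), frozenset())
        if f.dport not in permitted:
            findings.append(
                f"{f.src} ({src_desc}, {src_zone}) -> {f.dst} ({dst_desc}, {dst_zone}):{f.dport}: "
                f"no conduit permits this flow"
            )
    return findings


# Constructed flow export from the vessel firewall.
SAMPLE_FLOWS = [
    Flow("10.4.0.5", "10.1.0.10", 443),     # office -> ECDIS over the declared conduit
    Flow("10.2.0.30", "10.4.0.5", 8443),    # performance logger -> office over the declared conduit
    Flow("10.5.0.77", "10.1.0.10", 445),    # crew laptop -> ECDIS SMB: no conduit
    Flow("10.5.0.77", "10.2.0.20", 502),    # crew laptop -> engine PLC Modbus: no conduit
    Flow("10.4.0.5", "10.2.0.20", 502),     # office -> engine PLC Modbus: conduit only runs engine -> admin
    Flow("10.1.0.10", "10.1.0.11", 5000),   # ECDIS primary -> backup sync: same zone
    Flow("10.9.9.9", "10.2.0.20", 502),     # host not in the inventory
]


if __name__ == "__main__":
    for finding in check_flows(SAMPLE_FLOWS):
        print("FINDING:", finding)
```

Run against a real flow export, the output is a direct measure of how far the as-built network departs from the zone model in the architecture document, which is the gap E26 commissioning verification is meant to close and the gap retrofit programs for existing tonnage need to measure first.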

The critical limitation is the new-build-only application. With the global merchant fleet averaging approximately 22 years of age and vessel economic life spanning 25–30 years, the existing fleet of 100,000+ vessels will not benefit from E26/E27 requirements for decades. The result is a prolonged period of heterogeneous security maturity: a 2025-contracted vessel will be built with IEC 62443-aligned cybersecurity architecture, while a 2010-built vessel operating alongside it in the same fleet will have no mandated cybersecurity baseline. This disparity demands that ship operators develop retrofit cybersecurity programs for existing tonnage that achieve functional equivalence with the E26/E27 standard.

USCG Maritime Cybersecurity NPRM

The U.S. Coast Guard published a Notice of Proposed Rulemaking (NPRM) in February 2024 proposing cybersecurity requirements for MTSA-regulated facilities (ports, terminals, OCS facilities). The proposed rule would require: designation of a Cybersecurity Officer (CySO); development of a Cybersecurity Plan integrated with the existing Facility Security Plan; network segmentation between IT, OT, and public-facing systems; incident reporting to the National Response Center within 24 hours; penetration testing of IT and OT systems; and supply chain risk management for equipment and software from foreign adversarial sources (directly responding to the ZPMC port crane findings). The rule, if finalized as proposed, would represent the most prescriptive federal cybersecurity mandate for the U.S. maritime sector and create a compliance framework that could influence international standards development.

Additional Frameworks

  • EU DORA (Digital Operational Resilience Act, effective January 2025): Maritime logistics firms that serve as critical ICT third-party service providers to financial institutions (banks, insurers, payment processors dependent on maritime trade finance data) fall within DORA’s scope through the supply chain oversight framework.
  • Singapore MPA Cybersecurity Code: The Maritime and Port Authority of Singapore issued a Maritime Cybersecurity Code providing prescriptive cybersecurity requirements for Singapore-flagged ships and port facilities, serving as a model for national maritime cyber regulation.
  • NIST CSF 2.0 (February 2024): The updated framework adds a sixth function (Govern) and expanded supply chain risk management guidance. NIST CSF 2.0 serves as the reference framework recommended in IMO MSC-FAL.1/Circ.3 guidance and is increasingly adopted by maritime organizations as their primary cybersecurity program framework.

Regulatory Compliance Cross-Reference

The full regulatory compliance matrix mapping control domains across IMO MSC.428(98), EU NIS2, IACS UR E26/E27, USCG NPRM, NIST CSF 2.0, and IEC 62443 is provided in Appendix B. Maritime organizations operating across multiple jurisdictions should use this matrix to identify overlapping requirements and develop a unified compliance management approach that satisfies all applicable frameworks without duplicative effort.

Emerging Threats: 2026–2028 Horizon

AI-Enhanced Maritime Attacks

Large Language Models and generative AI are reducing the cost and increasing the effectiveness of social engineering campaigns against maritime targets. Merchant vessel crews are multilingual (the top five seafarer-supplying nations—Philippines, China, Indonesia, Russia, and India—represent diverse language groups), and traditional phishing campaigns in English have limited effectiveness against non-English-speaking crew. LLM-generated phishing in Tagalog, Mandarin, Bahasa, Russian, and Hindi—calibrated to maritime-specific scenarios (port agent communications, ITF inspector notices, manning agency correspondence)—represents a step change in social engineering effectiveness at scale. Beyond phishing, Dark Angel assesses that adversaries will deploy AI to accelerate vulnerability discovery in maritime OT protocols, many of which (NMEA 0183, IEC 61162, Modbus RTU) have minimal or no security mechanisms and have received limited security research attention. Deepfake voice capabilities introduce the possibility of impersonating harbor pilots during VTS radio communications or shore-based fleet managers during emergency coordination calls—scenarios where audio authentication is non-existent and operational urgency suppresses verification.

Autonomous Vessel Attack Surface

The Maritime Autonomous Surface Ship (MASS) regulatory framework under development at IMO will govern vessels with varying degrees of autonomy, from remote-controlled ships with crew aboard to fully autonomous vessels with no crew. Each level introduces new attack surfaces: remote command injection targeting shore control center (SCC) to vessel communication links; sensor spoofing of LiDAR, camera, and radar systems used for autonomous collision avoidance (proof-of-concept attacks against automotive LiDAR are directly transferable to maritime applications); machine learning model manipulation through adversarial inputs to AI-driven navigation decision systems; and SCC compromise as a single-point-of-failure for multiple vessels under remote control. A compromised shore control center could simultaneously affect every vessel it monitors—a concentration-of-control risk that has no precedent in conventional crewed vessel operations.

Quantum Computing Implications

Maritime satellite communications currently rely on encryption algorithms (RSA, ECDSA) that are vulnerable to cryptanalytically relevant quantum computers. The “harvest now, decrypt later” threat model is particularly relevant: state actors are assessed to be collecting and storing encrypted maritime satellite communications for future decryption when quantum capability matures. Sensitive military logistics data, classified naval communications, and strategic commercial intelligence (energy trade flows, commodity shipment patterns, defense supply chain logistics) transmitted via maritime satellite links represent high-value targets for long-term collection. The maritime sector’s long equipment lifecycle (VSAT terminals remain in service for 10–15 years, vessel communications equipment for 20+ years) means that post-quantum cryptographic migration will be slower than in most other sectors, extending the window of vulnerability.

Subsea Infrastructure and Offshore Systems

The maritime threat landscape extends below the waterline. Subsea fiber optic cables carry approximately 95% of intercontinental data traffic, and physical cable routes converge at chokepoints that overlap with maritime traffic corridors. Cyber-physical threats to cable landing stations and cable maintenance vessel operations create novel attack scenarios where cyber compromise of maritime assets enables physical disruption of telecommunications infrastructure. Offshore wind farm control systems—a rapidly growing segment of maritime infrastructure—are connected to onshore grid management systems through subsea cables and use SCADA protocols with known vulnerabilities. Underwater sensor networks supporting oceanographic research, environmental monitoring, and military maritime domain awareness are increasingly network-connected and represent emerging targets for state-sponsored intelligence collection and disruption.

Weaponized Electronic Warfare

GPS/GNSS spoofing has thus far been employed primarily for intelligence collection, sanctions evasion support, and area denial. The escalation pathway to weaponized spoofing—deliberately spoofing vessel positions to cause groundings, collisions, or hazardous navigation in congested waterways—represents a capability that multiple state actors are assessed to possess. A spoofing attack in a congested chokepoint (Singapore Strait, Dover Strait, Bosphorus) during conditions of reduced visibility could cause a collision or grounding that physically blocks the waterway for days or weeks, achieving strategic chokepoint disruption through cyber means with plausible deniability. Dark Angel assesses with low confidence that this scenario has been war-gamed by at least two state actors.

Sector-Specific Defensive Recommendations

The following 18 recommendations are organized in three implementation tiers based on urgency, resource requirements, and strategic value. Each recommendation identifies the specific threat it mitigates, implementation guidance for maritime operational context, regulatory alignment, and common implementation pitfalls.

Tier 1: Immediate Actions (0–6 months)

  1. Implement network segmentation between vessel IT, OT, and crew welfare systems. Threat mitigated: lateral movement from compromised crew devices or shore-side IT to bridge/engine OT (Section 5.1). Deploy zone and conduit models aligned with IEC 62443. Where full air-gapping is infeasible, deploy unidirectional security gateways (data diodes) permitting telemetry export from OT while preventing inbound IT-to-OT traffic. Validate segmentation through penetration testing with physical presence aboard representative vessels. Regulatory alignment: IACS UR E26 zone/conduit requirements, NIS2 Article 21(2)(a), USCG NPRM network segmentation mandate. Pitfall: Many vessels have undocumented cross-connections between VLANs; segmentation must begin with accurate network topology mapping, not assumed architecture diagrams.
  2. Establish USB media control with technical enforcement. Threat mitigated: USB-borne malware delivery to vessel OT (USCG MSIB 06-19 incident, ECDIS chart update vector). Deploy endpoint protection on all bridge and engine room computing systems. Implement USB device whitelisting where operationally feasible. For ECDIS chart updates, transition to authenticated encrypted delivery where supported by chart data providers (e.g., PRIMAR, IC-ENC authenticated update services). Regulatory alignment: IMO MSC-FAL.1/Circ.3 (removable media controls), IACS UR E27 (malware protection). Pitfall: Blanket USB blocking will break ECDIS chart updates and other operationally critical data transfers; implement controlled, auditable USB procedures rather than outright prohibition.
  3. Harden VSAT and satellite communication configurations. Threat mitigated: VSAT interception and compromise (Pavur 2020 research, Section 5.3). Change all default credentials on VSAT terminal management interfaces. Enable encryption for ship-to-shore data links. Segment VSAT traffic to isolate crew internet from operational data paths. Monitor VSAT terminals for unauthorized configuration changes. Regulatory alignment: NIS2 Article 21(2)(h) (encryption policies), NIST CSF PR.DS. Pitfall: VSAT provider contracts may restrict customer access to terminal management interfaces; coordinate with the VSAT provider to ensure security configurations are applied.
  4. Deploy GPS/GNSS integrity monitoring. Threat mitigated: GPS spoofing campaigns (Black Sea, Eastern Mediterranean, Baltic, Persian Gulf — Section 5.1). Implement multi-constellation GNSS receivers (GPS + GLONASS + Galileo + BeiDou) that can detect single-constellation spoofing. Evaluate commercial anti-spoofing solutions. Establish bridge team procedures for recognizing spoofing indicators: unexpected position jumps, divergence between GPS and radar-derived positions, ECDIS chart offset alerts. Deploy eLoran receivers as terrestrial positioning backup where infrastructure exists. Regulatory alignment: SOLAS V/19 (carriage requirements for navigation equipment), IMO performance standards for GNSS receivers. Pitfall: Multi-constellation receivers improve detection but do not prevent all spoofing; bridge team training and procedural responses are essential complements to technical controls.
  5. Conduct incident response planning with maritime-specific scenarios. Threat mitigated: all incident categories. Standard enterprise IR playbooks do not address: limited bandwidth at sea, absence of on-site IT support during voyages, multi-jurisdictional notification obligations, and the imperative to maintain vessel safety regardless of IT status. Develop playbooks for: ransomware aboard a vessel at sea, GPS spoofing during transit of congested waterways, TOS compromise at a major terminal, and coordinated multi-vessel/multi-port attacks. Conduct tabletop exercises annually with bridge officers, shore operations, IT security, legal, and regulatory affairs. Regulatory alignment: NIS2 Article 21(2)(b) (incident handling), IMO ISM Code (emergency preparedness), USCG NPRM (incident reporting to NRC). Pitfall: Tabletop exercises that exclude bridge officers and seafarers address only half the response chain; include vessel-side participants via satellite video link if necessary.
  6. Implement NIS2 incident reporting readiness. Threat mitigated: regulatory non-compliance leading to personal liability under Article 20 and fines up to €10M/2% turnover. Map all EU jurisdictions in which the organization operates as an essential entity. Identify competent authorities and CSIRTs in each member state. Establish 24-hour/72-hour/1-month reporting templates and communication channels. Assign reporting responsibilities across time zones for 24/7 coverage. Pitfall: Multi-jurisdiction operations may require simultaneous notification to multiple competent authorities under divergent national transpositions; establish a single internal incident coordination function that triggers all required notifications from a unified process.
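The bridge-team spoofing indicators in recommendation 4 (position jumps, divergence between the GNSS fix and a radar-derived position) can also be checked automatically on the bridge network. The following is an added example written for this report, not code from Dark Angel or from any navigation vendor. It validates the NMEA 0183 checksum of each $--RMC sentence (rejecting corrupted or injected sentences, since the serial bus offers no other integrity protection), converts the fix to decimal degrees, and raises an alert when consecutive fixes imply an implausible speed or when the fix diverges from an independent radar position. The sample sentences, the radar fixes, and the two thresholds (60 kn, 0.5 NM) are constructed for illustration and are assumptions, not values from the report.

```python
"""Added example: NMEA 0183 checksum validation and GNSS spoofing indicators."""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

EARTH_RADIUS_NM = 3440.065          # mean Earth radius in nautical miles
MAX_PLAUSIBLE_SPEED_KN = 60.0       # assumed ceiling for a merchant hull
MAX_RADAR_DIVERGENCE_NM = 0.5       # assumed GNSS-vs-radar tolerance


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', as two uppercase hex digits."""
    value = 0
    for ch in body:
        value ^= ord(ch)
    return f"{value:02X}"


def build_sentence(body: str) -> str:
    """Append a correct checksum to a sentence body (used to build sample data)."""
    return f"${body}*{nmea_checksum(body)}"


@dataclass
class Fix:
    seconds: int      # seconds since 00:00 UTC
    lat: float        # decimal degrees, north positive
    lon: float        # decimal degrees, east positive
    sog_kn: float     # speed over ground reported by the receiver


def _dm_to_deg(dm: str, hemisphere: str, is_lon: bool) -> float:
    """Convert NMEA ddmm.mmmm / dddmm.mmmm to signed decimal degrees."""
    deg_digits = 3 if is_lon else 2
    value = int(dm[:deg_digits]) + float(dm[deg_digits:]) / 60.0
    return -value if hemisphere in ("S", "W") else value


def parse_rmc(sentence: str) -> Optional[Fix]:
    """Validate the checksum and decode a $--RMC sentence; None if untrusted."""
    if not sentence.startswith("$") or "*" not in sentence:
        return None
    body, _, checksum = sentence[1:].partition("*")
    if checksum.upper() != nmea_checksum(body):
        return None  # corrupted or injected sentence: never use its position
    f = body.split(",")
    if len(f) < 10 or not f[0].endswith("RMC") or f[2] != "A":
        return None  # wrong sentence type or receiver reports no valid fix
    t = f[1]
    seconds = int(t[0:2]) * 3600 + int(t[2:4]) * 60 + int(t[4:6])
    return Fix(seconds, _dm_to_deg(f[3], f[4], False),
               _dm_to_deg(f[5], f[6], True), float(f[7]))


def distance_nm(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance (haversine) between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))


def spoofing_indicators(sentences: List[str],
                        radar_positions: List[Optional[Tuple[float, float]]]) -> List[str]:
    """Return one alert string per indicator found across a sequence of fixes."""
    alerts: List[str] = []
    prev: Optional[Fix] = None
    for idx, (sentence, radar) in enumerate(zip(sentences, radar_positions)):
        fix = parse_rmc(sentence)
        if fix is None:
            alerts.append(f"fix {idx}: rejected (checksum or format failure)")
            continue
        if prev is not None and fix.seconds > prev.seconds:
            jump = distance_nm((prev.lat, prev.lon), (fix.lat, fix.lon))
            implied_kn = jump / ((fix.seconds - prev.seconds) / 3600.0)
            if implied_kn > MAX_PLAUSIBLE_SPEED_KN:
                alerts.append(f"fix {idx}: position jump {jump:.1f} NM implies {implied_kn:.0f} kn")
        if radar is not None:
            divergence = distance_nm((fix.lat, fix.lon), radar)
            if divergence > MAX_RADAR_DIVERGENCE_NM:
                alerts.append(f"fix {idx}: GNSS/radar divergence {divergence:.1f} NM")
        prev = fix
    return alerts


# Constructed sample: a vessel making 12 kn eastbound off Singapore, then a fix
# that jumps ~30 NM in 10 s, then a sentence whose body was altered after the
# checksum was computed (single-character change guarantees a checksum mismatch).
SAMPLE_SENTENCES = [
    build_sentence("GPRMC,120000,A,0115.0000,N,10350.0000,E,12.0,090.0,010525,,,A"),
    build_sentence("GPRMC,120010,A,0115.0000,N,10350.0333,E,12.0,090.0,010525,,,A"),
    build_sentence("GPRMC,120020,A,0115.0000,N,10420.0000,E,12.0,090.0,010525,,,A"),
    build_sentence("GPRMC,120030,A,0115.0000,N,10420.0333,E,12.0,090.0,010525,,,A")
    .replace("10420.0333", "10420.0334"),
]
# Constructed radar-derived positions aligned to the fixes above (None = no radar fix).
RADAR_FIXES = [(1.25, 103.8333), (1.25, 103.8339), (1.25, 103.8344), None]

if __name__ == "__main__":
    for alert in spoofing_indicators(SAMPLE_SENTENCES, RADAR_FIXES):
        print(alert)
```

Run against the constructed data, the third fix is flagged twice (implausible speed and radar divergence) and the fourth is rejected outright on checksum. A shipboard deployment would feed the same logic from the bridge's IEC 61162-450 multicast stream and a radar overlay, and would log, not act on, the alerts: the procedural response described in recommendation 4 remains the bridge team's.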

Tier 2: Medium-Term Improvements (6–18 months)

  1. Conduct OT-specific threat assessments for port and vessel infrastructure. Threat mitigated: OT compromise leading to operational disruption or safety-of-life consequences (Section 5.2). Assess TOS, crane control networks, and automated equipment using IEC 62443 risk assessment methodology and NIST SP 800-82 guidance. Engage security firms with documented maritime OT expertise—generic IT penetration testers lack the domain knowledge to assess PROFINET, Modbus, and OPC UA environments safely. Ensure assessments cover the full kill chain from shore-side IT compromise through lateral movement to OT. Regulatory alignment: IACS UR E26 (risk assessment), NIS2 Article 21(2)(a), USCG NPRM (penetration testing). Pitfall: Active scanning and penetration testing of live port OT systems can cause equipment malfunctions and safety incidents; conduct OT assessments during planned maintenance windows with qualified OT security personnel and equipment vendor coordination.
  2. Implement maritime-specific cybersecurity awareness training for seafarers. Threat mitigated: social engineering, phishing, USB hygiene failures (Section 4.2 initial access vectors). Develop training addressing maritime-specific scenarios: phishing via personal email on crew WiFi, social engineering by port personnel, USB media hygiene, and recognition of anomalous bridge/engine room system behavior. Training must be practical, delivered in crew languages (Tagalog, Mandarin, Bahasa, Hindi, Russian, Ukrainian), and integrated into existing maritime safety training frameworks. Conduct simulated phishing exercises tailored to the maritime context. Regulatory alignment: ISM Code safety training requirements, STCW Convention competency framework (advocate for cybersecurity inclusion in future Manila Amendments). Pitfall: Annual classroom training delivered pre-embarkation has minimal retention for 6–9 month contracts; implement monthly micro-training delivered via crew entertainment/welfare systems aboard vessels.
  3. Establish third-party and vendor risk management for maritime software supply chain. Threat mitigated: supply chain compromise (DNV ShipManager incident, Clop/MOVEit exploitation, ZPMC port crane concerns). Inventory all software vendors with persistent connectivity to vessel or port OT systems. Require Software Bill of Materials (SBOM) from TOS vendors, ECDIS manufacturers, and fleet management software providers. Assess vendor security posture through questionnaires, SOC 2 reports, and where feasible, independent assessment. Include cybersecurity clauses in vendor contracts specifying incident notification timelines, security testing requirements, and secure development lifecycle (SDLC) obligations. Regulatory alignment: NIS2 Article 21(2)(d) (supply chain security), IACS UR E27 (equipment supplier requirements), USCG NPRM (supply chain risk management). Pitfall: Maritime software vendors, particularly smaller companies serving niche maritime functions, may lack the maturity to provide SBOMs or SOC 2 reports; establish a risk-based tiering approach that applies intensive scrutiny to vendors with OT connectivity and lighter-touch assessment to administrative software providers.
  4. Select and deploy maritime-aware SOC/MSSP capabilities. Threat mitigated: inadequate detection and response across distributed maritime IT/OT environments. Maritime SOC requirements differ from enterprise SOC: analysts must understand vessel network architectures, maritime OT protocols (NMEA, Modbus, PROFINET), satellite communication patterns, and the operational constraints of incident response at sea. Evaluate potential SOC/MSSP providers on: maritime OT protocol monitoring capability, experience with maritime incident response, 24/7 coverage across maritime time zones, ability to ingest and correlate VSAT traffic metadata, and integration with vessel management and port OT monitoring systems. Pitfall: Generic enterprise MSSPs will generate false positives from normal maritime OT traffic patterns (e.g., NMEA 0183 broadcasts, AIS data streams) and lack the operational context to triage maritime-specific alerts; require demonstrated maritime client references.
  5. Develop cyber risk quantification for maritime insurance purposes. Threat mitigated: inadequate insurance coverage, inability to demonstrate risk posture to P&I clubs and underwriters. Adopt FAIR (Factor Analysis of Information Risk) or equivalent quantitative risk analysis methodology to model maritime-specific loss scenarios: ransomware causing port terminal shutdown, GPS spoofing causing grounding/collision, supply chain compromise affecting fleet management. Present quantified risk assessments to marine cyber insurance underwriters to negotiate coverage that reflects actual risk posture rather than sector-average pricing. Engage with P&I clubs proactively on cyber risk requirements. Pitfall: Maritime risk quantification requires granular data on vessel-specific OT configurations, port terminal architectures, and recovery capabilities that most organizations have not documented; risk quantification efforts will expose asset inventory gaps that must be addressed first.
  6. Implement cyber clauses in charter party agreements and commercial contracts. Threat mitigated: contractual ambiguity regarding cyber incident liability, responsibility allocation between vessel owner, charterer, and port operator. Develop standard cyber clauses for time charter, voyage charter, and terminal service agreements that specify: minimum cybersecurity standards for chartered vessels, incident notification obligations between contracting parties, liability allocation for cyber-caused delays/damage, and cooperation requirements during incident response. Reference BIMCO Cyber Security Clause 2019 as a starting point. Regulatory alignment: P&I club requirements, BIMCO contractual guidance. Pitfall: Cyber clauses that impose requirements without verification mechanisms are unenforceable; couple contractual requirements with periodic cyber condition surveys aligned with classification society guidelines.

Tier 3: Strategic Initiatives (18–36 months)

  1. Establish red team and adversarial simulation programs for vessel and port OT. Threat mitigated: unidentified OT vulnerabilities, untested incident response capabilities. Commission annual red team exercises that simulate realistic maritime attack scenarios: initial access through shore-side IT, lateral movement to vessel/port OT, and simulated OT impact (in controlled test environments, not production systems). Include physical security testing of vessel access during port calls (service engineer impersonation, USB media insertion). Red team scope must extend to testing satellite communication interception, VSAT terminal compromise, and GPS spoofing detection capabilities. Pitfall: Red team exercises against live port OT carry genuine safety risks; establish clear rules of engagement, conduct OT-specific testing in staging environments or during planned shutdowns, and ensure red team personnel hold relevant OT certifications (GICSP or equivalent).
  2. Join maritime-specific threat intelligence sharing communities. Threat mitigated: intelligence gaps, delayed awareness of sector-specific threats. Participate actively in: the Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC), BIMCO cybersecurity information sharing, ENISA Maritime Cybersecurity working group, and national maritime CSIRT programs. Consume commercial threat intelligence feeds with maritime sector coverage. Establish information sharing agreements with classification societies, port authority security teams, and flag state maritime administrations. Pitfall: Threat intelligence sharing requires both consumption and contribution; organizations that consume without sharing create a free-rider problem that degrades community intelligence quality.
  3. Implement board-level cyber governance aligned with NIS2 Article 20. Threat mitigated: management body personal liability under NIS2, strategic underinvestment in cybersecurity. Establish a board-level cybersecurity committee or assign cybersecurity oversight to an existing risk committee. Require regular (quarterly minimum) board reporting on cyber risk posture, incident metrics, regulatory compliance status, and threat landscape evolution. Ensure board members receive cybersecurity awareness training (NIS2 Article 20 requirement). Align board governance with NIST CSF 2.0 Govern function. Pitfall: Board reporting that focuses exclusively on technical metrics (patches applied, vulnerabilities closed) fails to communicate strategic risk; frame board reports in terms of business risk, operational resilience, and regulatory compliance posture.
  4. Develop post-quantum cryptographic migration roadmap for maritime communications. Threat mitigated: quantum computing threat to maritime satellite communication encryption (Section 8). Inventory all cryptographic implementations across VSAT, AIS, VPN, and shore-to-ship communication systems. Identify systems using RSA/ECDSA that are vulnerable to quantum cryptanalysis. Develop a phased migration plan prioritizing systems carrying the most sensitive data (classified naval logistics, strategic commercial intelligence). Engage with VSAT providers and equipment manufacturers on post-quantum implementation timelines. Pitfall: Maritime equipment procurement cycles are 3–5 years and vessel lifespans are 25+ years; post-quantum migration must be integrated into next-generation equipment specifications now, not deferred until quantum computers are operational.
  5. Participate in autonomous vessel cybersecurity standards development. Threat mitigated: MASS attack surface expansion (Section 8). Engage with IMO MASS regulatory development (MSC.108), IACS working groups on autonomous vessel classification, and industry consortia developing MASS cybersecurity standards. Contribute operational maritime cybersecurity experience to ensure MASS regulations incorporate lessons from conventional vessel OT security failures rather than developing new frameworks from scratch. Pitfall: Autonomous vessel cybersecurity standards developed without input from maritime OT security practitioners risk replicating the same architecture and protocol vulnerabilities that plague conventional vessel networks.
  6. Establish maritime cyber range and workforce development program. Threat mitigated: workforce shortage and skills gap. The maritime sector’s cybersecurity workforce deficit is acute: shipping companies compete for talent with higher-paying financial services and technology sectors. Develop maritime-specific cyber range environments that replicate vessel bridge systems (ECDIS, AIS, radar), engine room OT (PLCs, Modbus), and port terminal systems (TOS, crane control). Use these ranges for: training maritime cybersecurity specialists, conducting tabletop and live-fire exercises, validating detection rules, and testing incident response playbooks. Collaborate with maritime academies and training institutions to integrate cybersecurity into seafarer and port worker training curricula. Pitfall: Cyber range investments require sustained operational funding for scenario development and maintenance, not just initial capital expenditure; plan for ongoing operational costs.

Methodology & Intelligence Standards

Analytic Framework

This assessment is produced under the analytic standards framework established in Intelligence Community Directive (ICD) 203, which governs objectivity, independence from political influence, timeliness, and the distinction between analytic judgments and factual reporting. Source reliability is evaluated using the Admiralty Code (also known as the NATO System), rating sources on a two-axis scale: reliability of the source (A–F, where A is “completely reliable”) and credibility of the information (1–6, where 1 is “confirmed by other sources”). Attribution assessments adhere to the graduated confidence framework defined below.

Collection Streams

Incident data: Analysis of 87 confirmed ransomware incidents and 39 additional cyber incidents (espionage, data breaches, DDoS, electronic warfare) affecting maritime and port organizations between January 2023 and March 2026. Incident data is sourced from Dark Angel’s incident response engagements (18 cases), data leak site monitoring (52 active DLS), public disclosure by affected organizations, USCG Marine Safety Information Bulletins, EU member state CSIRT reporting, and ENISA incident notifications.

Threat actor tracking: Continuous monitoring of 14 nation-state groups assessed to target maritime entities, including APT40, Volt Typhoon, Salt Typhoon, APT28, Sandworm, APT29, APT33, APT35, Lazarus Group, and associated infrastructure. Ransomware group tracking covers all major RaaS programs and their affiliate operations targeting maritime and logistics sectors.

OT security research: Technical analysis of maritime OT systems across 23 vessel assessments and 11 port terminal assessments conducted between 2023 and 2026. Systems assessed include ECDIS platforms from 5 manufacturers, AIS transponders, GPS/GNSS receivers, VSAT terminals from 3 providers, and TOS platforms from 4 vendors. Research conducted in partnership with maritime technology vendors and classification societies under coordinated disclosure agreements.

Regulatory analysis: Review of IMO resolutions, circulars, and MSC outputs; EU legislative texts and 19 national NIS2 transposition measures; IACS unified requirements and classification society guidance notes; USCG NPRM and supporting documentation; and national maritime cybersecurity strategies from 22 flag state administrations.

Industry engagement: Structured interviews and intelligence sharing with 34 shipping companies, 12 port authorities, 5 maritime classification societies, and 9 maritime technology vendors.

Confidence Assessment Framework

Confidence Level | Definition | Typical Basis
---------------- | ---------- | -------------
High Confidence | Assessment is based on high-quality information from multiple independent sources. The analytic judgment is well-supported and unlikely to change significantly with additional information. | Government attribution statements, multiple IR engagements, corroborated technical evidence, direct observation
Moderate Confidence | Assessment is based on credibly sourced information that is plausible and consistent with available evidence, but has not been fully corroborated or could be interpreted differently. | Single credible source, industry reporting, assessed technical indicators, limited corroboration
Low Confidence | Assessment is based on information that is plausible but from sources of uncertain reliability, or the available evidence supports the judgment but is insufficient for higher confidence. | Single unconfirmed source, circumstantial evidence, logical inference from limited data

Analytic Limitations

Several intelligence gaps constrain this assessment. Ransomware incident data is inherently incomplete: an estimated 40–60% of maritime ransomware incidents are not publicly disclosed, and ransom payment data is almost entirely opaque. Nation-state operational detail beyond government attribution statements is derived from technical indicator analysis and assessed operational patterns; ground-truth confirmation of intent and specific pre-positioned access is not available through open or commercial sources. Vessel OT vulnerability data is constrained by the limited number of vessels that have undergone independent security assessment (estimated at a fraction of 1% of the global fleet). GPS/GNSS interference event data is dependent on voluntary reporting by vessels and shore monitoring stations; actual interference events almost certainly exceed documented counts. These limitations are noted throughout the report where they affect specific analytic judgments.

Appendices

Appendix A: Maritime Cyber Incident Database

Date | Target | Type | Actor / Malware | Impact Duration | Est. Cost
---- | ------ | ---- | --------------- | --------------- | ---------
Jun 2017 | Maersk / APM Terminals (Global) | Destructive wiper | Sandworm / NotPetya | ~14 days (76 terminals) | $300M direct / $10B+ indirect
Jul 2018 | COSCO Shipping Lines (North America) | Ransomware | Unknown | ~5 days (regional) | Undisclosed
Nov 2018 | Austal Ships (Australia) | Data breach / extortion | Unknown (unattributed) | N/A (data theft) | Undisclosed
Feb 2019 | Deep-draft vessel (U.S.) | USB malware | Unknown | Degraded IT systems | N/A
Dec 2019 | MTSA-regulated facility (U.S.) | Ransomware | Ryuk | 30+ hours | Undisclosed
Apr 2020 | MSC Mediterranean Shipping (Geneva) | Malware / network outage | Unknown | ~5 days | Undisclosed
Sep 2020 | CMA CGM (Global) | Ransomware | Ragnar Locker | ~14 days (booking systems) | Undisclosed (est. $50M+)
Jul 2021 | Transnet / SA Ports | Ransomware | Death Kitty / HelloKitty | ~7 days (force majeure) | Est. $100M+ (national)
Nov 2021 | Swire Pacific Offshore | Ransomware | Clop | Crew data exfiltrated | Undisclosed
Feb 2022 | Expeditors International (Global) | Ransomware | Unknown | ~21 days | $60M (disclosed)
Dec 2022 | Port of Lisbon (Portugal) | Ransomware | LockBit | Admin systems; data leaked | Undisclosed
Jan 2023 | DNV ShipManager (Norway) | Ransomware | Unknown | ~70 customers, ~1,000 vessels | Undisclosed
Jul 2023 | Port of Nagoya / NUTS (Japan) | Ransomware | LockBit | ~2.5 days (all 5 terminals) | Est. $50M+
Nov 2023 | DP World Australia (4 ports) | Cyberattack | Unknown | ~21 days to full recovery | Est. $200M+ (economic impact)
Q2 2024 | European ro-ro ferry operator | Ransomware | Black Basta | ~5 days (booking/check-in) | Undisclosed
Q3 2024 | SE Asian port operator (4 terminals) | Ransomware | Akira | ~10 days | Est. $35M+
Q4 2024 | Maritime comms provider (~200 vessels) | Supply chain compromise | Unknown | VSAT mgmt malware deployed | Under investigation

Appendix B: Regulatory Compliance Cross-Reference Matrix

Control Domain | IMO MSC.428 | NIS2 | IACS UR E26/E27 | USCG NPRM | NIST CSF 2.0
-------------- | ----------- | ---- | --------------- | --------- | ------------
Governance & Risk Management | ISM Code SMS | Art. 20 (mgmt body) | E26 §4 (framework) | CySO designation | GV.OC, GV.RM
Asset Inventory | Circ.3 (Identify) | Art. 21(2)(a) | E26 §5 (CBS inventory) | Proposed | ID.AM
Network Segmentation | Circ.3 (Protect) | Art. 21(2)(a) | E26 §6 (zones/conduits) | Mandated | PR.IR
Access Control | Circ.3 (Protect) | Art. 21(2)(i) | E27 §5.2 | Proposed | PR.AA
Incident Detection | Circ.3 (Detect) | Art. 21(2)(a) | E26 §7 | Proposed | DE.CM, DE.AE
Incident Reporting | Flag state notification | Art. 23 (24h/72h/1mo) | N/A | NRC 24h reporting | RS.CO
Supply Chain Security | Circ.3 (limited) | Art. 21(2)(d) | E27 (supplier reqts) | Foreign adversary provisions | GV.SC
Business Continuity | ISM Code (emergency) | Art. 21(2)(c) | E26 §8 | Proposed | RC.RP
Encryption | Not specified | Art. 21(2)(h) | E27 §5.6 | Proposed | PR.DS
Training & Awareness | ISM Code §6 | Art. 20(2) | E26 §9 | Proposed | PR.AT
Management Liability | Not specified | Art. 20 (personal) | N/A | Not specified | GV.OC
Penetration Testing | Not specified | Art. 21(2)(e) | E26 §7 (verification) | Mandated | ID.RA

Appendix C: Maritime OT Protocol Reference

Protocol | Domain | Transport | Port(s) | Authentication | Encryption | Security Notes
-------- | ------ | --------- | ------- | -------------- | ---------- | --------------
NMEA 0183 | Vessel navigation | Serial (RS-422) | N/A | None | None | Plaintext ASCII sentences; trivially injectable on shared serial bus
NMEA 2000 | Vessel navigation | CAN bus | N/A | None | None | CAN bus inherits automotive CAN vulnerabilities; broadcast domain
IEC 61162-450 | Vessel bridge | UDP/TCP | Variable | Optional | Optional | Ethernet-based bridge system interconnection; security depends on implementation
AIS (ITU-R M.1371) | Vessel identification | VHF radio | N/A (RF) | None | None | Broadcast, unauthenticated; spoofing is trivial with $200 SDR equipment
Modbus RTU | Engine room, port OT | Serial (RS-485) | N/A | None | None | Master-slave architecture; no integrity checking beyond CRC
Modbus TCP | Engine room, port OT | TCP | 502 | None | None | Network-accessible; commands accepted from any source on the network
PROFINET | Engine room, cranes | Ethernet (Layer 2) | 34962–34964 | Optional (v2.4+) | Optional (v2.4+) | Widely deployed in Siemens-based port/vessel automation; older versions lack security
OPC UA | Port SCADA, TOS integration | TCP | 4840 | Certificate-based | TLS supported | Most secure maritime OT protocol; adoption growing but deployment often disables security features
DNP3 | Port utilities, SCADA | TCP/Serial | 20000 | SAv5 (optional) | SAv5 (optional) | Used for port electrical/water SCADA; legacy deployments lack Secure Authentication
BACnet | Port building automation | UDP/TCP | 47808 | Optional | Optional | HVAC, fire, access control in port buildings; frequently on flat networks
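The Modbus TCP row above (no authentication, commands accepted from any source) is the concrete reason Tier 2 recommendation 4 asks for SOC analysts who understand maritime OT protocols: the only available control is to know which hosts are legitimate masters and to alert on anything else issuing writes. The following added example, written for this report rather than taken from Dark Angel or any monitoring vendor, shows the detection logic a maritime-aware SOC would run over captured TCP/502 traffic. It parses the MBAP header and function code of each request, rejects malformed frames, and alerts when a write function (coil or register writes) originates from a source that is not on the allowlist of known masters. The allowlisted HMI address, the other hosts, and the frames themselves are constructed sample data and are assumptions of the example.

```python
"""Added example: alert on Modbus TCP write requests from non-allowlisted masters."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Modbus function codes that change process state (the ones worth alerting on).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    protocol_id: int   # must be 0 for Modbus
    unit_id: int       # addressed slave/unit behind the gateway
    function: int
    data: bytes        # PDU payload after the function code


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Decode the 7-byte MBAP header plus PDU; None if the frame is malformed."""
    if len(payload) < 8:
        return None
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if length != len(payload) - 6:       # length covers unit id + PDU
        return None
    return ModbusRequest(transaction_id, protocol_id, unit_id, payload[7], payload[8:])


def _start_address(req: ModbusRequest) -> Optional[int]:
    """First coil/register address for the write functions that carry one."""
    if req.function in (5, 6, 15, 16, 22) and len(req.data) >= 2:
        return struct.unpack(">H", req.data[:2])[0]
    return None


Flow = Tuple[str, str, bytes]   # (source IP, destination IP, TCP/502 request payload)


def inspect_flows(flows: List[Flow], allowed_masters: Set[str]) -> List[str]:
    """Return one alert per suspicious request; reads from anyone are tolerated here."""
    alerts: List[str] = []
    for src, dst, payload in flows:
        req = parse_modbus_tcp(payload)
        if req is None:
            alerts.append(f"{src}->{dst}: malformed MBAP header or length mismatch")
            continue
        if req.protocol_id != 0:
            alerts.append(f"{src}->{dst}: non-zero protocol id {req.protocol_id} on TCP/502")
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_masters:
            addr = _start_address(req)
            where = f" at address {addr}" if addr is not None else ""
            alerts.append(f"{src}->{dst}: {WRITE_FUNCTIONS[req.function]} (FC {req.function}) "
                          f"to unit {req.unit_id}{where} from non-allowlisted source")
    return alerts


# Constructed sample: 10.10.1.5 is the engine-room HMI (the only legitimate master);
# 10.10.1.99 is an unknown host, e.g. a laptop that found its way onto the OT VLAN.
ALLOWED_MASTERS = {"10.10.1.5"}
SAMPLE_FLOWS: List[Flow] = [
    ("10.10.1.5",  "10.10.2.20", bytes.fromhex("00010000000601030000000a")),            # read 10 holding regs
    ("10.10.1.5",  "10.10.2.20", bytes.fromhex("000200000006010600100064")),            # write reg 16 = 100 (allowed)
    ("10.10.1.99", "10.10.2.20", bytes.fromhex("00030000000b0110001000020400000000")),  # FC16 write 2 regs at 16
    ("10.10.1.99", "10.10.2.20", bytes.fromhex("00040000000601050001ff00")),            # FC5 force coil 1 ON
    ("10.10.1.5",  "10.10.2.20", bytes.fromhex("000500010006010300000001")),            # protocol id 1: not Modbus
    ("10.10.1.99", "10.10.2.20", bytes.fromhex("0006000000")),                          # truncated frame
]

if __name__ == "__main__":
    for alert in inspect_flows(SAMPLE_FLOWS, ALLOWED_MASTERS):
        print(alert)
```

In production the flows would come from a SPAN port or a passive OT sensor rather than a list, and the allowlist would be derived from the zone/conduit model established under Tier 1 recommendation 1. The false-positive caveat in the recommendation applies: a generic MSSP rule that alerts on every TCP/502 write would fire constantly on the HMI's normal traffic, which is why the allowlist, not the function code alone, is the signal.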

Appendix D: Recommended Maritime Cybersecurity Standards and Frameworks

  • IMO MSC-FAL.1/Circ.3/Rev.1 — Guidelines on Maritime Cyber Risk Management
  • BIMCO Guidelines on Cyber Security Onboard Ships (v5, 2024) — Industry standard for shipboard cybersecurity, jointly published by BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO, IUMI, OCIMF, and WSC
  • NIST Cybersecurity Framework 2.0 (February 2024) — Reference framework recommended in IMO guidance
  • NIST SP 800-82 Rev. 3 — Guide to Operational Technology Security (applicable to port OT)
  • IEC 62443 Series — Industrial Automation and Control Systems Security (referenced by IACS UR E26/E27)
  • IACS Recommendation on Cyber Resilience (Rec. 166) — Companion guidance to UR E26/E27
  • ENISA Guidelines on Maritime Cybersecurity — EU agency guidance for maritime sector entities
  • ISO/IEC 27001:2022 & ISO/IEC 27002:2022 — Information security management systems
  • ISO/IEC 27005:2022 — Information security risk management
  • CIS Controls v8 — Prioritized cybersecurity controls; Implementation Groups provide scalable maturity tiers
  • MITRE ATT&CK for ICS — Adversary tactics and techniques for industrial control systems
  • DNV Recommended Practice DNV-RP-0496 — Cyber Security Resilience Management for Ships and Mobile Offshore Units
  • Lloyd’s Register Cyber-enabled Ship ShipRight Procedure — Classification society cyber security notation guidance
  • ABS CyberSafety Notation Guide — Classification society cyber security notation and survey requirements
  • Singapore MPA Maritime Cybersecurity Code — National maritime cyber regulation model
