Sector Assessment

Maritime and Shipping Sector: Cyber Threat Intelligence Report

February 11, 2026
Executive Summary

The global maritime and shipping sector—responsible for transporting approximately 90% of all internationally traded goods by volume and underpinning an estimated $14 trillion in annual cargo value—faces a cyber threat environment that has escalated sharply in both sophistication and operational consequence over the past 36 months. The sector’s rapid digitalization, characterized by the convergence of legacy operational technology (OT) with enterprise IT networks, the proliferation of satellite-dependent navigation and communication systems aboard vessels, and the integration of automated cargo handling and terminal operating systems across major ports, has expanded the attack surface available to nation-state actors, ransomware operators, and hacktivists by an order of magnitude. Dark Angel’s assessment, informed by incident response engagements across three major shipping conglomerates, continuous monitoring of maritime-sector targeting by ransomware groups, and analysis of publicly documented compromises from 2017 through Q1 2025, concludes that the maritime sector is critically underprepared relative to the threat it faces. The combination of geographically distributed infrastructure, OT systems designed without cybersecurity considerations, crew populations with limited security training, and extended periods of limited connectivity at sea creates a defensive challenge unlike any other critical infrastructure sector. This report provides a comprehensive threat assessment for maritime and shipping organizations, security leaders, and the regulatory bodies tasked with driving cyber resilience improvements across the sector.

The Maritime Cyber Threat Landscape

Sector Significance and Strategic Value

Maritime shipping is the circulatory system of the global economy. By volume, approximately 90% of all internationally traded goods travel by sea, a proportion that has remained remarkably stable over the past two decades despite advances in air freight and overland logistics. The United Nations Conference on Trade and Development (UNCTAD) estimates that the global merchant fleet comprises over 105,000 vessels of 100 gross tonnes and above, operated by thousands of shipping companies, crewed by approximately 1.9 million seafarers, and calling at more than 5,000 ports worldwide. The annual value of cargo transiting ocean routes exceeds $14 trillion, with key chokepoints—the Strait of Malacca, the Suez Canal, the Strait of Hormuz, the Panama Canal, and the Turkish Straits—concentrating enormous economic value into narrow geographic corridors where disruption cascades rapidly through global supply chains.

This economic centrality makes the maritime sector a high-value target for every category of cyber threat actor. Nation-states seek intelligence on trade flows, naval movements, and port operations. Ransomware operators target the sector precisely because operational disruption carries immediate and quantifiable financial consequences that incentivize rapid payment. Hacktivists exploit the sector’s symbolic significance—ports and shipping lines are visible, recognizable elements of national economic infrastructure whose disruption generates media coverage disproportionate to the technical sophistication required to achieve it.

Attack Surface Expansion

The maritime sector’s cyber attack surface has expanded dramatically through three concurrent technological transitions, each introducing new categories of vulnerability while often failing to retire the legacy systems they were intended to replace.

IT/OT convergence aboard vessels represents the most consequential expansion of the attack surface. Modern vessels integrate bridge navigation systems (Electronic Chart Display and Information Systems, radar, Automatic Identification System transponders), engine management systems, ballast water treatment controls, and cargo monitoring systems into networked architectures that are increasingly connected to shore-side management platforms via satellite communications. The International Maritime Organization’s drive toward e-Navigation and the adoption of the Maritime Single Window for port reporting have accelerated this connectivity. A vessel that operated as a largely isolated system 15 years ago now maintains persistent satellite data links, receives real-time weather routing and performance optimization data from shore-based operations centers, and transmits continuous telemetry on fuel consumption, engine parameters, and navigational status. Each of these data flows represents a potential attack vector.

Smart port infrastructure constitutes the second major expansion. The world’s leading container terminals—facilities in Rotterdam, Singapore, Shanghai, Los Angeles/Long Beach, and Hamburg—have invested heavily in automation over the past decade. Automated stacking cranes (ASC), automated guided vehicles (AGV), and remotely operated ship-to-shore (STS) cranes are orchestrated by Terminal Operating Systems (TOS) that manage vessel berth planning, container stowage, yard management, and truck gate operations. These TOS platforms (Navis N4, TBA OSCAR, Jade Logistics Master Terminal, and others) are the nervous system of modern port operations. Their compromise can halt container throughput entirely, as demonstrated during the 2017 Maersk/NotPetya incident when APM Terminals facilities worldwide were rendered inoperable for days.

Autonomous and semi-autonomous vessel programs represent the emerging third vector. While fully autonomous commercial shipping remains in development—projects such as the Yara Birkeland and initiatives under IMO’s Maritime Autonomous Surface Ships (MASS) regulatory scoping exercise are progressing toward limited operational deployment—the underlying technologies (remote vessel monitoring, autonomous navigation systems, machine learning-based collision avoidance) are already being incorporated into conventional vessels. These systems introduce new software supply chains, new communications dependencies, and new failure modes that have not yet been subjected to adversarial testing at scale.

Historical Incidents: Establishing the Pattern

The maritime sector’s cyber threat history provides critical context for understanding current risk levels. Three incidents are particularly instructive.

Maersk/NotPetya (June 2017) remains the defining cyber incident in maritime history and one of the most consequential cyberattacks against any commercial entity. The NotPetya destructive wiper, attributed to Russian GRU (Sandworm/Unit 74455), propagated through the Ukrainian tax software MEDoc and reached Maersk’s global network through a single infected machine in the company’s Ukrainian office. Within seven hours, the malware had encrypted or destroyed systems across Maersk’s entire IT infrastructure: 49,000 laptops, 4,000 servers, and 2,500 applications across 600 sites in 130 countries were rendered inoperable. APM Terminals, Maersk’s port operations subsidiary, was forced to halt operations at 76 terminals worldwide. The company estimated total losses at $250–$300 million, but the true cost—including downstream supply chain disruption across dozens of countries—was almost certainly considerably higher. The incident was not targeted at Maersk or the maritime sector; it was collateral damage from a Russian destructive operation aimed at Ukraine. This fact carries a critical lesson: the maritime sector need not be the intended target to suffer catastrophic consequences from state-sponsored cyber operations.

Transnet/South Africa (July 2021) demonstrated ransomware’s capacity to disrupt national-scale port infrastructure. Transnet SOC Ltd, South Africa’s state-owned port and rail operator, suffered a ransomware attack attributed to a variant of the Death Kitty/HelloKitty ransomware family. The attack forced Transnet to declare force majeure across all container terminals at Durban, Cape Town, Ngqura, and Port Elizabeth—facilities that collectively handle more than 60% of South Africa’s containerized trade. Manual operations were implemented but throughput collapsed by an estimated 70–80% during the week-long disruption. The incident demonstrated that a single ransomware deployment could effectively paralyze a nation’s port operations and impose cascading impacts on landlocked neighboring countries dependent on South African port access.

DNV ShipManager (January 2023) illustrated supply chain risk in the maritime software ecosystem. DNV, one of the world’s largest maritime classification societies, confirmed a ransomware attack on the IT infrastructure hosting its ShipManager software—a fleet management platform used by approximately 70 customers operating roughly 1,000 vessels. DNV was forced to take ShipManager servers offline, disrupting fleet management operations for operators who relied on the platform for planned maintenance, crewing, procurement, and quality/health/safety/environmental (QHSE) management. While vessel safety was not directly compromised (bridge and navigation systems are architecturally separate from fleet management software), the incident demonstrated that a single compromise of a widely used maritime software vendor could simultaneously affect hundreds of vessels and dozens of operators—a supply chain risk profile that remains inadequately addressed across the sector.

“Maritime shipping is the one sector where a single cyber incident can simultaneously disrupt physical infrastructure on six continents, affect the economic output of dozens of nations, and create safety-of-life risks for thousands of seafarers—all within hours of initial compromise.”

Dark Angel Threat Intelligence Team, April 2025

Threat Actor Categories

Nation-State Actors

State-sponsored cyber operations targeting the maritime sector serve three strategic objectives: intelligence collection on trade flows and naval logistics, pre-positioning for potential disruption of maritime supply chains during geopolitical crises, and supporting broader economic espionage campaigns against defense and critical infrastructure sectors where maritime entities are upstream suppliers or logistics partners.

People’s Republic of China (PRC). Chinese state-sponsored groups represent the most persistent and technically sophisticated nation-state threat to the maritime sector. Groups attributed to the PRC Ministry of State Security (MSS) and the People’s Liberation Army Strategic Support Force (PLA SSF) have conducted sustained espionage campaigns targeting shipping companies, port authorities, shipbuilding firms, and maritime technology providers across Southeast Asia, Europe, and North America. APT40 (also tracked as Leviathan, TEMP.Periscope, and Bronze Mohawk), formally attributed to the MSS Hainan State Security Department by the U.S. Department of Justice in 2021, has historically demonstrated a particular focus on maritime targets—including naval defense contractors, shipping firms, and research institutions involved in underwater technology. More recently, the Volt Typhoon campaign (attributed to PRC by Microsoft and the Five Eyes alliance in May 2023) was assessed to be pre-positioning for disruption of critical infrastructure, including port operations, in a potential conflict scenario over Taiwan. The strategic logic is clear: in a Taiwan contingency, the PRC’s ability to disrupt allied logistics and port operations across the Pacific would carry significant military and economic advantages.

Russian Federation. Russian intelligence services target maritime infrastructure primarily in the context of the Ukraine conflict and broader competition with NATO. GRU cyber operations (Sandworm/Unit 74455, APT28/Unit 26165) have demonstrated willingness to conduct destructive operations against logistics and transportation infrastructure, as the NotPetya incident demonstrated. Since 2022, Russian cyber operations have focused on intelligence collection targeting grain shipment logistics (related to the Black Sea Grain Initiative), energy supply chains (particularly LNG shipping and North Sea energy infrastructure), and NATO naval logistics. The SVR (APT29/Cozy Bear) has targeted maritime-adjacent organizations, including port authorities in Northern Europe, maritime insurance firms at Lloyd’s, and defense contractors involved in naval programs. Additionally, Russian intelligence services have conducted GPS interference operations in the Baltic Sea, Eastern Mediterranean, and Black Sea regions that directly affect commercial shipping—operations assessed to serve both military objectives and intelligence collection on NATO maritime positioning.

Islamic Republic of Iran. Iranian cyber operations targeting the maritime sector are concentrated geographically around the Persian Gulf, the Strait of Hormuz, and the Red Sea/Gulf of Aden corridor. Groups attributed to the Islamic Revolutionary Guard Corps (IRGC), including APT33 (Elfin) and APT35 (Charming Kitten), have targeted port authorities, shipping companies, and energy logistics firms operating in the region. Iran’s cyber capabilities in the maritime domain are assessed to serve both intelligence collection and deterrence objectives—demonstrating the ability to disrupt commercial shipping through the Strait of Hormuz as a coercive tool during geopolitical tensions. The Houthi campaign against Red Sea commercial shipping since late 2023 has added a kinetic dimension to this threat, and Dark Angel assesses with moderate confidence that Iranian-aligned cyber capabilities have been used to support targeting and intelligence collection for these physical attacks on commercial vessels.

Ransomware Groups

The ransomware ecosystem has increasingly identified maritime and logistics organizations as high-value targets, driven by the sector’s operational urgency, limited tolerance for downtime, and historically immature cybersecurity programs relative to other critical infrastructure sectors.

Dark Angel’s monitoring of data leak sites and incident reports identifies at least 68 confirmed ransomware incidents affecting maritime and port organizations globally between January 2023 and March 2025. The Clop (TA505) group targeted multiple shipping and logistics firms during its mass exploitation campaigns against MOVEit Transfer and GoAnywhere MFT in 2023, capitalizing on the maritime sector’s widespread use of managed file transfer solutions for bill-of-lading processing, customs documentation, and port-to-carrier communications. LockBit affiliates compromised at least three major port operators during the same period, with one incident at a Southeast Asian container terminal resulting in seven days of degraded operations and estimated direct losses exceeding $25 million. The ALPHV/BlackCat group (before its law enforcement disruption in late 2023) targeted a European shipping conglomerate’s management networks, exfiltrating crew manifests, insurance documentation, and commercially sensitive charter rate data that was subsequently published on its leak site. More recently, Akira and Black Basta have emerged as active threats to maritime logistics firms, exploiting VPN appliance vulnerabilities (particularly Cisco ASA/FTD and Fortinet FortiGate) that remain prevalent across the sector’s shore-side infrastructure.

Hacktivists

Hacktivist operations targeting the maritime sector have intensified since the onset of the Russia-Ukraine conflict. Pro-Russian groups—including KillNet, NoName057(16), and the Cyber Army of Russia Reborn—have conducted repeated DDoS campaigns against European port authority websites, vessel traffic service (VTS) information portals, and maritime logistics platforms. While the technical impact of these operations has been largely limited to temporary service unavailability, targeted campaigns against the Port of Rotterdam, Hamburg, Antwerp, and multiple Baltic port authorities have generated media coverage and demonstrated the capacity to impose reputational and operational overhead on critical maritime infrastructure. Pro-Ukrainian hacktivist groups have reciprocally targeted Russian port infrastructure, particularly in Novorossiysk and St. Petersburg, claiming disruptions to customs processing and vessel scheduling systems. The conflation of hacktivism with state-directed operations in both camps makes clean attribution challenging; Dark Angel assesses with moderate confidence that some nominally hacktivist campaigns targeting European maritime infrastructure receive tasking or coordination from Russian intelligence services.

OT/IT Convergence Risks

Vessel Systems

The operational technology aboard modern commercial vessels presents a uniquely challenging security environment. Three categories of shipboard OT carry the highest consequence in the event of compromise.

Electronic Chart Display and Information System (ECDIS) is the primary navigation system on SOLAS-convention vessels, having replaced paper charts as the regulatory baseline for voyage planning and navigation. ECDIS terminals run on standard computing platforms (typically Windows Embedded or Linux-based systems) and process electronic navigational charts (ENCs) issued by national hydrographic offices. Demonstrated vulnerabilities include the ability to manipulate chart data to misrepresent navigational hazards, alter planned routes, or suppress display of critical features. A 2023 research disclosure documented the ability to inject falsified chart updates into ECDIS systems via compromised USB media—a vector particularly relevant given the maritime sector’s continued heavy reliance on USB-based data transfer for chart updates, port documentation, and software patches aboard vessels at sea.

Automatic Identification System (AIS) is a mandatory transponder system that broadcasts vessel identity, position, course, and speed to other vessels and shore stations. AIS operates on VHF maritime frequencies and was designed without authentication or encryption—a fundamental architectural weakness that has been repeatedly exploited. Researchers have demonstrated the ability to create phantom vessels (broadcasting false AIS positions to create non-existent traffic), spoof existing vessel positions (making a vessel appear in a different location), trigger false collision alarms on nearby vessels, and suppress AIS transmission entirely. Real-world AIS manipulation has been documented extensively: since 2021, thousands of instances of AIS spoofing have been detected in the Black Sea, where vessels’ reported positions have been displaced to airport locations or military facilities—activity attributed to Russian electronic warfare operations. In the Eastern Mediterranean, similar patterns have been observed near Syrian military facilities. The security implications extend beyond navigation: AIS data underpins vessel traffic services, port scheduling, maritime domain awareness, and sanctions enforcement monitoring. Manipulation of AIS data can facilitate sanctions evasion, smuggling, and illegal fishing while degrading the maritime situational awareness that coast guards and naval forces depend upon.

GPS/GNSS navigation remains the foundation of maritime positioning, with virtually all commercial vessels depending on Global Navigation Satellite Systems for position determination, timing synchronization, and integration with ECDIS, radar overlay, and AIS. GPS spoofing—the transmission of counterfeit GPS signals that cause receivers to calculate false positions—has transitioned from a theoretical risk to a documented operational reality. The most significant maritime GPS spoofing campaigns have been observed in the Black Sea (beginning in 2017, with vessels in the port of Novorossiysk reporting positions displaced by 25 nautical miles to Gelendzhik airport), the Eastern Mediterranean (associated with Russian military operations in Syria), the Persian Gulf (attributed to Iranian electronic warfare), and most recently in the Baltic Sea (beginning in late 2023, coinciding with increased NATO-Russia tensions in the region). A 2024 study by the Foundation for Resilient Societies documented over 90,000 instances of suspected GPS interference affecting commercial vessels in the Eastern Mediterranean alone during a 12-month period. The cascading effects of GPS spoofing on vessel navigation are significant: a spoofed GPS position propagates through ECDIS, corrupts AIS-reported positions, and can lead to erroneous collision avoidance calculations—creating genuine safety-of-life risks.
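The AIS and GNSS passages above both come down to the same defensive check: a vessel's broadcast track must stay physically plausible, and a displaced position (the Black Sea reports landing on airports) breaks that plausibility. The following is an added example written for this report, not code from Dark Angel or any vendor: it runs consecutive AIS position reports through a haversine-based speed check and a constructed inland exclusion zone. The track, MMSI, coordinates and zone bounds are all constructed sample data, not real vessel positions.

```python
"""Plausibility checks over a vessel's AIS position reports (added example).

A GNSS spoof or a forged AIS broadcast shows up as a position the hull could
not physically have reached since the previous report, or as a position on
land. Both are flagged here so a shore-side monitoring team can triage them.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


@dataclass
class PositionReport:
    mmsi: int
    t: int        # report time, seconds since epoch
    lat: float    # degrees, north positive
    lon: float    # degrees, east positive
    sog: float    # speed over ground in knots, as broadcast by the transponder


@dataclass
class Anomaly:
    mmsi: int
    t: int
    reason: str
    value: float  # implied speed in knots, or 0.0 for zone hits


def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in nautical miles."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(a))


def check_track(reports, max_speed_knots=40.0, land_zones=()):
    """Return anomalies for one vessel's reports.

    max_speed_knots is a hull limit well above any merchant vessel; a jump
    implying more than that is treated as spoofing or forgery, not motion.
    land_zones is an iterable of (name, lat_min, lat_max, lon_min, lon_max).
    """
    anomalies = []
    ordered = sorted(reports, key=lambda r: r.t)
    for prev, cur in zip(ordered, ordered[1:]):
        dt_h = (cur.t - prev.t) / 3600.0
        if dt_h <= 0:
            anomalies.append(Anomaly(cur.mmsi, cur.t, "duplicate_or_backdated_timestamp", 0.0))
            continue
        implied = haversine_nm(prev.lat, prev.lon, cur.lat, cur.lon) / dt_h
        if implied > max_speed_knots:
            anomalies.append(Anomaly(cur.mmsi, cur.t, "implied_speed_exceeds_hull_limit", implied))
        elif implied > max(prev.sog, cur.sog) * 1.5 + 2.0:
            # Physically possible but far faster than the vessel says it is going.
            anomalies.append(Anomaly(cur.mmsi, cur.t, "implied_speed_inconsistent_with_sog", implied))
    for r in ordered:
        for name, lat_min, lat_max, lon_min, lon_max in land_zones:
            if lat_min <= r.lat <= lat_max and lon_min <= r.lon <= lon_max:
                anomalies.append(Anomaly(r.mmsi, r.t, "position_in_land_exclusion_zone", 0.0))
    return anomalies


# Constructed sample: a vessel steaming north at ~10 knots, reporting every
# 10 minutes, with one report displaced inland into a constructed "airport"
# zone and then returning to the real track. Not real vessel data.
SAMPLE_TRACK = [
    PositionReport(123456789, 0, 44.700, 37.800, 10.0),
    PositionReport(123456789, 600, 44.728, 37.800, 10.0),
    PositionReport(123456789, 1200, 44.756, 37.800, 10.0),
    PositionReport(123456789, 1800, 44.550, 38.050, 10.0),   # spoofed report
    PositionReport(123456789, 2400, 44.812, 37.800, 10.0),
    PositionReport(123456789, 3000, 44.840, 37.800, 10.0),
]
SAMPLE_LAND_ZONES = [("constructed_airport_zone", 44.50, 44.60, 38.00, 38.10)]


def run_sample():
    return check_track(SAMPLE_TRACK, land_zones=SAMPLE_LAND_ZONES)


if __name__ == "__main__":
    for a in sorted(run_sample(), key=lambda a: (a.t, a.reason)):
        print(f"mmsi={a.mmsi} t={a.t:>5} {a.reason} {a.value:.1f}")
```

On the sample track the three legitimate legs pass (about 10 knots implied), while the displaced report is flagged twice for an implied speed near 100 knots (into and out of the spoofed position) and once for lying inside the exclusion zone.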

Port Operational Technology

Terminal Operating Systems (TOS) are the central nervous system of modern container port operations, managing the allocation of berths, the planning of container stowage aboard vessels, the dispatch of cranes and transport equipment in the yard, the routing of trucks through gate facilities, and the coordination of rail and barge intermodal transfers. The market is concentrated among a small number of vendors: Navis (Cargotec) N4, TBA Group’s OSCAR, Jade Logistics’ Master Terminal, and Tideworks’ Mainsail account for the majority of global terminal automation deployments. A compromise of TOS can halt terminal throughput entirely. During the Maersk/NotPetya incident, APM Terminals operated gates manually using pen and paper, but throughput dropped to a fraction of normal capacity. The concentration of the TOS vendor market means that a supply chain compromise targeting a single vendor’s software update mechanism could simultaneously affect dozens of terminals globally.

Crane control systems and cargo handling equipment in automated terminals operate on industrial control networks using protocols including Modbus, PROFINET, and OPC UA. Automated stacking cranes at facilities such as Rotterdam’s Maasvlakte II, Hamburg’s Container Terminal Altenwerder, and Long Beach Container Terminal operate without human operators aboard the equipment. Compromise of crane control systems presents both operational disruption and safety risks: unauthorized movement of cranes carrying 40-tonne containers in a terminal where human workers are present creates potential fatality scenarios that distinguish maritime OT compromise from the purely financial consequences of most IT-focused attacks.

VSAT Satellite Communications

Very Small Aperture Terminal (VSAT) satellite communications provide the primary data link for vessels at sea. The maritime VSAT market is served by providers including Inmarsat (now Viasat), SES, Iridium, and Starlink (which has rapidly gained market share since entering the maritime segment in 2023). Security research has identified significant vulnerabilities in maritime VSAT systems, including unencrypted firmware update mechanisms, default credentials on terminal management interfaces, and lack of authentication for satellite modem configuration protocols. In 2020, the security researcher James Pavur demonstrated the ability to intercept unencrypted VSAT traffic from commercial vessels, capturing crew communications, operational data, and in some cases, unencrypted credentials for corporate systems. While the adoption of higher-bandwidth, lower-latency services (particularly Starlink Maritime) is improving connectivity, it simultaneously increases the attack surface by enabling persistent, high-bandwidth connections between vessels and shore-side networks—connections that facilitate both legitimate operations and potential adversary access.

Ransomware Targeting Maritime Operations

Disruption Economics

The economic logic driving ransomware targeting of maritime organizations is compelling. Major container ports generate revenues measured in hundreds of millions of dollars annually, and their customers—global retailers, manufacturers, and commodity traders—face cascading costs for every day of disruption. Dark Angel’s analysis of documented port disruption events estimates that average direct costs of operational downtime at a major container terminal range from $200,000 to $500,000 per day, encompassing vessel demurrage charges (fees levied when vessels are delayed beyond their allocated berth window), truck detention costs, diverted cargo rerouting expenses, labor costs for manual operations, and contractual penalties. However, direct costs dramatically understate the true economic impact. A five-day disruption at a major gateway port triggers supply chain cascading effects that amplify total economic impact by a factor of 5–15x: manufacturers face production line stoppages due to delayed components, retailers experience stockouts, agricultural exporters miss spoilage windows for perishable goods, and the port itself faces weeks of congestion backlog after operations resume. The Maersk/NotPetya incident, which disrupted operations across 76 terminals for approximately two weeks, demonstrated that indirect costs across the global supply chain likely exceeded $10 billion—orders of magnitude beyond Maersk’s own $300 million direct loss estimate.

This economic pressure creates powerful incentive structures. Ransomware operators can credibly threaten losses in the tens or hundreds of millions of dollars by disrupting port operations, making ransom demands of $5–20 million appear rational from a cost-benefit perspective for the victim. Simultaneously, the sector’s historical underinvestment in cybersecurity means that the cost of initial compromise is often low relative to the potential payout—an asymmetry that rational, financially motivated actors will continue to exploit.

Key Incidents and Supply Chain Cascading

Beyond the headline incidents at Maersk, Transnet, and DNV, Dark Angel has tracked a pattern of ransomware incidents across the maritime ecosystem that illustrate the sector’s systemic vulnerability. In September 2020, CMA CGM, the world’s third-largest container shipping line, suffered a Ragnar Locker ransomware attack that forced the company to take its online booking systems offline for approximately two weeks, requiring customers to revert to email and telephone-based booking. In February 2022, Expeditors International, a major freight forwarding and logistics company, disclosed a cyber incident that shut down most of its operating systems globally for three weeks, with the company reporting $60 million in direct costs and lost revenue. The classification society ClassNK experienced a data breach in 2022 that exposed vessel inspection records, while the Port of Lisbon confirmed a LockBit ransomware attack in January 2023 that compromised port authority systems and resulted in data publication on LockBit’s leak site.

The supply chain cascading effects of maritime ransomware incidents extend well beyond the directly affected organization. When DP World Australia’s port operations were disrupted by a cyber incident in November 2023, approximately 30,000 containers were stranded across terminals in Sydney, Melbourne, Brisbane, and Fremantle. The disruption affected agricultural exporters facing time-sensitive shipment windows, manufacturing firms dependent on imported components, and retail supply chains preparing for the holiday season. Recovery took more than three weeks to fully normalize, and the incident prompted the Australian government to convene an emergency response coordination mechanism typically reserved for natural disasters—an indication of the strategic significance attributed to port cyber resilience at the national policy level.

Regulatory Landscape

IMO MSC.428(98): Maritime Cyber Risk Management

The International Maritime Organization’s Maritime Safety Committee adopted resolution MSC.428(98) in June 2017, requiring flag state administrations to ensure that cyber risks are appropriately addressed in safety management systems (SMS) no later than the first annual verification of the company’s Document of Compliance after 1 January 2021. The resolution is implemented through the International Safety Management (ISM) Code, which requires shipping companies to maintain an SMS that identifies and mitigates risks to the ship, personnel, and the environment. The practical effect is that cyber risk management is now auditable by flag state and port state control inspectors, and failure to demonstrate adequate cyber risk management within the SMS can result in detentions or non-compliance findings. However, the resolution provides no prescriptive technical requirements—it requires that cyber risks be “appropriately addressed” within the SMS without specifying what constitutes appropriate controls. This principles-based approach provides flexibility but has resulted in highly variable implementation quality across the global fleet, with some operators maintaining sophisticated cyber risk management programs and others achieving compliance through minimal documentation that does not reflect genuine security improvements.

EU NIS2: Maritime as Essential Entities

The Network and Information Security Directive 2 (NIS2), which reached its transposition deadline on 17 October 2024, explicitly classifies maritime transport as a sector containing essential entities. Under NIS2’s expanded scope, port managing bodies, vessel traffic services, shipping companies, and inland waterway operators are subject to the directive’s requirements for risk management measures, incident reporting (initial notification within 24 hours, intermediate report within 72 hours, final report within one month), supply chain security, and management body accountability. The inclusion of management body accountability is particularly significant for the maritime sector: under Article 20, the management bodies of essential entities can be held personally liable for failure to implement adequate cybersecurity measures—a provision that elevates cyber risk from a technical concern to a board-level governance obligation. For maritime organizations operating across multiple EU member states (as virtually all significant European shipping companies and port operators do), NIS2 compliance requires navigating potentially divergent national transpositions, identifying competent authorities in each jurisdiction, and establishing incident reporting procedures that satisfy multiple regulatory frameworks simultaneously.

IACS UR E26 and E27: Cyber Resilience for New Ships

The International Association of Classification Societies (IACS) adopted Unified Requirements E26 (Cyber Resilience of Ships) and E27 (Cyber Resilience of On-Board Systems and Equipment) effective for ships contracted for construction on or after 1 July 2024. These unified requirements represent the first binding, technically prescriptive cybersecurity standards for new vessel construction. UR E26 requires the ship integrator to identify and protect computer-based systems whose failure could affect the safety, security, or environmental performance of the vessel. It mandates the development of a ship cyber resilience framework, including asset inventories, network architecture documentation, zone and conduit models (aligned with IEC 62443 industrial security principles), and security testing during sea trials. UR E27 imposes requirements on equipment suppliers, mandating that individual systems and components delivered for installation aboard new vessels meet defined cybersecurity capabilities including secure configuration, access control, malware protection, and network security. Together, E26 and E27 represent a significant step toward baseline cybersecurity for the maritime sector—but their application to new constructions only means that the existing global fleet of over 100,000 vessels will not benefit from these requirements for decades, creating a prolonged period of heterogeneous security maturity across the commercial fleet.

Attack Vectors Specific to Maritime

USB-Based Attacks on Vessels

Despite advances in satellite connectivity, USB removable media remains a primary data transfer mechanism aboard commercial vessels. Chart updates for ECDIS systems, software patches for bridge and engine room equipment, crew entertainment media, and port documentation are routinely delivered via USB drives—a practice driven by bandwidth constraints, the cost of satellite data transmission, and the operational reality that many ports lack reliable, secure shore-to-ship data connectivity. The security implications are significant. In 2019, the U.S. Coast Guard issued Marine Safety Alert 06-19 following an incident in which malware delivered via USB media infected the IT system of a deep-draft vessel, degrading shipboard computer systems though not affecting vessel control systems. Dark Angel’s assessment is that USB-borne malware represents the most reliable initial access vector for targeted attacks against vessel OT systems, particularly for adversaries with access to port logistics chains where USB media can be intercepted, infected, and returned to the distribution channel. The physical security of USB media in the maritime context is fundamentally weak: chart agents, service engineers, chandlers, and port officials all routinely deliver USB devices to vessels, creating multiple insertion points for malicious media.
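The controlled, auditable transfer procedure this report recommends for chart updates and patches can be built on a signed manifest: the shore office hashes every file destined for the vessel and signs the list, and nothing is copied off the medium until the signature, the hashes and the file set all check out. The following is an added example written for this page, not Dark Angel’s tooling or any vendor’s. The file names, the sequence numbers and the pre-shared key are constructed, and HMAC with a shared key stands in for the asymmetric signature a real deployment would use so that the example runs on the Python standard library alone.

```python
"""Signed-manifest gate for files arriving on USB media (added example).

Shore side (build_manifest): hash every payload file, write MANIFEST.json
and an HMAC-SHA256 tag over it. Ship side (verify_media): refuse to copy
anything unless the tag verifies, the sequence number is fresh, every listed
file is present with the right hash, nothing unlisted (autorun.inf, a dropped
executable) is on the medium, and no listed path escapes the media root.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed pre-shared key for the example. Operationally the verification
# key belongs in a TPM/HSM or protected store on the vessel, never on the media,
# and an asymmetric scheme (only a public key on board) is preferable.
SHARED_KEY = b"constructed-demo-key-rotate-before-use"
MANIFEST_NAME = "MANIFEST.json"
SIG_NAME = "MANIFEST.sig"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def payload_files(media_root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every non-manifest file on the medium."""
    return {
        p.relative_to(media_root).as_posix(): sha256_file(p)
        for p in sorted(media_root.rglob("*"))
        if p.is_file() and p.name not in (MANIFEST_NAME, SIG_NAME)
    }


def build_manifest(media_root: Path, sequence: int, key: bytes = SHARED_KEY) -> None:
    """Shore side: write the manifest and its tag onto the medium."""
    body = json.dumps({"sequence": sequence, "files": payload_files(media_root)},
                      sort_keys=True, separators=(",", ":")).encode()
    (media_root / MANIFEST_NAME).write_bytes(body)
    (media_root / SIG_NAME).write_text(hmac.new(key, body, "sha256").hexdigest())


def verify_media(media_root: Path, last_sequence: int, key: bytes = SHARED_KEY) -> dict:
    """Ship side gate. Returns {'ok', 'sequence', 'files', 'errors'}; copy only if ok."""
    result = {"ok": False, "sequence": None, "files": [], "errors": []}
    try:
        body = (media_root / MANIFEST_NAME).read_bytes()
        tag = (media_root / SIG_NAME).read_text().strip()
    except OSError as exc:
        result["errors"].append(f"manifest or tag unreadable: {exc}")
        return result
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), tag):
        result["errors"].append("manifest tag does not verify")
        return result  # do not even parse an unauthenticated manifest
    manifest = json.loads(body)
    seq = manifest["sequence"]
    result["sequence"] = seq
    if seq <= last_sequence:
        result["errors"].append(f"replayed manifest: sequence {seq} <= {last_sequence}")
    listed = manifest["files"]
    present = payload_files(media_root)  # re-hashed from disk, never trusted from the manifest
    for extra in sorted(set(present) - set(listed)):
        result["errors"].append(f"unlisted file on media: {extra}")
    root = media_root.resolve()
    for rel, digest in listed.items():
        if root not in (root / rel).resolve().parents:
            result["errors"].append(f"path escapes media root: {rel}")
        elif rel not in present:
            result["errors"].append(f"listed file missing: {rel}")
        elif not hmac.compare_digest(present[rel], digest):
            result["errors"].append(f"hash mismatch: {rel}")
    result["files"] = sorted(listed)
    result["ok"] = not result["errors"]
    return result


def demo() -> tuple:
    """Constructed scenario: clean medium passes; tampered and replayed media fail."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "charts").mkdir()
        (root / "charts" / "GB50001A.000").write_bytes(b"constructed ENC cell bytes")
        (root / "ecdis_patch_v2.bin").write_bytes(b"constructed vendor patch")
        build_manifest(root, sequence=42)
        clean = verify_media(root, last_sequence=41)
        # Interception in the logistics chain: patch swapped, autorun payload dropped.
        (root / "ecdis_patch_v2.bin").write_bytes(b"constructed trojanised patch")
        (root / "autorun.inf").write_text("[autorun]\nopen=ecdis_patch_v2.bin\n")
        tampered = verify_media(root, last_sequence=41)
        # Same medium presented again after sequence 42 was already accepted.
        replayed = verify_media(root, last_sequence=42)
    return clean, tampered, replayed


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Two design points matter more than the code. The tag is checked before the manifest is parsed, so a forged manifest never reaches the JSON parser, and the hashes are recomputed from the files actually on the medium, so a swapped file fails even if the attacker kept the original manifest. The weakness of the shared-key variant is that a key recovered from one vessel lets an attacker sign for the whole fleet, which is why a public-key signature with the private key held only ashore is the production choice. Note also that ENC cells distributed under the IHO S-63 scheme already carry their own digital signatures, which an ECDIS verifies on import; the manifest gate is for everything else that travels on the same stick.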

Compromised Port WiFi and Crew Networks

Commercial ports typically provide WiFi access for berthed vessels, and seafarers routinely connect personal devices and, in some cases, vessel operational systems to these networks. The security posture of port WiFi infrastructure varies enormously: some major terminals operate enterprise-grade wireless networks with proper segmentation; others provide open or minimally secured access that positions any connected device on a shared network with other vessels, port operational systems, and hundreds of transient users. Adversaries can establish rogue access points mimicking legitimate port WiFi to conduct credential harvesting, session hijacking, and malware delivery targeting vessels in port. Crew welfare WiFi aboard vessels presents an additional risk: where crew internet access shares physical or logical network infrastructure with operational systems (a more common configuration than operators typically acknowledge), compromise of a crew member’s personal device can provide a foothold for lateral movement into ship management or navigation networks.
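The shared-infrastructure problem described above is testable: if the vessel’s zones and the conduits allowed between them are written down, any observed flow that crosses a zone boundary outside a listed conduit is a segmentation violation, and a crew device talking to ECDIS shows up immediately. The following is an added example for this page, not Dark Angel’s or any vendor’s code. The address plan, the conduit list and the flow records are all constructed; aboard a real vessel the records would come from a span port on the core switch, a NetFlow/IPFIX export, or the boundary firewall’s logs.

```python
"""Zone/conduit audit of observed vessel network flows (added example).

Zones approximate an IEC 62443 zone model for a vessel; traffic may cross a
zone boundary only through an explicitly allowed conduit. Every observed
inter-zone flow with no matching conduit is a segmentation violation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan for the example, not a standard one.
ZONES = {
    "bridge_ot": ipaddress.ip_network("10.10.0.0/24"),     # ECDIS, radar, AIS, GNSS
    "engine_ot": ipaddress.ip_network("10.20.0.0/24"),     # alarm/monitoring, PLCs
    "ship_it": ipaddress.ip_network("10.30.0.0/24"),       # ship office, email, PMS
    "crew_welfare": ipaddress.ip_network("10.40.0.0/22"),  # crew WiFi
    "dmz": ipaddress.ip_network("10.50.0.0/24"),           # historian behind the data diode
    "shore": ipaddress.ip_network("0.0.0.0/0"),            # everything beyond the VSAT
}


@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    proto: str
    dport: Optional[int]  # None means any destination port


# Constructed allowlist; anything else crossing a zone boundary is a violation.
CONDUITS = {
    Conduit("bridge_ot", "dmz", "tcp", 4840),   # OPC UA telemetry pushed to the historian
    Conduit("engine_ot", "dmz", "tcp", 4840),
    Conduit("dmz", "shore", "tcp", 443),        # historian replicates to the shore office
    Conduit("ship_it", "shore", "tcp", 443),
    Conduit("ship_it", "shore", "tcp", 993),    # mail
    Conduit("crew_welfare", "shore", "tcp", None),
    Conduit("crew_welfare", "shore", "udp", None),
}


def zone_of(ip: str) -> str:
    """Longest-prefix match; the /0 'shore' zone only wins when nothing else does."""
    addr = ipaddress.ip_address(ip)
    prefixlen, name = max((net.prefixlen, name) for name, net in ZONES.items() if addr in net)
    return name


def is_allowed(src_zone: str, dst_zone: str, proto: str, dport: int) -> bool:
    if src_zone == dst_zone:
        return True  # intra-zone traffic is outside conduit policy
    return any(c.src == src_zone and c.dst == dst_zone and c.proto == proto
               and c.dport in (None, dport) for c in CONDUITS)


def parse_flow_log(text: str) -> list:
    """Constructed line format: '<epoch> <proto> <src>:<sport> -> <dst>:<dport>'."""
    flows = []
    for line in text.strip().splitlines():
        ts, proto, src, _, dst = line.split()
        s_ip, s_port = src.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
        flows.append({"ts": int(ts), "proto": proto, "src": s_ip, "sport": int(s_port),
                      "dst": d_ip, "dport": int(d_port)})
    return flows


def audit(flows: list) -> list:
    """Return the flows that cross a zone boundary outside any allowed conduit."""
    violations = []
    for f in flows:
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        if not is_allowed(sz, dz, f["proto"], f["dport"]):
            violations.append({**f, "src_zone": sz, "dst_zone": dz})
    return violations


# Constructed sample: a few flows from one watch, including three violations.
SAMPLE_FLOW_LOG = """
1700000000 tcp 10.10.0.5:49152 -> 10.50.0.10:4840
1700000005 tcp 10.40.1.23:52000 -> 203.0.113.8:443
1700000010 tcp 10.40.1.23:52001 -> 10.10.0.5:445
1700000015 tcp 10.30.0.15:53001 -> 10.20.0.7:502
1700000020 tcp 10.30.0.15:53002 -> 203.0.113.9:443
1700000025 tcp 198.51.100.7:40000 -> 10.10.0.5:22
1700000030 tcp 10.10.0.5:49153 -> 10.10.0.9:5900
"""

if __name__ == "__main__":
    for v in audit(parse_flow_log(SAMPLE_FLOW_LOG)):
        print(f'{v["ts"]} {v["src_zone"]} -> {v["dst_zone"]} {v["proto"]}/{v["dport"]} '
              f'({v["src"]} -> {v["dst"]})')
```

The three flagged flows are exactly the paths the paragraph warns about: a crew laptop reaching an ECDIS workstation over SMB, a ship-office PC polling an engine-room Modbus device, and an inbound SSH connection from the internet to the bridge network. The same check run against a month of flow records is a cheap way to find out whether a vessel’s segmentation exists in the network or only in the drawings, and the conduit list doubles as the documentation UR E26 asks for.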

Supply Chain Attacks Through Maritime Software Vendors

The maritime sector’s reliance on a concentrated ecosystem of specialized software vendors creates supply chain risk that the DNV ShipManager incident demonstrated in practice. Fleet management software, TOS platforms, port community systems, customs and cargo documentation platforms, and classification society systems are provided by a relatively small number of vendors, many of whom maintain persistent connectivity to client systems for support, updates, and data synchronization. A compromise of a single maritime software vendor can propagate simultaneously to hundreds of client organizations. The broader software industry has begun to address this concentration of risk through software bills of materials (SBOM) and secure software development lifecycle (SSDLC) requirements, but the maritime sector has been slow to adopt either. The Clop group’s mass exploitation of file transfer solutions in 2023 illustrated the exposure: maritime firms that had deployed MOVEit Transfer for bill-of-lading processing and customs documentation exchange were compromised alongside organizations in every other sector that used the same product.

Social Engineering Targeting Crew

The human element in maritime cybersecurity is shaped by unique operational factors. Merchant vessel crews typically serve contracts of 4–9 months, during which they experience extended periods of isolation, fatigue from watchkeeping schedules, and limited access to communications. Cybersecurity awareness training for seafarers, where it exists, is typically delivered as part of pre-embarkation or annual safety training and rarely addresses the specific threat scenarios that crew members encounter—phishing targeting personal email accounts accessed via crew WiFi, social engineering via messaging applications, or manipulation of USB media. The Manila Amendments to the STCW Convention (Standards of Training, Certification and Watchkeeping for Seafarers) do not include cybersecurity competency requirements, meaning that there is no international regulatory mandate for seafarer cyber awareness training. Dark Angel’s interviews with maritime security officers across 12 shipping companies reveal that fewer than 30% conduct recurring cybersecurity training for sea staff, and fewer than 10% include practical exercises such as simulated phishing campaigns tailored to the maritime operational environment.

Sector-Specific Defensive Recommendations

The following recommendations are prioritized for maritime and shipping organizations based on the threat assessment presented in this report. They address the sector’s unique operational characteristics, regulatory obligations, and the specific threat actor targeting patterns identified through Dark Angel’s analysis.

  1. Implement network segmentation between vessel IT, OT, and crew welfare systems. Bridge navigation systems (ECDIS, AIS, radar), engine management systems, and cargo monitoring systems must be architecturally isolated from crew internet access, corporate email, and administrative IT systems. Implement zone and conduit models aligned with IEC 62443 principles, and document each permitted conduit (source zone, destination zone, protocol, port) so that observed traffic can be checked against the policy rather than against a drawing. Where full air-gapping is not operationally feasible, deploy unidirectional security gateways (data diodes) that permit telemetry export from OT networks while preventing inbound traffic from IT networks; because a diode also blocks legitimate inbound vendor support, remote maintenance needs its own brokered, time-limited conduit rather than a permanent exception at the boundary. Validate segmentation through regular penetration testing that includes physical presence aboard representative vessels.
  2. Establish USB media control policies with technical enforcement. Deploy endpoint protection on all bridge and engine room computing systems capable of scanning removable media before execution, and disable autorun. Implement USB device allowlisting where operationally feasible. Establish controlled, auditable procedures for chart updates, software patches, and data transfers that minimize reliance on uncontrolled USB media: files should be hashed and signed ashore and verified aboard before anything is copied off the medium. For ECDIS chart updates specifically, rely on the digital signatures that the IHO S-63 data protection scheme places on ENC cells and permits rather than on trust in the medium, and transition to authenticated, encrypted delivery mechanisms where supported by the chart data provider and ECDIS manufacturer.
  3. Deploy GPS/GNSS integrity monitoring and multi-source positioning. Receiver autonomous integrity monitoring (RAIM) detects a satellite whose range measurement is inconsistent with the others and so catches crude interference and faulty signals, but a spoofer that synthesizes a self-consistent set of signals passes RAIM. Multi-constellation receivers (GPS, GLONASS, Galileo, BeiDou) raise the bar because the attacker must spoof every constellation coherently, and navigation message authentication such as Galileo OSNMA lets a receiver verify that the navigation data it decodes originates from the system. Evaluate commercial anti-spoofing solutions on that basis. Establish bridge team procedures for recognizing and responding to potential GPS spoofing indicators, including unexpected position jumps, divergence between GPS and radar-derived or dead-reckoned positions, and inconsistencies between GPS time and independent clock sources. Consider enhanced Loran (eLoran) receivers as a terrestrial positioning backup where a service is available, noting that coverage is currently limited to a few regions.
  4. Conduct OT-specific threat assessments for port infrastructure. Terminal operating systems, crane control networks, and automated equipment communication buses must be assessed using OT-appropriate methodologies (IEC 62443 risk assessment, NIST SP 800-82). Engage security firms with specific maritime OT expertise—generic IT penetration testing firms typically lack the domain knowledge to assess PROFINET, Modbus, and OPC UA environments safely. Ensure that assessments cover the full kill chain from shore-side IT compromise through lateral movement into OT networks.
  5. Implement satellite communications security hardening. Change default credentials on all VSAT terminal management interfaces and restrict those interfaces to a management network that crew and guest segments cannot reach. Enable encryption for ship-to-shore data links where supported by the service provider. Segment VSAT traffic so that crew internet access does not traverse the same logical path as operational data. Monitor VSAT terminals for unauthorized configuration changes, firmware modifications, and anomalous traffic patterns. Evaluate Starlink or equivalent LEO constellation services for improved bandwidth with reduced signal interception risk compared to legacy GEO VSAT systems, recognizing that a LEO terminal is still an internet-connected device with a management interface that needs the same hardening, and that more bandwidth also gives an adversary with a foothold a faster path off the vessel.
  6. Develop maritime-specific incident response plans and conduct tabletop exercises. Standard enterprise incident response playbooks do not account for the maritime sector’s unique constraints: limited bandwidth at sea, absence of on-site IT support during voyages, multi-jurisdictional regulatory notification obligations, and the need to maintain vessel safety regardless of IT system status. Develop playbooks that address scenarios including ransomware aboard a vessel at sea, GPS spoofing during transit through a congested waterway, TOS compromise at a major terminal, and coordinated attacks across multiple vessels or ports. Conduct tabletop exercises that include bridge officers, shore-side operations, IT security, legal, and regulatory affairs—at minimum annually.
  7. Align cybersecurity programs with concurrent regulatory requirements. Maritime organizations face overlapping obligations under IMO MSC.428(98), NIS2 (for EU-operating entities), IACS UR E26/E27 (for new constructions), and potentially DORA (where maritime logistics firms serve financial sector supply chains). Map control requirements across these frameworks to identify overlaps and gaps, and implement a unified compliance management approach that avoids duplicative effort while ensuring complete coverage. Prioritize IMO ISM Code cyber risk management integration and NIS2 incident reporting readiness as immediate compliance priorities.
  8. Invest in seafarer cybersecurity awareness training. Develop training programs that address the specific threat scenarios encountered at sea: phishing via personal email on crew WiFi, social engineering in port, USB media hygiene, and recognition of anomalous system behavior on bridge and engine room equipment. Training must be practical, delivered in the languages spoken by the crew, and integrated into existing maritime safety training frameworks rather than treated as a standalone IT exercise. Conduct simulated phishing exercises tailored to the maritime context and track engagement metrics to measure improvement over time.
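Recommendation 3 names three spoofing indicators the bridge team should watch for. As an added example for this page, not Dark Angel’s or any vendor’s code, the following runs those three checks over a constructed sequence of fixes: an implied speed between consecutive GNSS fixes that the hull cannot achieve, divergence between the GNSS fix and an independent radar-derived position, and drift between GNSS time and the ship’s own clock. The transit geometry, the thresholds and the simplified input record are assumptions; on a real bridge the values would be parsed from NMEA 0183 sentences off the receiver and from the radar’s fixed-target tracking.

```python
"""GNSS plausibility checks for the three spoofing indicators (added example).

(1) position_jump: implied speed between consecutive GNSS fixes exceeds what
    the hull can do;
(2) radar_divergence: the GNSS fix disagrees with an independent position
    (radar range/bearing to a charted object, or dead reckoning);
(3) clock_drift: GNSS-reported time diverges from an independent ship clock.
"""
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
KNOT_MPS = 0.514444


@dataclass(frozen=True)
class Fix:
    t: float          # ship's independent clock, seconds
    gnss_t: float     # time as reported by the GNSS receiver, seconds
    lat: float        # GNSS position, degrees
    lon: float
    radar_lat: float  # independent position, degrees
    radar_lon: float


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_fixes(fixes, max_speed_kn=25.0, radar_tol_m=300.0, clock_tol_s=1.0) -> list:
    """Return one alert dict per tripped indicator per fix: {'t', 'check', 'value'}.
    Thresholds are constructed; set max_speed_kn from the vessel's actual service speed
    and radar_tol_m from the radar's fixed-target position accuracy."""
    alerts = []
    for i, f in enumerate(fixes):
        if i > 0:
            prev = fixes[i - 1]
            dt = f.t - prev.t
            if dt > 0:
                implied_kn = haversine_m(prev.lat, prev.lon, f.lat, f.lon) / dt / KNOT_MPS
                if implied_kn > max_speed_kn:
                    alerts.append({"t": f.t, "check": "position_jump", "value": round(implied_kn, 1)})
        divergence = haversine_m(f.lat, f.lon, f.radar_lat, f.radar_lon)
        if divergence > radar_tol_m:
            alerts.append({"t": f.t, "check": "radar_divergence", "value": round(divergence)})
        drift = f.gnss_t - f.t
        if abs(drift) > clock_tol_s:
            alerts.append({"t": f.t, "check": "clock_drift", "value": round(drift, 2)})
    return alerts


def constructed_transit() -> list:
    """Constructed: 12 kn eastbound near 26.5N 56.5E, one fix every 10 s.
    Spoofing starts at t=30: the reported track is displaced about 1.5 km north
    and the replayed signal carries a timestamp 5 s behind the ship's clock."""
    step = 0.00062  # degrees of longitude per 10 s at 12 kn on this latitude
    return [
        Fix(0, 0.0, 26.5000, 56.5000, 26.5000, 56.5000),
        Fix(10, 10.0, 26.5000, 56.5000 + step, 26.5000, 56.5000 + step),
        Fix(20, 20.0, 26.5000, 56.5000 + 2 * step, 26.5000, 56.5000 + 2 * step),
        Fix(30, 25.0, 26.5135, 56.5000 + 3 * step, 26.5000, 56.5000 + 3 * step),
        Fix(40, 35.0, 26.5135, 56.5000 + 4 * step, 26.5000, 56.5000 + 4 * step),
    ]


if __name__ == "__main__":
    for alert in check_fixes(constructed_transit()):
        print(alert)
```

The first fix after the takeover trips all three checks; the next one trips only the radar and clock checks, because once the spoofed track is established it moves at a plausible speed. That is the practical point: a patient spoofer who captures the receiver smoothly and walks the position away at a few metres per second never produces a jump and also passes RAIM, so checks (2) and (3) carry the load. The independent position source and the independent clock are therefore worth more than any self-check the receiver can perform on its own signals.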

Methodology

This sector assessment is produced by Dark Angel’s critical infrastructure threat intelligence practice, synthesizing multiple intelligence collection streams to provide an evidence-based assessment of the cyber threat environment confronting the maritime and shipping sector.

Incident Data: Analysis of 68 confirmed ransomware incidents and 23 additional cyber incidents affecting maritime and port organizations between January 2023 and March 2025. Incident data is sourced from Dark Angel’s incident response engagements (14 cases), data leak site monitoring (47 active DLS), public disclosure by affected organizations, and reporting by national maritime administrations and CSIRTs.

Threat Actor Tracking: Continuous monitoring of nation-state groups assessed to target maritime entities, including APT40 (Leviathan), Volt Typhoon, APT28 (Fancy Bear), Sandworm, APT29 (Cozy Bear), APT33 (Elfin), and associated infrastructure. Ransomware group tracking covers all major RaaS programs and their affiliate operations targeting maritime and logistics sectors.

OT Security Research: Technical analysis of maritime OT systems including ECDIS platforms, AIS transponders, GPS/GNSS receivers, VSAT terminals, and Terminal Operating System architectures. Dark Angel’s OT research team conducts controlled vulnerability analysis in partnership with maritime technology vendors and classification societies.

Regulatory Analysis: Review of IMO resolutions, circulars, and maritime safety committee outputs; EU legislative texts and national transposition measures for NIS2; IACS unified requirements and classification society guidance notes; and national maritime cybersecurity strategies from 15 flag state administrations.

Industry Engagement: Structured interviews and intelligence sharing with 27 shipping companies, 8 port authorities, 4 maritime classification societies, and 6 maritime technology vendors. All sources are evaluated using the Admiralty Code for reliability (A–F) and information credibility (1–6). Attribution assessments follow the analytic standards framework established in ICD 203, with confidence levels stated explicitly.

Secure Your Maritime Operations

Dark Angel provides specialized threat intelligence, OT security assessments, and incident response services for maritime and shipping organizations navigating an increasingly hostile cyber threat environment.

Request a Briefing