Maritime Sector Faces Surge in APT and Hacktivist Cyber Threats
The maritime transport industry has become a major target of cyberattacks. The article analyses threat actors such as APT groups and ransomware gangs and their attack activity, and discusses the impact on ships and ports of key vulnerabilities such as CVE-2025. Recommendations include security measures such as network isolation architecture and hardware encryption. 2025-7-29 09:31:10 Author: cyble.com (view original)

The maritime industry has become a major target for cyberattacks. We look at threat actors, incidents, vulnerabilities – and what can be done.

The maritime industry, responsible for as much as 90% of global trade, is increasingly becoming a target of cyber threat actors. 

A recent Cyble report to clients documented more than a hundred cyberattacks by advanced persistent threat (APT) groups, financially motivated threat actors, ransomware groups, and hacktivists, as the maritime and shipping industry has become a prime target amid growing geopolitical conflict. 

The trend has become particularly pronounced in the last year. Pro-Palestinian hacktivists have targeted Israeli-linked vessels using Automatic Identification System (AIS) data. Russian groups have targeted European ports supporting Ukraine. Chinese state actors compromised classification societies that certify the world’s fleets. 

In one notable incident in March 2025, in concert with U.S. attacks on Houthi rebels in Yemen, the anti-Iranian group Lab Dookhtegan launched a well-orchestrated cyberattack that allegedly disrupted communications (VSAT) on 116 Iranian vessels. The operation reportedly severed inter-ship and ship-to-port links, targeting entities accused of supplying arms to Houthi forces. 

Electronic interference, including GPS jamming and spoofing, is escalating in critical maritime chokepoints like the Persian Gulf and Strait of Hormuz, posing a serious threat to vessel safety and operational reliability. This interference can disrupt AIS positional reporting and other navigation systems, leaving ships effectively blind in some of the world’s busiest and most strategically sensitive waters.  

Driven largely by rising geopolitical tensions and military maneuvers, these disruptions increase the risk of collisions, navigational errors, and maritime incidents, while also undermining regional security and the safe flow of global trade. 
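As an added example (not part of the Cyble article), the following Python flags consecutive AIS position reports whose implied speed is physically implausible, one way to detect the GPS spoofing and jamming effects described above; the vessel identifier, the track and the 40 kn threshold are constructed assumptions.

```python
"""Plausibility check over AIS position reports: spoofed or jammed GPS shows up
as a position that jumps farther than any vessel could travel in the elapsed
time. The sample track below is constructed, not real AIS data."""
import math
from dataclasses import dataclass

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


@dataclass
class PositionReport:
    mmsi: str      # vessel identifier (constructed placeholder, not a real MMSI)
    ts: int        # UTC epoch seconds
    lat: float     # degrees
    lon: float     # degrees


def distance_nm(a, b):
    """Great-circle (haversine) distance between two reports, in nautical miles."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a.lat, a.lon, b.lat, b.lon))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))


def implausible_jumps(reports, max_knots=40.0):
    """Return (previous, current, implied_knots) for same-vessel report pairs whose
    implied speed exceeds max_knots. 40 kn is an assumed ceiling for merchant
    traffic; tune it per vessel type."""
    flagged, last = [], {}
    for r in sorted(reports, key=lambda x: x.ts):   # process in time order
        prev = last.get(r.mmsi)
        if prev is not None:
            dt_h = (r.ts - prev.ts) / 3600.0
            d = distance_nm(prev, r)
            if dt_h == 0:
                if d > 0:            # same timestamp, different position
                    flagged.append((prev, r, float("inf")))
            elif d / dt_h > max_knots:
                flagged.append((prev, r, d / dt_h))
        last[r.mmsi] = r
    return flagged


# Constructed track near the Strait of Hormuz: reports every 10 minutes, with
# the third report displaced roughly 60 nm (the kind of jump spoofing produces).
SAMPLE = [
    PositionReport("000000001", 0, 26.50, 56.30),
    PositionReport("000000001", 600, 26.52, 56.34),
    PositionReport("000000001", 1200, 27.40, 56.90),   # spoofed jump
    PositionReport("000000001", 1800, 26.56, 56.42),   # back on the real track
]
```

The jump into and back out of the spoofed position both exceed the threshold, so a single bad fix is flagged twice; correlating the flags with the ship's own log or radar picture is the follow-up a watch officer or SOC analyst would make.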

What follows is a look at some of the incidents, campaigns, and vulnerabilities affecting the maritime industry, along with some key cybersecurity considerations. 

APT Groups Target the Maritime Industry 

At least a dozen advanced persistent threat (APT) groups have targeted the maritime industry in the last year. Some of the APT groups have included: 

  • The South Asian threat group SideWinder APT, which has hit maritime facilities in Egypt, Djibouti, the UAE, Bangladesh, Cambodia, and Vietnam. 
  • The Chinese threat group Mustang Panda has targeted cargo shipping companies in Norway, Greece, and the Netherlands, among other targets. One alarming discovery was malware found directly on cargo ship systems, and one of the group’s attack vectors has been a USB-based initial infection. 
  • The Chinese state-sponsored threat group APT41 has hit shipping and logistics targets in the UK, Italy, Spain, Turkey, Taiwan, and Thailand. The DUSTTRAP framework for forensic evasion and advanced malware such as ShadowPad and VELVETSHELL have been among the group’s attack techniques. 
  • The Russian threat group APT28 has targeted NATO maritime supply chains supporting Ukraine, and Western transportation & logistics companies. 
  • Iranian threat group Crimson Sandstorm has attacked maritime shipping, transportation & logistics sectors in the Mediterranean. 
  • The Russia-linked threat actors Turla/Tomiris have focused on transportation & logistics companies in the Asia-Pacific region, using attack techniques such as infected USB disk drives for industrial espionage. 
  • The Russia-linked threat group RedCurl has engaged in over 40 attacks, with a focus on transportation & logistics targets in Australia, Singapore, and Hong Kong. 
  • The Hellhound threat group has targeted at least 70 Russian organizations, including suspected supply chain attacks. 
  • The China-linked Chamel Gang has deployed ransomware against transportation & logistics organizations. 

Maritime Industry Breaches on the Dark Web 

Cyble dark web researchers have documented a number of threat actors in the last year selling sensitive data and access allegedly stolen from maritime organizations. These claims have included: 

A threat actor (TA) on DarkForums recently claimed to possess 1TB of internal data allegedly stolen from a major European defense contractor specializing in submarines and naval vessels. The TA claimed that the data includes source code for a top-secret CMS for submarines and frigates, network metadata, classified technical documents, virtual machines with navy simulators, and confidential internal communications. 

Another TA on DarkForums recently advertised data allegedly stolen from a European marine technology company. The TA claimed to possess internal system files from the company, including technical manuals and internal configurations for systems, detailed NMEA telegrams used for engine control systems, and other sensitive operational documentation. 

A TA on DarkForums in June advertised data allegedly pertaining to a major South American maritime authority. According to the TA, the compromised data revealed security gaps, such as offline surveillance on key maritime routes, and outdated cybersecurity protocols at some major ports. 

A TA on the former BreachForums in February leaked data allegedly stolen from a Middle Eastern government body responsible for regulating, developing, and overseeing maritime transport and logistics activities. According to the TA, the leaked dataset included detailed records such as operational reports, logistical data, internal communications, and other critical information related to maritime activities. 

A TA on the former BreachForums advertised data allegedly stolen from a major U.S. port that included SSL certificates, private keys, a firewall license, and login credentials. 

Cyble also documented dozens of ransomware and hacktivism attacks hitting the maritime sector. Ship blueprints have been among the data allegedly exfiltrated by ransomware groups. 

Vulnerabilities Affecting the Maritime Sector 

Cyble vulnerability intelligence researchers highlighted ten vulnerabilities affecting the maritime industry that should be prioritized by security teams. They include: 

  • CVE-2025-5777 and CVE-2025-6543 in Citrix NetScaler devices, which could be present in ship-to-shore communication and remote access to vessel systems. 
  • CVE-2025-52579 in Emerson ValveLink software, which provides diagnostics and configuration for FIELDVUE controllers used in marine systems like ballast water, fuel handling, and engine control. 
  • CVE-2025-20309 in Cisco Unified CM and Unified CM SME, which could affect shipboard communication systems. 
  • CVE-2024-2658 in Schneider Electric EcoStruxure products, which could be present in industrial control systems (ICS) for ship automation. 
  • CVE-2024-20418 in Cisco Ultra-Reliable Wireless Backhaul (URWB), which could affect port and terminal connectivity and automation. 
  • CVE-2024-20354 in Cisco Aironet Access Point (AP) software used in Industrial Wireless APs such as Cisco IW3702, which could affect vessel, ship and port wireless connectivity. 
  • CVE-2022-22707, CVE-2019-11072, and CVE-2018-19052 in COBHAM SAILOR 900 VSAT High Power (Web Server), potentially affecting marine satellite communications for ships.

Securing the Maritime Industry 

Cyble recommends a number of security measures for improving maritime cybersecurity, including banning personal USB devices in operational areas on ports and ships. 

Network Isolation Architecture should be implemented, including: 

  • Install unidirectional gateways (data diodes) between crane networks and port systems. Deploy crane-specific VLANs with zero internet routing capability. 
  • Implement time-based access controls – cranes only communicate during active operations. 
  • Install RF shielding on crane control rooms to prevent cellular modem communications. 
  • Deploy spectrum analyzers to detect unauthorized cellular/satellite transmissions. 
  • Completely separate operational systems from public-facing websites. 
  • Implement geographic blocking during heightened geopolitical tensions. 
  • Create automated scripts to scale cloud-based DDoS protection within 15 minutes. 
  • Deploy static mirror sites that can replace dynamic content during attacks. 
  • Deploy inline security appliances between ECDIS and any network connection. 
  • Implement application whitelisting – only verified chart software should execute. 
  • Transition to blockchain-verified chart updates with tamper-evident packaging. 
  • Deploy write-once optical media for critical navigation data. 
  • Deploy hardware tokens with biometric verification for surveyor access. 
  • Require cryptographically signed SBOMs for all maritime software. 

Conclusion

Supply chain security requires immediate attention, including disabling remote access on Chinese-manufactured equipment, implementing rigorous vendor security assessments, and establishing secure update mechanisms for maritime systems. Persistent vendor access should be replaced by “just-in-time” support windows. 

Vulnerability management should prioritize patching CISA KEV-listed vulnerabilities, replacing legacy Windows systems, and implementing network segmentation between IT and OT environments. 

Incident response capabilities need maritime-specific protocols, cross-functional teams that include OT specialists, and regular drills simulating ransomware and APT scenarios. 

Access control must include the elimination of default credentials, the implementation of multi-factor authentication, and privileged access management for critical systems. 

Regulatory compliance also must be addressed, including preparation for Coast Guard cybersecurity rules, alignment with IACS UR E26/E27 standards, and implementation of NIS2 Directive requirements. 


Article source: https://cyble.com/blog/cyberattacks-targets-maritime-industry/