
New research from Cyble has uncovered more than a hundred cyberattacks targeting the maritime and shipping industry, linked to advanced persistent threat (APT) groups, ransomware operators, financially motivated actors, and hacktivists. With geopolitical tensions rising, threat actors are exploiting weaknesses across fleets, ports, and offshore infrastructure. As attacks grow more frequent and sophisticated, the sector is under mounting pressure to strengthen its digital defenses and address persistent gaps in resilience, visibility, and response.

“The trend has become particularly pronounced in the last year,” Cyble researchers wrote in a Tuesday blog post. “Pro-Palestinian hacktivists have targeted Israeli-linked vessels using Automatic Identification System (AIS) data. Russian groups have targeted European ports supporting Ukraine. Chinese state actors compromised classification societies that certify the world’s fleets.”

They also revealed that electronic interference, including GPS jamming and spoofing, is escalating in critical maritime chokepoints like the Persian Gulf and Strait of Hormuz, posing a serious threat to vessel safety and operational reliability. This interference can disrupt AIS positional reporting and other navigation systems, leaving ships effectively blind in some of the world’s busiest and most strategically sensitive waters.  

Driven largely by rising geopolitical tensions and military maneuvers, these disruptions increase the risk of collisions, navigational errors, and maritime incidents, while also undermining regional security and the safe flow of global trade. 

Over the last year, at least a dozen APT groups have targeted the maritime industry. Among them are the South Asian SideWinder APT group, which hit maritime facilities in Egypt, Djibouti, the UAE, Bangladesh, Cambodia, and Vietnam, and the Chinese threat group Mustang Panda, which has targeted cargo shipping companies in Norway, Greece, and the Netherlands, among other targets. One alarming discovery was malware found directly on cargo ship systems; one of the group’s attack vectors has been USB-based initial infection.

The Chinese state-sponsored threat group APT41 has hit shipping and logistics targets in the UK, Italy, Spain, Turkey, Taiwan, and Thailand. Its attack techniques have included the DUSTTRAP framework for forensic evasion and advanced malware such as ShadowPad and VELVETSHELL. The Russian threat group APT28 has targeted NATO maritime supply chains supporting Ukraine, as well as Western transportation and logistics companies. The Iranian threat group Crimson Sandstorm has attacked maritime shipping, transportation, and logistics sectors in the Mediterranean.

Cyble also noted that the Russia-linked threat actors Turla/Tomiris have focused on transportation and logistics companies in the Asia-Pacific region, using techniques such as infected USB disk drives for industrial espionage. The Russia-linked threat group RedCurl has carried out over 40 attacks, with a focus on transportation and logistics targets in Australia, Singapore, and Hong Kong, and the Hellhound threat group has targeted at least 70 Russian organizations, including suspected supply chain attacks.

Cyble’s vulnerability intelligence team flagged ten critical vulnerabilities that demand immediate attention from maritime cybersecurity teams. Among them are CVE-2025-5777 and CVE-2025-6543 in Citrix NetScaler devices, which may impact ship-to-shore communications and remote access to vessel systems. CVE-2025-52579 in Emerson’s ValveLink software poses a risk to FIELDVUE controllers used in essential marine systems, including ballast water, fuel handling, and engine control. Communication systems aboard ships could also be exposed through CVE-2025-20309 in Cisco Unified CM and Unified CM SME.

Industrial control systems used in ship automation may be at risk due to CVE-2024-2658 in Schneider Electric’s EcoStruxure platform. Port and terminal connectivity could be impacted by CVE-2024-20418 in Cisco’s Ultra-Reliable Wireless Backhaul, while CVE-2024-20354 in Cisco Aironet AP software threatens wireless networks across vessels and port infrastructure. Finally, three older but still-relevant flaws, including CVE-2022-22707, CVE-2019-11072, and CVE-2018-19052, affect COBHAM SAILOR 900 VSAT systems, potentially compromising satellite communications at sea.

To strengthen maritime cybersecurity, Cyble recommends banning personal USB devices in operational zones on ships and ports, reducing one of the most common vectors for compromise. The firm also advocates for a robust network isolation architecture. This includes installing unidirectional gateways or data diodes between crane systems and broader port networks, along with deploying crane-specific VLANs that have no internet routing capabilities. 

Crane communication should be restricted to active operational periods through time-based access controls, while RF shielding around control rooms can help block unauthorized cellular modem signals. Spectrum analyzers should also be used to detect rogue cellular or satellite transmissions.

Cyble emphasizes the importance of fully separating operational systems from public-facing websites and suggests implementing geographic IP blocking during periods of heightened geopolitical risk. Cloud-based DDoS (distributed denial of service) protections should be scalable within minutes, aided by automated scripts, and supported by static mirror sites to maintain operational continuity when dynamic content is disrupted.

On the vessel side, cybersecurity should extend to critical navigation systems. Cyble recommends placing inline security appliances between ECDIS terminals and any connected networks, enforcing strict application whitelisting to ensure only verified charting software can run, and transitioning to blockchain-verified chart updates with tamper-evident packaging. 

For added data integrity, write-once optical media should be used for storing essential navigation data. Surveyor access should require hardware tokens combined with biometric verification, and all maritime software must be distributed with cryptographically signed software bills of materials (SBOMs) to ensure authenticity and supply chain integrity.
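The signed-SBOM recommendation above can be illustrated with a small receiving-side check. The following Go program is an added example written for this article, not code from Cyble or from any maritime vendor; the SBOM layout, the `signSBOM`/`verifyUpdate` helpers, the supplier name and the package bytes are all constructed for illustration. It models the two checks a vessel would run before installing an update: the SBOM must verify against a pinned vendor Ed25519 public key, and the package being installed must hash to a component the signed SBOM actually lists, so both a forged SBOM and a swapped package are rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// sbom is a deliberately minimal bill of materials (constructed layout):
// supplier, plus each component with the SHA-256 of the artefact it covers.
// Real formats such as CycloneDX or SPDX carry more, but the checks are the same.
type sbom struct {
	Supplier   string      `json:"supplier"`
	Components []component `json:"components"`
}

type component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// signedSBOM bundles the serialised SBOM with a detached Ed25519 signature.
type signedSBOM struct {
	Document  []byte
	Signature []byte
}

var errBadSignature = errors.New("SBOM signature does not verify against pinned vendor key")
var errHashMismatch = errors.New("package hash is not listed in the signed SBOM")

// signSBOM is the vendor-side step (hypothetical helper): serialise and sign.
func signSBOM(priv ed25519.PrivateKey, doc sbom) (signedSBOM, error) {
	raw, err := json.Marshal(doc)
	if err != nil {
		return signedSBOM{}, err
	}
	return signedSBOM{Document: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// verifyUpdate is the vessel-side step: (1) the SBOM must be signed by the
// pinned vendor key, (2) the package bytes must hash to a listed component.
func verifyUpdate(pinned ed25519.PublicKey, s signedSBOM, pkg []byte) (component, error) {
	if !ed25519.Verify(pinned, s.Document, s.Signature) {
		return component{}, errBadSignature
	}
	var doc sbom
	if err := json.Unmarshal(s.Document, &doc); err != nil {
		return component{}, err
	}
	sum := sha256.Sum256(pkg)
	want := hex.EncodeToString(sum[:])
	for _, c := range doc.Components {
		if c.SHA256 == want {
			return c, nil
		}
	}
	return component{}, errHashMismatch
}

// constructedPackage stands in for a chart update or software package.
var constructedPackage = []byte("ECDIS chart pack 2025-W30 (constructed sample bytes)")

// newVendorRelease generates a fresh vendor key pair and a signed SBOM that
// describes constructedPackage; it returns the public key the vessel would pin.
func newVendorRelease() (ed25519.PublicKey, signedSBOM, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, signedSBOM{}, err
	}
	sum := sha256.Sum256(constructedPackage)
	doc := sbom{
		Supplier:   "Example Charts Ltd (constructed)",
		Components: []component{{Name: "chartpack", Version: "2025.30", SHA256: hex.EncodeToString(sum[:])}},
	}
	s, err := signSBOM(priv, doc)
	return pub, s, err
}

func main() {
	pub, s, err := newVendorRelease()
	if err != nil {
		panic(err)
	}
	c, err := verifyUpdate(pub, s, constructedPackage)
	fmt.Println("genuine package:", c.Name, c.Version, err)
	_, err = verifyUpdate(pub, s, []byte("swapped package"))
	fmt.Println("swapped package:", err)
}
```

In practice the pinned public key would be provisioned out of band (for example on the write-once media the article mentions) rather than shipped alongside the update, since a key delivered with the package proves nothing about its origin.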

In conclusion, the Cyble researchers stressed that supply chain security demands urgent action. This includes disabling remote access on Chinese-manufactured equipment, enforcing strict vendor security evaluations, and establishing secure, auditable update mechanisms for maritime systems. Persistent vendor access should be replaced with tightly controlled ‘just-in-time’ support windows.

Vulnerability management must focus on patching vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, phasing out legacy Windows systems, and enforcing IT-OT network segmentation. Incident response needs to be tailored for maritime operations, with protocols that incorporate OT expertise, cross-functional response teams, and regular drills simulating ransomware and APT-style attacks. Access controls must eliminate default credentials, enforce multi-factor authentication, and implement privileged access management for high-value systems.
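To make the KEV-driven patching advice concrete against the CVEs listed earlier in the article, here is an added Go example (written for this page, not Cyble's or CISA's code). It joins a hypothetical fleet/port inventory against a catalog excerpt in the KEV JSON shape (a `vulnerabilities` array with `cveID`, `dueDate` and `knownRansomwareCampaignUse` fields) and orders the work: known-ransomware CVEs first, then earliest CISA due date, with a separate list of items already overdue. The CVE IDs are the ones the article names; the asset names, zones, due dates and ransomware flags in the excerpt are constructed placeholders, not values from the real catalog.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// kevCatalog models only the KEV feed fields used here.
type kevCatalog struct {
	Vulnerabilities []kevEntry `json:"vulnerabilities"`
}

type kevEntry struct {
	CVEID                      string `json:"cveID"`
	DueDate                    string `json:"dueDate"`
	KnownRansomwareCampaignUse string `json:"knownRansomwareCampaignUse"`
}

// asset is one entry of a hypothetical inventory: the system, its network
// zone, and the CVEs known to affect the installed version.
type asset struct {
	Name string
	Zone string
	CVEs []string
}

// patchItem is one prioritised work item for the patch team.
type patchItem struct {
	Asset      string
	Zone       string
	CVE        string
	DueDate    time.Time
	Ransomware bool
}

// constructedKEV is a made-up excerpt in KEV format: CVE IDs from the article,
// dates and ransomware flags are placeholders (not the real catalog values).
const constructedKEV = `{"vulnerabilities":[
 {"cveID":"CVE-2024-20418","dueDate":"2025-02-01","knownRansomwareCampaignUse":"Known"},
 {"cveID":"CVE-2025-5777","dueDate":"2025-02-15","knownRansomwareCampaignUse":"Unknown"},
 {"cveID":"CVE-2025-6543","dueDate":"2025-03-10","knownRansomwareCampaignUse":"Unknown"}
]}`

// sampleInventory is constructed. The VSAT entry is deliberately absent from
// constructedKEV to show that non-KEV findings fall outside this fast lane.
func sampleInventory() []asset {
	return []asset{
		{Name: "vessel-remote-access-gw", Zone: "ship-IT", CVEs: []string{"CVE-2025-5777", "CVE-2025-6543"}},
		{Name: "port-crane-backhaul-01", Zone: "port-OT", CVEs: []string{"CVE-2024-20418"}},
		{Name: "sailor900-vsat", Zone: "ship-comms", CVEs: []string{"CVE-2022-22707"}},
	}
}

// prioritise joins the inventory against the catalog and orders the matches:
// CVEs with known ransomware use first, then earliest due date.
func prioritise(catalogJSON []byte, inventory []asset) ([]patchItem, error) {
	var cat kevCatalog
	if err := json.Unmarshal(catalogJSON, &cat); err != nil {
		return nil, err
	}
	byID := make(map[string]kevEntry, len(cat.Vulnerabilities))
	for _, e := range cat.Vulnerabilities {
		byID[e.CVEID] = e
	}
	var items []patchItem
	for _, a := range inventory {
		for _, id := range a.CVEs {
			e, ok := byID[id]
			if !ok {
				continue // not in KEV: still patch, but outside this fast lane
			}
			due, err := time.Parse("2006-01-02", e.DueDate)
			if err != nil {
				return nil, fmt.Errorf("%s: bad dueDate %q: %w", id, e.DueDate, err)
			}
			items = append(items, patchItem{Asset: a.Name, Zone: a.Zone, CVE: id,
				DueDate: due, Ransomware: e.KnownRansomwareCampaignUse == "Known"})
		}
	}
	sort.SliceStable(items, func(i, j int) bool {
		if items[i].Ransomware != items[j].Ransomware {
			return items[i].Ransomware
		}
		return items[i].DueDate.Before(items[j].DueDate)
	})
	return items, nil
}

// overdue returns the items whose due date has already passed at "now".
func overdue(items []patchItem, now time.Time) []patchItem {
	var late []patchItem
	for _, it := range items {
		if it.DueDate.Before(now) {
			late = append(late, it)
		}
	}
	return late
}

func main() {
	items, err := prioritise([]byte(constructedKEV), sampleInventory())
	if err != nil {
		panic(err)
	}
	for _, it := range items {
		fmt.Printf("%-26s %-10s %-15s due %s ransomware=%v\n",
			it.Asset, it.Zone, it.CVE, it.DueDate.Format("2006-01-02"), it.Ransomware)
	}
	fmt.Println("overdue:", len(overdue(items, time.Date(2025, 3, 1, 0, 0, 0, 0, time.UTC))))
}
```

The zone field is what ties this to the IT/OT segmentation point: an overdue KEV item in a port-OT or bridge zone is the kind of finding that should drive both the patch window and a compensating network control until the patch lands.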

Finally, regulatory readiness is essential. Maritime operators must prepare for Coast Guard cybersecurity mandates, align with IACS UR E26/E27 standards, and comply with the NIS2 Directive to meet rising expectations for cyber resilience and accountability.

Earlier this month, Cyble data identified that hacktivists are escalating their campaigns against critical infrastructure, moving beyond basic DDoS and defacement tactics to more advanced intrusions and data breaches. In the second quarter of this year, ICS (industrial control system) attacks, data leaks, and access-based intrusions made up 31 percent of hacktivist activity, up from 29 percent in the first quarter. Notably, Russia-linked groups lead hacktivist ICS attacks.