
Maritime ports, responsible for 80 percent of global trade and serving as critical NATO logistics hubs, are facing a surge in cyberattacks from state-linked actors, according to a new policy brief from the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). The report highlights a sharp rise in threats targeting European and Mediterranean port facilities, with many attacks traced to Russia, Iran, and China. It revealed that nearly all surveyed countries have experienced cyber attacks within the past five years, with access control systems and vessel traffic management systems identified as the main reported risks.
As cyber operations increasingly disrupt access control and vessel traffic systems, the lack of clear coordination between military and civilian stakeholders is becoming a strategic vulnerability. Most port infrastructure is civilian-owned, yet these facilities play an essential role in NATO’s defence network. Even so, NATO’s current maritime strategy lacks formal frameworks for engagement with commercial port operators, despite their critical role in maritime security and NATO logistics operations.
In its policy brief titled ‘Addressing State-Linked Cyber Threats to Critical Maritime Port Infrastructure,’ NATO CCDCOE identified that maritime port facilities face a range of threats from state-sponsored advanced persistent threats (APTs), financially motivated cybercriminals, and politically driven hacktivists. These threats are remarkably consistent regardless of geographical location, and the tactics, techniques, and procedures (TTPs) are similar if not identical across Europe, the Americas, and the Asia Pacific regions.
The NATO CCDCOE policy brief identified major gaps in the 2011 NATO Alliance Maritime Strategy, particularly in its failure to address modern cyber threats targeting maritime infrastructure. While ports are essential to NATO’s military logistics, the strategy lacks formal frameworks for engaging commercial port operators—most of whom manage critical infrastructure now routinely targeted by state-linked cyber actors.
As hybrid warfare tactics combine physical and cyber operations, the divide between civilian and military maritime security is increasingly blurred. This undermines NATO’s coordination mechanisms, especially since most strategic port assets remain in civilian hands. The strategy’s focus on traditional threats does not account for the convergence of digital vulnerabilities and physical infrastructure risks, especially as ports depend heavily on interconnected ICT, OT (operational technology), and energy systems. A successful cyberattack could create cascading effects across military and civilian logistics networks.
Moreover, existing cybersecurity frameworks, such as the International Ship and Port Facility Security Code, largely overlook cyber risks, focusing instead on physical threats. Meanwhile, the International Association of Ports and Harbors’ guidelines offer relevant cyber insights but suffer from inconsistent implementation. Many ports lack the resources, expertise, and internal structures needed to manage cybersecurity risks effectively. NATO’s policy brief concludes that port cybersecurity must be addressed as a systemic challenge requiring urgent updates to maritime strategy, broader civil-military integration, and enhanced coordination with commercial stakeholders.
The CCDCOE survey of member and partner countries found that the most common attacks against maritime facilities are denial-of-service attacks and significant data breaches, followed by phishing or malware delivery and ransomware.
Since Russia’s full-scale invasion of Ukraine in 2022, Moscow has intensified its use of hybrid tactics, including sabotage, disruption operations, and support for extremist groups, to weaken critical infrastructure and erode public trust in democratic systems. In May 2025, NATO and several European governments issued a joint cybersecurity advisory confirming that APT28 (Fancy Bear), linked to Russia’s GRU military intelligence agency, had launched widespread cyberattacks against Western logistics and tech firms spanning nearly every mode of transportation.
According to the Nordic Maritime Cyber Resilience Centre (NORMA Cyber), Fancy Bear has specifically targeted maritime operators, logistics companies, and air traffic control networks in at least 11 countries.
Iranian state-linked groups have followed suit. Advanced persistent threats associated with the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS) have led coordinated cyber campaigns against strategic ports and shipping hubs, aiming to disrupt regional rivals and project Iranian influence.
Threat groups such as Yellow Liderc (Imperial Kitten), APT35 (Charming Kitten), MuddyWater, and the IRGC-linked persona Cyber Aveng3rs have hit ports across Israel, Egypt, and the Eastern Mediterranean. Their targets have included Israel’s Ashdod and Haifa ports, the latter handling 88 percent of the country’s maritime traffic, as well as the BAZAN oil refinery and Egypt’s Port Said, each a critical link in global trade flows.
Last April, Cisco Talos uncovered a state-sponsored cyber campaign, codenamed ArcaneDoor, which deployed custom malware exploiting known vulnerabilities to collect maritime and financial intelligence. The operation relied on extensive ICT infrastructure and targeted coastal facilities in countries deemed strategically significant to China. Separately, the China-linked group Mustang Panda has been observed targeting maritime transport firms through a variety of methods, including malware-laced USB drives.
These incidents underscore a growing pattern of state-sponsored cyber operations aimed at disrupting critical infrastructure. Ports, in particular, present high-value targets, not only for their role in global trade but for their importance in military logistics. Cyberattacks on these systems can inflict serious financial damage while also undermining operational readiness.
To counter these threats, NATO member states must be equipped with both robust defenses and mechanisms for lawful retaliation. Tools like the European Union’s Cyber Diplomacy Toolbox, which enables the imposition of targeted ‘cyber sanctions,’ offer a model for collective response. A similar NATO-aligned framework could help deter future attacks by signaling that cyber operations against maritime infrastructure will carry real consequences.
The NATO CCDCOE policy brief highlighted that the blurred line between state-sponsored actors and cybercriminal groups presents particular challenges for attribution and response. “In January 2022, ransomware attacks unfolded over several days, targeting at least 17 major oil port terminals in Belgium, the Netherlands, and Germany. These attacks affected some of the largest ports in the region, such as Hamburg, Ghent, Antwerp-Zeebrugge, and Rotterdam. European prosecutors and cybersecurity officials investigating these attacks found that ransomware forced oil suppliers to reroute their products, disrupting operations.”
Further, it added that this could disrupt and delay military operations in the region. Investigations by the Antwerp public prosecutors’ office highlighted the complexity of attributing such cyberattacks.
According to Germany’s Federal Office for Information Security (BSI), the state-linked BlackCat ransomware group was responsible for these attacks. Meanwhile, the now-defunct state-linked Conti ransomware group was identified as responsible for the cyber attack on Ghent-based international terminal operator Sea-Invest.
NORMA Cyber reported that at least 45 maritime organizations were attacked with ransomware in 2024, with the actual number likely to be much higher. “These incidents highlight the ongoing and significant threat ransomware poses to critical infrastructure. Moreover, in the case of cybercriminals disrupting maritime critical infrastructure, the effective cooperation of both civilian and military entities is essential.”
Also, the NATO CCDCOE policy brief identified the need for clear responsibilities and efficient cooperation between law enforcement agencies, the civilian operators of critical infrastructure, and the military as crucial in responding to and deterring the actions of cybercriminals. As a result, the national frameworks of NATO nations must be capable of fostering the necessary cooperation to respond to and fight cybercrime.
Apart from espionage and financially driven threats, maritime organizations regularly face the threat of service disruption by politically motivated groups. One of the most prominent and most active of these is the pro-Russian hacktivist group NoName057. It focuses on distributed denial-of-service (DDoS) attacks, often forming alliances with other groups such as People’s Cyber Army, Z-Pentest, and Jus0t Evil Hacker Group. These groups target countries and organizations perceived as Russia’s adversaries, with particular focus on Ukraine, countries supporting Ukraine, and NATO/EU member countries.
The NATO policy brief recommends revising the 2011 NATO Alliance Maritime Strategy to make cybersecurity a foundational element of maritime security. This includes formalizing engagement with commercial port operators, recognizing their essential role in both maritime security and NATO logistics. The strategy should also address the increasingly blurred lines between civilian and military responsibilities in port operations and establish clear protocols for NATO’s involvement during major cyber incidents. Emphasizing cyber resilience as critical to modern port and logistics operations is central to this update.
Another key recommendation is to establish a structured threat intelligence-sharing network tailored specifically to maritime cybersecurity. This platform should support the exchange of threat data, incident response practices, and lessons learned among maritime stakeholders. It would build on existing tools like MISP and draw from successful models such as NORMA Cyber, ReCAAP ISC, and the NMIO Global Maritime Community of Interest to improve coordination and collective defense against cyber threats.
The policy brief also calls for NATO to establish a dedicated liaison role between NATO Maritime Command (MARCOM) and national port cybersecurity authorities. This role would support the development of detailed response playbooks, modeled on efforts like the EU Cyber Diplomacy Toolbox, for handling significant cyber incidents targeting port infrastructure. The liaison should also enable routine information-sharing and help integrate port cybersecurity scenarios into broader NATO maritime exercises such as Dynamic Mongoose and Trident Juncture.
In parallel, the brief urges the formation of international maritime cybersecurity working groups under the International Maritime Organization. These groups would unite port operators, shipping firms, government bodies, and cybersecurity specialists to develop consistent, maritime-specific security standards across the Alliance. Their focus would include creating actionable guidance for implementing existing cybersecurity frameworks, such as the NIST Framework and NIS2, tailored to the OT and IT complexities unique to port environments.
Looking ahead, the NATO brief detailed that cyber threats to critical maritime infrastructure have become a matter of strategic urgency, driven by both state-sponsored actors and non-state groups whose operations are growing in scale, sophistication, and geopolitical impact. The NATO policy brief stresses that adversaries such as China, Russia, and Iran are increasingly leveraging cyber attacks to gather intelligence, disrupt military and commercial operations, and assert geopolitical pressure, particularly amid rising global tensions, such as those surrounding Taiwan.
Ports now face an expanded attack surface due to rapid digitalization, making them prime targets for both strategic cyber campaigns and collateral damage, as demonstrated in past incidents like NotPetya. These threats not only risk national security but also disrupt essential economic and military logistics.
To address this, NATO must revise its 2011 Alliance Maritime Strategy to fully integrate cybersecurity, recognizing that protecting maritime infrastructure goes beyond physical assets. This means embedding cybersecurity into every layer of maritime defense planning, from civil-military coordination to digital resilience.
The brief emphasizes the need for regular joint cyber exercises, intelligence-sharing mechanisms, and a comprehensive shift in maritime cybersecurity governance. Initiatives like NATO CCDCOE’s Locked Shields exercise provide valuable platforms for training and coordination, simulating real-time attacks and requiring strategic, technical, and legal response planning across sectors. Ultimately, resilience depends on modernizing maritime strategy to reflect today’s threat landscape and ensuring seamless collaboration between public, private, civilian, and military stakeholders.
Last month, Recorded Future warned that Russian hybrid threats are likely to escalate ahead of the 2025 NATO Summit, with a focus on sabotage, infrastructure attacks, vandalism, weaponized migration, and military intimidation. These activities were expected to intensify if the summit delivers concrete decisions on Ukraine, with European nations, particularly the Baltic states, Poland, and Germany, facing the highest risk.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.