
When Cyber Operations Become Kinetic: Iran’s Expanding Maritime Threat

Maritime Cyber Threat Briefing #1

In the Red Sea today, a cyber intrusion can contribute to a missile strike on a commercial vessel. The boundary between cyber operations and kinetic warfare at sea is no longer theoretical; it is operational.

Over the past 18 months, Iran-linked cyber groups have demonstrated how digital reconnaissance can directly support physical attacks against maritime targets. For shipping companies, ship managers, and port operators, the events of that period in the Middle East are a direct warning, not a distant geopolitical story.

The Strategic Shift

Iran has built a layered cyber ecosystem over the past decade. The Islamic Revolutionary Guard Corps and Iran’s Ministry of Intelligence and Security together operate the bulk of Iran’s offensive cyber capabilities, with affiliated groups including APT33, APT35, OilRig (APT34), and MuddyWater conducting strategic espionage, sabotage, and influence operations against foreign governments and critical infrastructure.

The maritime sector sits squarely within their targeting priorities. It is central to Iranian energy revenues, sanctions evasion logistics, and the supply chain supporting proxy forces including the Houthis in Yemen. Commercial shipping is not collateral exposure. It is a deliberate target.

For maritime operators, the implication is clear: cyber exposure is no longer just an IT or compliance issue. In contested regions, it can become part of the targeting cycle.

Cyber Intelligence Supporting Missile Strikes

The most consequential development to emerge from the current conflict is the documented use of cyber reconnaissance to enable kinetic attacks against vessels.

Research by Amazon's Threat Intelligence Group (MadPot / AWS security research) documented a case in which Iran-linked hackers mapped the AIS data of a vessel, and merely days later that same vessel was targeted by an unsuccessful missile strike carried out by Iranian-backed Houthi militants.

In a separate case, MuddyWater accessed compromised servers containing live CCTV feeds prior to attacks in Israel and the Red Sea, consistent with a pattern of using digital surveillance to assess strike impact and improve targeting precision.

This represents a fundamental evolution in warfare, where the traditional boundaries between cyber and kinetic operations are dissolving. For vessel operators in contested waters, this means AIS data exposure, unsecured CCTV systems, and poorly protected satellite communications are no longer just IT risks. They are potential targeting inputs.

The Active Threat Groups

MuddyWater is Iran’s most operationally active APT in the current period. Affiliated with Iran’s Ministry of Intelligence and Security, the group targets government agencies, telecommunications providers, energy companies, and critical infrastructure across the Middle East, Europe, Asia, and North America, using spear-phishing, compromised credentials, and exploitation of public-facing applications for initial access.

Their maritime targeting is explicit. In Operation Olalampo, one attack sequence used a malicious document crafted to impersonate an energy and marine services company in the Middle East, likely targeting contractors or the organisation itself. The group has also recently deployed Rust-based implants that represent a significant capability upgrade: harder to detect, more modular, and more persistent than their previous tooling.

OilRig (APT34) operates with a longer intelligence-collection focus. In 2025, the group conducted sustained intrusion campaigns against energy and defense companies across Europe and the Middle East using compromised Microsoft 365 accounts and Azure persistence mechanisms. Ship management companies and maritime technology vendors with cloud platforms are directly in scope.

The VSAT Vulnerability

The attacks on Iranian-flagged tonnage in 2025 have exposed a systemic weakness that extends across the wider industry.

In August 2025, Lab Dookhtegan [an anti-Iranian hacktivist group] claimed responsibility for disabling communications aboard dozens of Iranian oil tankers and cargo ships, gaining admin-level access to Linux systems running satellite terminals and destroying the software keeping vessels connected.

The entry point was not the vessels themselves. The attackers gained their foothold by first compromising Fanava Group, an Iranian IT vendor providing satellite communications services to multiple shipping companies. It is a stark illustration of how a single supply chain compromise can cascade into fleet-wide disruption.

The underlying vulnerabilities exploited [including weaknesses in VSAT systems] are common across the maritime industry. Similar tactics could be applied against any shipping company with comparable infrastructure.

VSAT terminals running outdated firmware, factory-set credentials, and unpatched satellite software are a distributed attack surface. This has now been operationally demonstrated, not merely theorised.

The Scale of the Problem

Maritime cyber incidents surged by 103% in 2025 compared to 2024. DDoS, ransomware, and malware infections accounted for the majority of them, and their growth rate more than doubled over the prior year.

At least a dozen advanced persistent threat groups targeted the maritime industry over the past year. This is no longer a sector that can consider itself a low-priority target.

What Operators Must Address

Given this threat environment, several areas require immediate attention:

VSAT and satellite terminal security. Default credentials must be replaced, firmware kept current, and access to terminal management interfaces restricted and logged. Satellite communications providers warrant formal security assessment as part of vendor risk management.

AIS and position data exposure. Vessel operators should assess whether their real-time positional data and voyage plans are accessible in ways that could support adversarial targeting, particularly for vessels transiting the Red Sea, Persian Gulf, and Strait of Hormuz.

Spear-phishing resilience. Shore-based staff at ship management companies are high-value targets. Maritime-themed lures are actively being used. Crew and staff training must reflect current threat techniques, not generic cyber hygiene checklists.

IT/OT network segmentation. Communication systems, navigation systems, and cargo platforms should not share unrestricted network paths. A satellite terminal compromise should not be a route into bridge or engine room systems.

Incident response readiness. Plans must account for the loss of satellite communications, navigation system compromise, and remote access exploitation, and they must be tested, not just documented.

The Regulatory Baseline Is Not Enough

IMO cyber risk management requirements embedded in the ISM Code, the IACS Unified Requirements E26 and E27 for new builds, and the NIS2 Directive for EU-exposed operators all establish minimum expectations. Meeting these requirements is necessary. It is not sufficient.

The threat actors described in this article operate well above the compliance threshold. Organisations treating regulatory alignment as the ceiling of their cyber risk programme are accepting residual exposure that regulators did not design those frameworks to address.


The maritime cyber threat in 2026 is categorically different from what it was two years ago. Iranian-linked actors are targeting vessel communications infrastructure, collecting intelligence in support of physical strikes, and evolving their capabilities faster than most of the industry is evolving its defences.

The consequences of getting this wrong are no longer limited to data loss or financial penalty. In the current environment, a cyber compromise can contribute directly to a vessel being targeted, a crew being endangered, or a supply chain being severed.

Maritime cyber resilience is an operational imperative. The organizations that recognize this now and act on it will be better positioned than those that wait for the next incident to force the conversation.


The maritime industry has historically treated cyber risk as a compliance exercise. That assumption is no longer sustainable.

The question for operators is no longer whether maritime cyber threats will escalate but whether their organizations are prepared when cyber intelligence becomes part of the targeting chain.


Maritime Cyber Threat Briefing is an independent series covering cyber threats, vulnerabilities, and risk management across the global maritime industry. It is published by Alexandros Engelen, a Cybersecurity Strategist specializing in maritime cyber risk.