Maritime Threat Craft #1
For five months, an adversary sat inside the management infrastructure of an Iranian satellite communications provider and did nothing visible. No ransom note, no defacement, no operational disruption. They mapped a fleet [modem by modem] across the estates of two of Iran’s largest shipping operators. Then, in two timed waves in March and August 2025, Lab Dookhtegan (meaning “Sewn Lips” in Farsi) severed communications across the NITC and IRISL fleets [116 vessels in the March wave alone] by destroying the Falcon stack on every connected terminal at once. They never touched a ship.
That operation is a useful place to start, because it inverts the assumption most maritime security programs are built on: that the vessel is the thing you defend. The adversary in that campaign never regarded the vessel as the target. The vessel was downstream of the target. What they attacked was the management plane that made the fleet’s connectivity coherent, and from the defender’s seat aboard any one of those 116 ships, there was nothing to see until the moment of execution.

This is the gap this series exists to close. Maritime security is dominated by compliance frameworks that describe what to protect. They are largely silent on how an adversary decides whether you are worth attacking, where they will enter, and how they will think about you once they are inside. Those are different questions, and they have different answers depending on who is asking.
Before any adversary moves, they answer one thing: why this target, and what does success look like? Maritime assets complicate that question in ways most IT/OT environments do not. A vessel is simultaneously a mobile node, a logistics platform, a communications relay, a cargo container, and for some operators an instrument of state. An adversary assessing a ship is not assessing a building with a network inside it. They are assessing a system that moves, connects intermittently, carries different things at different times, and sits at the intersection of multiple jurisdictions, none of which holds clean investigative authority.
That complexity is not a problem for adversaries. It is a feature.
And the objective determines everything downstream of it. Nation-state actors in the maritime domain:
- Mustang Panda against European cargo operators
- APT28 surveilling NATO logistics chains
- Crimson Sandstorm probing Mediterranean shipping
They are not running the playbook of criminal ransomware affiliates, and neither category maps onto hacktivist collectives like Lab Dookhtegan. Three adversary classes, three objective sets, three fundamentally different ways of evaluating the same ship. A defender who collapses them into a single “threat” has already miscalibrated. The question is never “could someone attack us?” It is “which adversary class would mark us as a valid target, and what would success mean to them?”
Target Selection Logic
Adversaries do not choose vessels at random. They run a target valuation process [often implicit, sometimes quite deliberate] that weighs return on effort against probability of success and risk of exposure. Understanding that valuation process is the foundation of useful threat modelling.
- Vessel class and cargo type are the first filter. Tankers carrying sanctioned oil or liquefied natural gas (LNG) are high-value to hacktivist actors pursuing disruption objectives and to nation-state actors mapping energy dependency. Container vessels operating on trans-Pacific or Asia-Europe routes attract intelligence collection interest. Cargo manifests and commercial shipping data have strategic value when aggregated. Bulk carriers operating under flags of convenience are attractive to criminal actors because operational disruption pressure is high, legal recourse is slow, and crew capacity to respond to a cyber incident is typically low.
- Flag state and regulatory posture matter more than defenders assume. An open-registry vessel with minimal ISM Code cyber enforcement carries a different risk profile than one under a flag with active port state control, and OSINT surfaces the distinction quickly. Flag also shapes the post-incident environment: jurisdictional ambiguity is useful to any adversary working to stay below the attribution threshold.
- Trade route and geopolitical exposure are the next filter, chiefly for nation-state and hacktivist actors. A vessel regularly transiting Hormuz, the Red Sea, or the Taiwan Strait sits in active friction zones where digital targeting extends a hybrid campaign. APT28 is documented against NATO maritime supply chains in the Baltic; Chinese-nexus actors surveil vessels whose routes cross South China Sea claims; Lab Dookhtegan selected NITC and IRISL ships not for their security posture but because they served Iranian state economic objectives and were already under sanction [“politically legitimate targets”, in the group’s framing].
- Electronic warfare as target manipulation has matured from opportunistic tactic to systematic coercion tool. GPS spoofing and jamming in sensitive chokepoints [the Red Sea, the Persian Gulf and Strait of Hormuz, the Baltic, and the Black Sea] are no longer anomalous. In June 2025, Windward reported that approximately 970 ships per day were experiencing GPS jamming in the Arabian Gulf and Strait of Hormuz across a four-day disruption window. The MSC Antonia grounding near Jeddah in May 2025 gave the problem a sharper operational edge: subsequent maritime intelligence analysis attributed the incident to GPS interference that distorted the vessel’s displayed or reported position. The dual function is the point. These operations probe navigational dependency and fallback capability, and they can manufacture legal or operational ambiguity without ever touching the vessel’s internal network. The selection logic is explicitly geopolitical: which vessels, on which routes, under which flags, are most exposed to navigational manipulation with the least recourse?
- Operator profile and shore-side maturity weigh in wherever adversaries hold any intelligence on the target organisation. Third-party managers running large, heterogeneous fleets across multiple flags are attractive precisely because security standardization is hard to enforce: a manager running 40 vessels across four ship managers, three VSAT providers, and two IBS vendors is a complex, unevenly hardened environment. A patient actor [and nation-states have the patience] finds the weakest segment and enters there.
- Connectivity infrastructure is the most tactically decisive criterion, and it turns on a single question: does a shared provider serve the whole fleet? Where it does, provider compromise is operationally equivalent to compromising every vessel at once. That is the logic Lab Dookhtegan proved against Fanava Group, examined in detail below. Identifying a fleet’s shared provider costs an adversary almost nothing; the payoff is fleet-wide.
- Crew competency signals are an underappreciated dimension of target selection for actors pursuing initial access via the vessel itself rather than via shore-side infrastructure. Vessels operating with minimal dedicated IT personnel, which describes the majority of the global commercial fleet, are structurally reliant on crew members to perform tasks that in a shore environment would be handled by specialists. Chart updates on ECDIS via USB stick, remote diagnostic sessions authorized by an officer with no security training, crew welfare internet traffic running across the same VSAT link as operational systems: these are not hypothetical exposures. They are documented initial access vectors. Mustang Panda’s documented USB-based malware delivery aboard cargo vessels [confirmed by ESET analysis] is the operational expression of this insight.
Access Sequencing
Once a target is selected, the adversary works the access problem. The entry path is not chosen arbitrarily; it follows from the target’s exposure profile, the adversary’s objective, and the relative cost of each vector. Anticipating that logic is what lets a defender predict where pressure lands first.
1 – Shore-side compromise is the preferred path for patient, capability-rich actors, for a structural reason: ship managers, port agents, crewing agencies, classification societies, and technical managers all hold assets that convert directly into vessel access. Specifically, VPN credentials for remote diagnostic platforms, domain accounts reaching fleet management software, SFTP endpoints for chart and software distribution, and mailboxes full of voyage schedules and system configuration data. The adversary who compromises one of these inherits a relationship of implicit trust with the vessel. They are not an external entity probing a boundary; they are a known party whose access is operationally expected. SideWinder’s 2024–2025 campaign shows the reconnaissance depth this requires: lures built around port authority and regulatory correspondence [content demanding real knowledge of how maritime organizations communicate] delivered through CVE-2017-11882 [NVD – cve-2017-11882] in Office Equation Editor and a .NET downloader chain to StealerBot. The vulnerability is old, the targeting knowledge is current. That asymmetry is where these actors live.
For state actors with collection objectives, classification societies are a target in their own right, not a stepping stone. Class records hold construction drawings, system architecture, machinery specifications, and deficiency histories: a fleet-wide technical intelligence baseline that would take years to reconstruct ship by ship. Compromising the document management platform of a classification society can be the objective itself.
2 – VSAT as the initial access surface carries its own logic, evaluated separately from shore-side entry. Pre-exploitation reconnaissance is largely passive and Internet-facing: Shodan and Censys indexing of maritime SATCOM equipment [Cobham SAILOR, Intellian, KVH, Hughes, iDirect] routinely surfaces management interfaces, web UIs, Telnet, and SNMP endpoints on routable addresses, and the firmware versions they disclose can be cross-referenced against vulnerability databases without sending a packet to the target. Factory-default credential reuse is endemic: a meaningful proportion of internet-reachable terminals still answer to default authentication, exposing antenna control units, modem configuration, and routing tables.
The higher-leverage vector [the one Fanava demonstrated] is the provider hub, not the terminal. ST Engineering iDirect NMS (Network Management System) is a single administrative plane spanning an entire fleet: from it, an adversary can enumerate every terminal, push firmware and configuration changes, alter routing, observe or modify transiting traffic, and destroy the Falcon stack on every modem at once. The point defenders consistently miss is that in a hub-and-spoke topology, blast radius is not a property of the vessel’s posture at all. A perfectly hardened ship [current firmware, segmented networks, disciplined crew] is compromised the moment its provider’s NMS is, and nothing it does locally changes that. The terminal is a spoke; spokes inherit the security of the hub, and the hub is someone else’s network. IOActive’s 2014 research framed maritime SATCOM exposure as a terminal problem. A decade later, Fanava reframed it as a management-plane problem: harder to defend and far more valuable to attack. The campaign still turned on outdated, poorly-credentialed iDirect terminals, mapped across months of patient access before the payload fired.
3 – Remote access exploitation is the most underweighted vector in maritime threat models and one of the most structurally exposed. Engine manufacturers, automation vendors, and IBS providers maintain persistent remote access to shipboard OT for diagnostics, typically a VPN tunnel over the same VSAT link carrying crew welfare traffic, terminating on Windows engineering workstations that straddle the IT/OT boundary. Segmentation between those workstations and PLC-adjacent systems is inconsistent, and frequently absent. The credentials are held by the shore-side vendor and a shipboard point of contact, usually a chief engineer or ETO with no security training and no way to know their credentials have been harvested. Compromise the vendor’s IT environment, and you inherit authenticated, trusted access to every vessel in its service base, invisibly to the operator. The 2023 DNV ShipManager ransomware incident [roughly 1,000 vessels affected through one platform] is the closest public marker of what this exposure produces at scale.
4 – AI-accelerated access sequencing has changed the economics of the access problem for well-resourced adversaries. The GTG-1002 campaign, disrupted by Anthropic in November 2025 after a September operation against roughly 30 global organizations, was the first confirmed case of a Chinese state-sponsored actor running an autonomous AI framework through up to 90% of the intrusion lifecycle: reconnaissance, vulnerability identification, lateral movement, privilege escalation, credential harvesting, exfiltration, with humans intervening only at strategic decision points. It used open-source pentest tooling rather than custom malware, defeating signature-based detection, and compressed the gap from initial access to exfiltration to hours. The maritime read-across is direct: a fleet operator’s external surface [exposed VSAT management interfaces, fleet portals, VPN endpoints, indexed maritime databases] is enumerable by exactly these techniques, in parallel, across an entire operator estate at once. The framework finds the weakest credential, the oldest firmware, the least-monitored access path, and sequences against the highest-probability target faster than a human analyst finishes one reconnaissance pass. Machine-speed access against human-speed detection is not a future concern. It is the current environment.
5 – Crew as the social engineering surface rewards maritime operational knowledge over generic phishing capability. The pretexts that work are operationally specific and time-sensitive by convention: ECDIS chart update packages, port pre-arrival notifications, charterer vetting questionnaires, Class survey scheduling, Flag State inspection notices. The time pressure is the mechanism: an officer who delays creates an operational problem. The ECDIS chart update vector is the cleanest. Updates arrive externally, load via USB or network transfer, and apply without meaningful validation in most workflows; a package that mimics a legitimate provider’s file structure and naming passes visual inspection and lands on the navigational core of the vessel. Mustang Panda’s USB-based delivery against European cargo operators is this logic at fleet scale, and APT41’s maritime-specific targeting [UK, Italian, Spanish, Turkish, Taiwanese, and Thai shipping and logistics firms] confirms the principle: adversaries build maritime-specific lures because they out-perform generic phishing against the same targets.
Persistence and Dwell
Maritime OT environments impose specific technical constraints on adversary persistence that differ materially from shore-side IT environments. Understanding how adversaries adapt to those constraints is prerequisite to building detection that can find them.
1 – Connectivity intermittency shapes C2 architecture. A vessel in open ocean runs on bandwidth-constrained, high-latency VSAT, with high-bandwidth windows only during port calls and [depending on route] stretches of total connectivity loss. An adversary holding a shipboard foothold cannot rely on a persistent synchronous C2 channel, which forces specific design choices: locally resident implants with scheduled or event-triggered beaconing rather than continuous polling, data queued for batch exfiltration during high-bandwidth windows, and persistence state that survives extended offline periods. APT41’s ShadowPad fits this profile [modular, plugin-based, configurable beacon intervals, no requirement for a live channel to hold the foothold] and its modularity lets operators push capability during connectivity windows rather than landing a full-featured implant at initial access, keeping the early-dwell footprint small. VELVETSHELL, the other APT41 tool seen in maritime deployments, adds process-based detection evasion on the Windows endpoints common in IBS environments.
For implants that need periodic connectivity, port calls are the gift: shore cellular or WiFi supplements VSAT at predictable intervals that align with the vessel’s published AIS schedule. An adversary who has mapped a target’s port rotation [trivially available from AIS and commercial voyage-tracking data] times check-in and exfiltration to port arrival, blending outbound transfers into the elevated connectivity that already characterizes a port call.
2 – Passive enumeration is the adversary’s first move inside the operational network. Modbus TCP, DNP3, and NMEA 0183/2000 dominate vessel automation, and each is a reconnaissance surface. Modbus [still standard on ballast control, fuel management, and machinery monitoring] has no authentication: any device on the segment can issue function code 01 (Read Coils), 03 (Read Holding Registers), or 43 (Read Device Identification) against any reachable PLC and get an answer, no challenge. An adversary who has crossed from IT into the automation network [via a weak VLAN boundary or a dual-homed engineering workstation] can passively enumerate every Modbus device, map register ranges, and reconstruct which PLCs drive which physical processes, generating nothing a signature-based IDS would flag.
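The defender-side counterpart of that enumeration, as an added example that is not from the article: a small Python detector that parses Modbus/TCP request headers from a span-port trace and flags FC43 fingerprinting, requests outside a learned (source, PLC, unit, function) baseline, and one host sweeping many units. The sensor feed, host addresses and baseline are assumptions, and the trace is constructed.

```python
"""Spot Modbus/TCP enumeration on a vessel OT segment from a request trace.

Added example, not from the article. Assumptions: a span-port sensor yields
(src_ip, dst_ip, payload) tuples for TCP/502 requests, and the operator keeps
a baseline of (src, dst, unit_id, function_code) tuples learned during a
known-good period. The trace below is constructed.
"""
import struct
from collections import defaultdict

READ_COILS = 0x01                  # FC01
READ_HOLDING_REGISTERS = 0x03      # FC03
READ_DEVICE_IDENTIFICATION = 0x2B  # FC43, used with MEI type 0x0E
MEI_TYPE_DEVICE_ID = 0x0E


def parse_request(frame: bytes):
    """Return (unit_id, function_code, mei_type) for a Modbus/TCP request ADU.

    mei_type is None unless the function is FC43. Returns None when the MBAP
    header is inconsistent (wrong protocol id or length field).
    """
    if len(frame) < 8:
        return None
    _tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    function = frame[7]
    mei_type = frame[8] if function == READ_DEVICE_IDENTIFICATION and len(frame) > 8 else None
    return unit_id, function, mei_type


def detect_enumeration(trace, baseline, sweep_threshold=3):
    """Return [(severity, message), ...] over a trace of (src, dst, frame).

    Three signals: device fingerprinting via FC43, any (src, dst, unit,
    function) tuple not in the learned baseline, and one source touching
    many distinct PLC/unit targets (a sweep).
    """
    findings = []
    targets_by_src = defaultdict(set)
    for src, dst, frame in trace:
        parsed = parse_request(frame)
        if parsed is None:
            findings.append(("low", f"{src}->{dst}: malformed Modbus/TCP frame"))
            continue
        unit, func, mei = parsed
        targets_by_src[src].add((dst, unit))
        if func == READ_DEVICE_IDENTIFICATION and mei == MEI_TYPE_DEVICE_ID:
            findings.append(("high", f"{src}->{dst} unit {unit}: FC43 Read Device Identification (fingerprinting)"))
        if (src, dst, unit, func) not in baseline:
            findings.append(("medium", f"{src}->{dst} unit {unit}: FC{func:02d} not in baseline"))
    for src, targets in targets_by_src.items():
        if len(targets) >= sweep_threshold:
            findings.append(("high", f"{src}: {len(targets)} distinct PLC/unit targets (enumeration sweep)"))
    return findings


def _adu(tid: int, unit: int, pdu: bytes) -> bytes:
    """Pack a Modbus/TCP ADU; only used to build the constructed sample trace."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample: an HMI (10.10.20.5) polls two PLCs as it does every day;
# a dual-homed engineering workstation (10.10.20.77) then fingerprints and reads
# three PLCs it has never spoken to.
HMI, EWS = "10.10.20.5", "10.10.20.77"
PLCS = ["10.10.30.11", "10.10.30.12", "10.10.30.13"]
SAMPLE_BASELINE = {(HMI, PLCS[0], 1, READ_HOLDING_REGISTERS), (HMI, PLCS[1], 1, READ_COILS)}
SAMPLE_TRACE = [
    (HMI, PLCS[0], _adu(1, 1, bytes([READ_HOLDING_REGISTERS, 0, 0, 0, 10]))),  # 10 registers from 0
    (HMI, PLCS[1], _adu(2, 1, bytes([READ_COILS, 0, 0, 0, 8]))),               # 8 coils from 0
]
for n, plc in enumerate(PLCS):
    SAMPLE_TRACE.append((EWS, plc, _adu(10 + n, 1, bytes([READ_DEVICE_IDENTIFICATION, MEI_TYPE_DEVICE_ID, 1, 0]))))
    SAMPLE_TRACE.append((EWS, plc, _adu(20 + n, 1, bytes([READ_HOLDING_REGISTERS, 0, 0, 0, 1]))))


def run_sample():
    return detect_enumeration(SAMPLE_TRACE, SAMPLE_BASELINE)


if __name__ == "__main__":
    for sev, msg in run_sample():
        print(f"[{sev:6}] {msg}")
```

Every finding in the sample points at the engineering workstation; the HMI's routine polling stays silent because it is in the baseline, which is the property a hunt on a quiet OT segment needs.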
NMEA 0183 [serial-lineage, now routinely tunneled over TCP/UDP in modern IBS] has no authentication, no integrity checking, and no way to separate a real sensor reading from an injected one. GPS, AIS, gyrocompass, and echo sounder converge on the ECDIS through a multiplexer: a talker/listener fan-in where every device trusts every sentence on the bus. An adversary on that segment reads the whole navigational stream passively [position, heading, SOG, AIS contacts] and manipulation needs only well-formed sentences, a $GPGGA or $GPRMC with altered fix data and a correct checksum (a trivial XOR of the bytes, not a cryptographic control). The detail worth sitting with: on the wire, an injected sentence and a legitimate one are identical. No field encodes provenance. Detection cannot live at the protocol layer, because the protocol has no concept of authenticity. It has to live in cross-correlation: does the GPS position agree with radar, with the inertial system, with the expected track? That is precisely the layer most installations never instrument. The gap is not an oversight; it is the design assumption of a 1983 protocol built for a trusted serial loop, now carrying safety-critical data on a routable network. NMEA 2000 (CAN-bus derived), Modbus, and DNP3 inherit the same trust-the-bus premise, and retrofitting authenticity is largely impractical. Which is why mature maritime OT defense concentrates on segmentation and traffic-baseline anomaly detection. You are not going to fix NMEA. You are going to watch what speaks it.
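The cross-correlation idea in practice, as an added example that is not from the article: verify the XOR checksum, parse $GPRMC fixes, and compare each fix with dead reckoning from the previous accepted fix. The sentence stream is constructed, and in a real installation the independent reference would be gyro, speed log and radar rather than the GPS feed's own SOG and COG.

```python
"""Checksum-validate NMEA 0183 RMC sentences and cross-check each fix against
dead reckoning from the previous accepted fix. Added example, not from the
article; the sentence stream below is constructed. A real deployment would also
correlate against gyro, speed log and radar data."""
import math
from collections import namedtuple
from datetime import datetime, timezone

EARTH_RADIUS_NM = 3440.065
Fix = namedtuple("Fix", "t lat lon sog_kn cog_deg")

def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', as two upper-case hex digits."""
    acc = 0
    for byte in body.encode("ascii"):
        acc ^= byte
    return f"{acc:02X}"

def checksum_ok(sentence: str) -> bool:
    """True when *hh matches the body: proves integrity in transit, not origin."""
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, _, given = sentence[1:].partition("*")
    return given.strip().upper() == nmea_checksum(body)

def _to_degrees(coord: str, hemi: str) -> float:
    """ddmm.mmmm or dddmm.mmmm plus hemisphere -> signed decimal degrees."""
    dot = coord.index(".")
    value = int(coord[:dot - 2]) + float(coord[dot - 2:]) / 60.0
    return -value if hemi in ("S", "W") else value

def parse_rmc(sentence: str):
    """Fix for a checksum-valid, status-A RMC sentence; None otherwise."""
    if not checksum_ok(sentence):
        return None
    f = sentence[1:].partition("*")[0].split(",")
    if len(f) < 10 or not f[0].endswith("RMC") or f[2] != "A":
        return None
    t = datetime.strptime(f[9] + f[1][:6], "%d%m%y%H%M%S").replace(tzinfo=timezone.utc)
    return Fix(t, _to_degrees(f[3], f[4]), _to_degrees(f[5], f[6]), float(f[7]), float(f[8]))

def distance_nm(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance (haversine) in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))

def audit_track(sentences, max_sog_kn=30.0, dr_tolerance_nm=0.1):
    """Return [(index, reason), ...] for sentences that fail checksum/format or whose
    fix implies a speed above max_sog_kn or lies more than dr_tolerance_nm from the
    dead-reckoned position. A flagged fix is not adopted as the next reference, so
    one injected sentence cannot make the following genuine fix look wrong."""
    anomalies, ref = [], None
    for i, sentence in enumerate(sentences):
        fix = parse_rmc(sentence)
        if fix is None:
            anomalies.append((i, "rejected: bad checksum or malformed RMC"))
            continue
        suspect = False
        if ref is not None and fix.t > ref.t:
            hours = (fix.t - ref.t).total_seconds() / 3600.0
            moved = distance_nm(ref.lat, ref.lon, fix.lat, fix.lon)
            if moved / hours > max_sog_kn:
                anomalies.append((i, f"implied SOG {moved / hours:.0f} kn exceeds {max_sog_kn:.0f} kn"))
                suspect = True
            run = ref.sog_kn * hours  # NM travelled along COG since the reference fix
            exp_lat = ref.lat + run * math.cos(math.radians(ref.cog_deg)) / 60.0
            exp_lon = ref.lon + run * math.sin(math.radians(ref.cog_deg)) / (60.0 * math.cos(math.radians(ref.lat)))
            off = distance_nm(exp_lat, exp_lon, fix.lat, fix.lon)
            if off > dr_tolerance_nm:
                anomalies.append((i, f"fix is {off:.1f} NM from dead-reckoned position"))
                suspect = True
        if not suspect:
            ref = fix
    return anomalies

def _rmc(hhmmss: str, lat: str, lon: str, sog: str, cog: str) -> str:
    """Assemble one constructed sample sentence with a valid checksum."""
    body = f"GPRMC,{hhmmss},A,{lat},N,{lon},E,{sog},{cog},010325,,"
    return f"${body}*{nmea_checksum(body)}"

# Constructed stream: northbound at 12 kn, one fix per minute; then an injected
# sentence placing the ship 30 NM north with a correct checksum; then a genuine
# fix; then a copy of that fix whose bytes were altered after checksumming.
SAMPLE_STREAM = [
    _rmc("120000", "2500.000", "05630.000", "12.0", "000.0"),
    _rmc("120100", "2500.200", "05630.000", "12.0", "000.0"),
    _rmc("120200", "2500.400", "05630.000", "12.0", "000.0"),
    _rmc("120300", "2530.000", "05630.000", "12.0", "000.0"),  # injected
    _rmc("120400", "2500.800", "05630.000", "12.0", "000.0"),
]
SAMPLE_STREAM.append(SAMPLE_STREAM[-1].replace("12.0,", "13.0,", 1))  # checksum now wrong

def run_sample():
    return audit_track(SAMPLE_STREAM)
```

The injected sentence passes the checksum and is caught only by the kinematic cross-check, while the corrupted copy fails the checksum alone: the two controls catch different things, which is why the checksum is an integrity control and not an authenticity control.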

3 – The IT/OT boundary is thinner than the network diagram claims. The engineering workstations ETOs and chief engineers use for monitoring and remote diagnostics are Windows boxes bridging the IT VLAN and one or more OT VLANs, running fleet management clients, vendor diagnostic tools, and ECDIS chart management software side by side. A compromised one can yield domain credentials, shore-side VPN credentials, SFTP/FTP keys for chart and software distribution, local auth for PLC web interfaces and HMIs, and SSH keys for Linux automation systems. This is the documented access pattern in multiple confirmed maritime OT compromises, and it is why the engineering workstation is the priority lateral-movement target once an adversary holds the vessel IT network.
4 – Forensic visibility gaps are structural, not incidental. Most commercial vessels run without persistent traffic capture, centralized log aggregation, or SIEM. OT syslog, where configured at all, lands in local storage with short retention; Windows event logs on engineering workstations are not forwarded; VSAT traffic is not captured at the modem. An adversary doing passive OT recon, holding a scheduled-beacon implant, and exfiltrating during port calls leaves no persistent forensic record under normal operating conditions, and does not need to exploit that gap actively, only avoid the few behaviors that trip a local alert, which is easy when the alert surface is minimal. Read in this light, Lab Dookhtegan’s destruction of the Falcon stack and core system data in August 2025 was not forensic denial; the record was already thin. The wipe was operational: it blocked recovery and stretched the disruption by forcing full reinstallation on every vessel. Forensic denial was a side effect.
Fanava makes the sharpest version of the point. The five-month dwell between hub compromise and execution produced no vessel-level indicators, because the foothold never lived on a vessel. It lived in the provider’s management plane. Defenders watching ship systems for IOCs were watching the wrong environment. Management plane and operational plane are forensically distinct, and the adversary chose the one nobody was instrumenting.
Objective Execution
When adversaries move toward their objective, they time it against the vessel’s operational state and the broader geopolitical or operational context.
- Data exfiltration objectives are typically executed during normal operations, when outbound data flows are expected and unlikely to trigger anomaly detection. Cargo manifests, voyage plans, crew records, commercial contracts, and technical documentation are high-value targets for intelligence collection. Mustang Panda’s campaigns against European cargo operators [Norway, Greece, the Netherlands] are consistent with this objective: the targets hold commercial intelligence on cargo flows, counterparty relationships, and trade routes that have strategic value to a state actor mapping global supply chains.
- Disruptive objectives are timed for maximum operational and financial impact. Lab Dookhtegan’s March 2025 attack was explicitly timed to coincide with Operation Rough Rider, the US air campaign against Houthi forces in Yemen, compounding geopolitical pressure on Iran. The August 2025 wave landed amid intensifying US scrutiny and sanctions of Iran’s oil-export and shipping networks, context that amplified the impact of an operation that was already technically effective. Criminal ransomware actors follow a different timing logic: they typically execute payload deployment when the operator is most likely to pay quickly, which often means during port calls, cargo loading/unloading windows, or at the start of a voyage with a time-charter deadline.
- Destructive objectives [the highest-stakes category] include physical manipulation of vessel systems: ballast valve control, propulsion interference, ECDIS chart data manipulation. Cytur’s 2026 maritime cyber reporting placed destroyed equipment, manipulated ECDIS chart data, and ballast-control interference inside the current vessel-risk discussion rather than the purely theoretical category. Public technical detail remains uneven, but the direction of travel is clear: adversary interest is moving closer to the operational systems that convert data trust into physical consequence. These are not conceptual scenarios. An adversary with access to a vessel’s OT network and the patience to understand the system architecture has the technical capability to create conditions that produce physical consequences. The timing logic for destructive execution is typically either maximum isolation (open ocean, minimal rescue capability) or maximum consequence (congested waterway, collision risk).
Defender Implications
The adversary target selection and access logic described above translates into specific defensive posture priorities.
1 – The supply chain is the threat boundary, not the vessel. The Fanava Group compromise is the clearest recent demonstration of this principle. If your VSAT provider, remote monitoring vendor, or technical management platform has access to your vessel systems, their security posture is part of your threat surface. Mapping third-party access paths to OT environments [what credentials exist, what systems they can reach, whether network segmentation exists between their access path and critical OT] is a prerequisite for understanding your actual exposure. Do this work before an adversary does it for you via Shodan.
Fleet defenders should demand security telemetry from providers, not only service availability metrics. For VSAT, remote diagnostics, and fleet management platforms, the relevant questions are not limited to uptime and SLA compliance. They are: who authenticated to the management plane, from where, against which terminals, with what privilege, and what configuration or firmware actions were performed? If the operator cannot receive or audit that telemetry, provider compromise remains invisible until operational impact reaches the vessel.
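What auditing that telemetry can look like, as an added example that is not from the article and not any provider's actual export format: the event fields are assumed, the admin networks, accounts and terminal ids are constructed, and the two rules target the pattern Fanava demonstrated, one identity changing many terminals in a short window.

```python
"""Audit a VSAT provider's management-plane log for fleet-scale change actions.

Added example, not from the article and not any vendor's real log format. It
assumes the provider exports per-action audit events as JSON lines with the
fields the article asks for (who, from where, against which terminal, with what
privilege, what action); the events below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that change terminal state; reads and status polls are not in scope.
CHANGE_ACTIONS = {"config_push", "firmware_push", "reset", "delete"}


def parse_events(lines):
    """Yield dicts for well-formed JSON lines, skipping anything unparsable."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev


def audit_management_plane(lines, known_admin_sources, fleet_threshold=10, window=timedelta(hours=1)):
    """Return [(severity, message)] findings.

    Rule 1: a change action from a source address not on the operator-agreed
            list of provider admin networks.
    Rule 2: one account applying change actions to >= fleet_threshold distinct
            terminals inside `window` (the fleet-wide blast radius pattern).
    """
    findings = []
    per_account = defaultdict(list)  # account -> [(ts, terminal)]
    for ev in parse_events(lines):
        if ev["action"] not in CHANGE_ACTIONS:
            continue
        if ev["src_ip"] not in known_admin_sources:
            findings.append(("high", f"{ev['ts']:%H:%M} {ev['account']}@{ev['src_ip']} {ev['action']} on {ev['terminal']}: unknown admin source"))
        per_account[ev["account"]].append((ev["ts"], ev["terminal"]))
    for account, hits in per_account.items():
        hits.sort()
        for start in range(len(hits)):
            end_ts = hits[start][0] + window
            touched = {term for ts, term in hits[start:] if ts <= end_ts}
            if len(touched) >= fleet_threshold:
                findings.append(("critical", f"{account}: change actions on {len(touched)} terminals within {window} starting {hits[start][0]:%H:%M}"))
                break
    return findings


# Constructed sample: routine NOC maintenance from an agreed admin network, then
# a service account from an unrecognised address pushing firmware to twelve
# terminals in just over twenty minutes.
KNOWN_ADMIN_SOURCES = {"203.0.113.10", "203.0.113.11"}
_BASE = datetime(2025, 3, 1, 2, 0)


def _event(minute, account, src, terminal, action, privilege="admin"):
    return json.dumps({"ts": (_BASE + timedelta(minutes=minute)).isoformat(), "account": account,
                       "src_ip": src, "terminal": terminal, "action": action, "privilege": privilege})


SAMPLE_LOG = [
    _event(0, "noc-ops", "203.0.113.10", "term-03", "status_poll", "readonly"),
    _event(5, "noc-ops", "203.0.113.10", "term-03", "config_push"),
    _event(9, "noc-ops", "203.0.113.11", "term-07", "config_push"),
    "not json at all",
]
SAMPLE_LOG += [_event(30 + 2 * n, "svc-backup", "198.51.100.7", f"term-{n:02d}", "firmware_push") for n in range(1, 13)]


def run_sample():
    return audit_management_plane(SAMPLE_LOG, KNOWN_ADMIN_SOURCES)
```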
2 – Flag state and regulatory posture create detection asymmetry. Vessels flagged under weak inspection jurisdictions face lower detection probability for adversary access attempts, which makes them more attractive initial access targets within a mixed-flag fleet. If you operate a heterogeneous fleet, your threat hunting priority should account for the security posture variance across that fleet, not assume uniform hardening.
3 – OSINT reveals your exposure before you do. The combination of AIS data (vessel position, flag, destination, operator), Shodan enumeration (VSAT terminal make, model, firmware, exposed management interfaces), maritime databases (cargo type, charter party history, commercial relationships), and dark web marketplace data (voyage logs, cargo manifests, crew records already sold) gives a capable adversary substantial target intelligence without touching your systems. Run this reconnaissance against yourself. Understand what an adversary with no access can already see about your vessels and your fleet.
4 – Crew social engineering surfaces require operational context-aware training. Generic phishing awareness training does not address the specific pretexts adversaries use in maritime environments: ECDIS chart update requests, port authority clearance documentation, customs and charter correspondence. Countering these requires training that models maritime-specific attack scenarios, not generic enterprise phishing examples. If your crew security awareness program looks like it was built for a bank’s employees, it is not fit for purpose.
5 – Persistence in OT environments is quiet. An adversary who has compromised a vessel’s operational network and is conducting passive reconnaissance will not generate alerts. They will observe. Detection requires active threat hunting against the OT environment, looking for unexpected device enumeration, anomalous inter-system communication, lateral movement between IT and OT network segments, rather than relying on signature-based alerting. In most vessel environments, this hunting capability does not exist. Building it requires starting with network visibility: if you cannot see OT traffic, you cannot hunt through it.
6 – AI-accelerated adversary reconnaissance has collapsed the targeting timeline. The GTG-1002 model [autonomous vulnerability discovery, parallel target assessment, machine-speed lateral movement] is not confined to the sectors it first targeted. The same framework applies to any environment where adversaries can enumerate exposed services, test credentials, and identify OT network adjacency via internet-facing infrastructure. Maritime environments, with their high density of internet-exposed VSAT terminals, remote access platforms, and legacy OT systems, are a near-ideal application surface. The defensive implication is that exposure management [knowing what is visible and accessible from the internet, and closing or monitoring those surfaces] is now a time-critical function, not a periodic audit task. An adversary with AI-assisted reconnaissance capability can characterize your external attack surface faster than a quarterly review cycle can respond to it.
7 – Timing of execution is an intelligence problem, not just a detection problem. Adversaries time their execution against geopolitical events, operational windows, and financial pressure points. This means threat intelligence that tracks geopolitical developments affecting your trade routes and flag states is operationally relevant, not an abstract strategic concern. An operator whose vessels regularly transit Iranian-contested waters or Baltic chokepoints should have geopolitical risk integrated into their maritime security threat model, because the adversaries operating in those spaces demonstrably do.
Sources & further reading
Lab Dookhtegan / Fanava Group compromise
- Cydome, “Lab Dookhtegan Cyberattack – Second Wave Findings (Aug 2025)” – cydome.io
- Industrial Cyber, “Lab Dookhtegan cyberattack on Iranian oil tankers traced to supply chain compromise of Fanava’s infrastructure” (2 Sep 2025)
- Iran International, “Hackers disrupt communications of dozens of Iranian oil and cargo ships” (Aug 2025)
- The Maritime Executive, “Hackers Disable Iranian Merchant Shipping Communications” (24 Aug 2025)
- CIMSEC, “The Unwitting Fleet” (2026)
GTG-1002 – AI-orchestrated campaign
- Anthropic, “Disrupting the first reported AI-orchestrated cyber espionage campaign” (Nov 2025) – primary report
- The Hacker News, “Chinese Hackers Use Anthropic’s AI to Launch Automated Cyber Espionage Campaign” (15 Nov 2025)
- Horizon3.ai, “The First AI State-Sponsored Attack: What It Means for Defenders”
GPS spoofing – MSC Antonia and Strait of Hormuz
- Inside GNSS, “MSC Antonia Grounding in the Red Sea Attributed to Suspected GNSS Spoofing” (15 May 2025)
- gCaptain, “Pole Star Confirms GPS Interference Caused MSC Antonia Grounding” (15 May 2025)
- The Maritime Executive, “Constant GPS Jamming Disrupts Navigation in Strait of Hormuz” (26 Jun 2025)
- Scientific American, “GPS spoofing is scrambling ships in the Strait of Hormuz”
- Windward, Q1 2025 maritime risk reporting (via above)
SideWinder APT
- Kaspersky Securelist, “SideWinder APT attacks in H2 2024” (Mar 2025)
- The Hacker News, “SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa” (Mar 2025)
- BlackBerry Threat Research, maritime targeting analysis (Jul 2024)
Mustang Panda
- ESET, “APT Activity Report Q4 2024–Q1 2025” – welivesecurity.com
- The Maritime Executive / SAFETY4SEA, “China-linked cyber espionage group targets commercial shipping companies” (ESET, May 2024)
APT41, APT28, Crimson Sandstorm
- SecurityWeek, “Chinese Hacking Group APT41 Infiltrates Global Shipping and Tech Sectors, Mandiant Warns” (Jul 2024)
- Cyble, “Cyber Threats Surge Against Maritime Industry in 2025” (Jul 2025)
DNV ShipManager
- SecurityWeek, “Ransomware Attack on DNV Ship Management Software Impacts 1,000 Vessels” (Jan 2023)
- TechCrunch, “Maritime giant DNV says 1,000 ships affected by ransomware attack” (Jan 2023)
Maritime OT threat landscape – ECDIS, ballast, statistics
- Cytur, “2026 Maritime Cyber Threat White Paper” (via The Maritime Executive and SAFETY4SEA, Feb 2026)
- Industrial Cyber, “Cydome report finds 150% surge in maritime OT cyberattacks as ransomware tightens grip in 2025” (Mar 2026)
Foundational SATCOM security research
- IOActive (Ruben Santamarta), “A Wake-up Call for SATCOM Security” (Black Hat, 2014)
Maritime Threat Craft is an independent LinkedIn article series written for maritime IT/OT security practitioners. Series identity: Adversary Thinking for Maritime Defenders. It is published by Alexandros Engelen, a Cybersecurity Strategist, specializing in Maritime Cyber Risk.
Revised: May 2026 – updated to incorporate GPS spoofing at operational scale (MSC Antonia, Persian Gulf 2025), GTG-1002 AI-autonomous access sequencing, and confirmed Fanava Group supply-chain forensic analysis.