Maritime Cyber Threat Briefing #4
Modern shipping runs on connectivity. Satellite communications are the nervous system of the contemporary fleet, linking vessels to shore-based management, enabling remote diagnostics, supporting crew welfare, feeding real-time data into fleet management platforms, and underpinning the navigation and safety systems that keep ships and seafarers safe.
A vessel can be physically secure at sea and still be digitally exposed through its satellite link.
That dependency is precisely what makes VSAT infrastructure the most consequential and most persistently exploited attack surface in maritime cyber security. Attackers have recognised this. The incidents of the past two years have demonstrated at scale that satellite communications are vulnerable across multiple attack dimensions. The consequences when they are compromised extend well beyond data loss.
The Real Weaknesses: Why VSAT Is Structurally Exposed
Understanding why maritime satellite communications are targeted requires understanding the specific technical weaknesses that make exploitation accessible to a wide range of threat actors.
- Default credentials. VSAT terminals are shipped with factory-set usernames and passwords that are publicly documented in vendor manuals and, in many cases, never changed. The default credentials for widely deployed maritime VSAT terminals are readily discoverable online, with terminals from major vendors accessible to anyone who searches the right query and attempts standard factory login combinations. For an attacker, this requires no technical sophistication. It requires a search engine and patience.
- Exposed management interfaces. VSAT terminal management interfaces are in many cases reachable directly from the public internet. Tools such as Shodan allow systematic scanning for exposed maritime satellite systems by vessel name, terminal type, and geographic position. Attackers search for open ports in telecom equipment in order to penetrate the vessel’s IT network. VSAT terminals are exploitable via insecure passwords, open ports, and unpatched firmware, and a compromised terminal subsequently provides access to the vessel’s broader OT network.
- Outdated firmware. VSAT terminals are embedded systems operating in remote, bandwidth-constrained environments, often maintained by crews without dedicated IT support. Firmware update cycles are inconsistent, vendor patch communications are not always acted upon, and end-of-life hardware running unsupported software remains in active service across significant portions of the global fleet. Known vulnerabilities “CVE-2022-22707”, “CVE-2019-11072”, and “CVE-2018-19052” affect the “COBHAM SAILOR 900 VSAT” High Power web server, which is one of the most widely deployed satellite terminal platforms in commercial shipping, and they still remain present in unpatched environments.
- Poor network segmentation. The satellite link aboard a modern vessel carries crew internet traffic, fleet management data, remote maintenance sessions, and software update channels. In many configurations it also provides the communication pathway for remote access to navigation and engineering systems, all traversing the same network infrastructure. When the VSAT terminal is compromised, the absence of meaningful segmentation means the attacker’s reach extends far beyond communications.
Real Attack Scenarios: How VSAT Exploitation Unfolds in Practice

These weaknesses are not theoretical. Each maps directly to documented attack techniques with real operational consequences.
- Scenario 1 — Interception of unencrypted traffic. Researchers from the University of Oxford demonstrated the ability to intercept and modify maritime VSAT connections using standard satellite television equipment. The cost was less than $400, less than 1% of the cost of “state of the art” alternatives. They conducted experimental analysis across more than 1.3 terabytes of real-world maritime VSAT recordings covering 26 million square kilometers of service area. The data recovered included navigational charts, crew passport details, credit card information, and internal corporate communications from some of the world’s largest maritime operators. A separate research team scanning geostationary satellites using a commercial dish mounted on a university rooftop recovered private voice calls, text messages, and internal corporate and government communications transmitted with no encryption whatsoever. The findings were reported as “shockingly large” in scale. Unencrypted VSAT traffic is not a theoretical risk. It is a documented, reproducible, and operationally significant exposure.
- Scenario 2 — Remote access via compromised terminal. Once a VSAT terminal management interface is accessed, whether through default credentials, brute force, or firmware exploitation, the attacker gains an authenticated foothold on the vessel’s network. A compromised VSAT system enables an attacker to view call logs, upload firmware, modify system settings, and use the satellite terminal as a gateway to gain access to any vessel’s broader onboard network. From that position, the attacker can deploy persistent implants, conduct lateral reconnaissance, and maintain long-term access entirely through the satellite link. No physical presence aboard the vessel is required.
- Scenario 3 — Pivoting into the ship’s network. The satellite terminal is the entry point, not the destination. Research demonstrated a “man on the side” attack in which a connection initiated from a terrestrial host to a service on a vessel can be hijacked by an attacker with the ability to observe VSAT traffic. This enables denial of service for connections to the vessel, or in more advanced attacks, injection of false content and spoofed responses including false navigational status information. On vessels where IT and OT networks share infrastructure or are inadequately segmented, a terminal-level compromise provides a pathway toward navigation systems, engine management, ballast controls, and cargo handling platforms. Compromised OT systems can manipulate chart data, distort positioning information, or interfere with propulsion and stability controls. These are scenarios that move beyond financial loss and into physical maritime risk.
- Scenario 4 — Disruption and destruction of communications. The most operationally severe attack scenario involves deliberate disruption or destruction of satellite communications capability. The “Lab Dookhtegan Group” disconnected 116 tankers from the internet by targeting the network edge of their satellite connectivity provider, erasing VSAT partitions on ship hard drives and cutting off all communications including ship-to-shore voice over IP. The attack did not encrypt data and demand ransom. It overwrote firmware partitions and permanently bricked hardware. Physical modem replacement aboard each affected vessel was required, a recovery process measured in days or weeks, not hours.
The Supply Chain Dimension: One Vendor, an Entire Fleet

The most strategically significant characteristic of VSAT-based attacks is their scalability through the supply chain. Maritime satellite communications are delivered through managed service providers with centralized management platforms, shared software infrastructure, and aggregated access to multiple fleet operators simultaneously. A single well-placed compromise does not affect one vessel. It potentially affects every vessel in that provider’s managed estate.
Weaknesses in satellite communication management software can create a single point of failure, enabling attackers to disrupt communications across multiple vessels simultaneously. This was demonstrated by coordinated attacks in 2025 that paralyzed communications on more than 100 ships, severing ship-to-shore connectivity and halting operational reporting across two waves of attacks.
The mechanism was explicit: the attackers gained their initial foothold not by targeting individual vessels, but by first compromising Fanava Group, an Iranian IT vendor providing satellite communications services to multiple shipping companies, before using that access to reach vessel systems fleet-wide.
This supply chain attack model represents a fundamental shift in the economics of maritime cyber exploitation. Rather than conducting individual vessel compromises one at a time, an attacker who successfully targets a satellite service provider inherits privileged access to the management interfaces of every vessel in that provider’s portfolio simultaneously. The attack cost remains roughly constant while the impact scales with the provider’s fleet size.
By implanting malware into update servers or management tools, threat actors can distribute malicious code simultaneously to tens of thousands of vessels, with autonomous navigation and remote maintenance technologies making trusted update pathways particularly dangerous. The result is massive chain reactions of damage across fleets and organizations worldwide.
The risk implication is direct:
Your VSAT provider’s security posture is your security posture.
If their management infrastructure is compromised, the security controls aboard your vessels may be irrelevant.
The Kinetic Connection: From VSAT Compromise to Physical Targeting
The consequences of VSAT exploitation do not end with communications disruption or network intrusion. In the current operational environment, satellite communications compromise feeds directly into targeting intelligence that supports physical attacks against vessels.
As documented in earlier briefings in this series, Iran-linked cyber actors used AIS positional data, transmitted and collected via satellite-connected systems, to map the movements of specific commercial vessels in the Red Sea. Within days of that collection activity, those vessels were targeted in missile strike attempts by Houthi forces. The cyber collection preceded and likely informed the kinetic action.
The convergence is direct: VSAT links carry AIS data feeds, vessel position reports, voyage plans, and cargo manifests. A threat actor with access to satellite communications infrastructure, whether through direct terminal compromise, traffic interception, or supply chain exploitation, has access to real-time intelligence: specifically, vessel movements, cargoes, and operational status. That intelligence has proven operational value not only for espionage and commercial theft but for physical targeting in an active conflict environment.
Threat actors are expected to increasingly attempt to manipulate AIS data and exploit satellite command and control systems to coordinate real-world missile strikes. This convergence of command-and-control manipulation and physical attacks represents an evolving pattern of cyber-physical operations, where digital breaches can directly enable physical destruction.
The implications for vessel operators transiting conflict-affected waters are significant. VSAT security is not solely a cyber risk management consideration. In the current threat environment, it is a navigational safety and crew protection imperative.
As autonomy and remote operations increase, satellite communications will become not just a support system but a control channel.
What Operators Must Address
- Conduct a VSAT firmware and credential audit across the entire fleet. Every terminal must be checked against current vendor firmware advisories. Default credentials must be replaced without exception. Management interfaces must not be reachable from the public internet without authentication controls in place.
- Treat your satellite service provider as a supply chain risk. Request information about their security architecture, access controls, incident response capability, and whether they have conducted independent security assessments of their management infrastructure. A provider unable or unwilling to answer these questions warrants escalated scrutiny.
- Implement meaningful network segmentation between the VSAT link and OT systems. Crew internet traffic, fleet management data, and navigation or engineering system communications must traverse segregated network paths. The satellite terminal should not be a direct bridge to bridge systems or engineering networks.
- Enforce encrypted communications protocols across all VSAT traffic. Unencrypted application-layer communications over satellite links are interceptable with commercially available equipment. TLS must be enforced for all management interfaces, email, and fleet data transmissions. End-to-end encryption cannot be assumed from the satellite provider; it must be verified and enforced at the application level.
- Plan and test operations without satellite communications. Documented, exercised procedures for operating without VSAT connectivity must exist aboard every vessel. The 2025 attacks demonstrated that restoration is not always swift and that, in cases of hardware destruction, recovery requires physical intervention that cannot be expedited remotely.
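The firmware, credential, exposure, TLS and segmentation checks from the list above can be run as one pass over a fleet inventory. The following is an added example, not part of the original briefing: the model names, firmware versions, vessel names and zone labels are constructed placeholders, and real minimum versions must come from the vendor's own advisories.

```python
from dataclasses import dataclass

# Constructed baselines for hypothetical models; real values come from vendor advisories.
MIN_FIRMWARE = {"MODEL-A": (2, 4, 0), "MODEL-B": (1, 9, 3)}
OT_ZONES = {"navigation", "engineering"}  # zones the VSAT segment must not route to

@dataclass
class Terminal:
    vessel: str
    model: str
    firmware: str            # dotted version string reported by the terminal
    default_creds: bool      # factory login still accepted
    mgmt_on_wan: bool        # management UI reachable from the public internet
    mgmt_tls: bool           # management UI served over TLS only
    routed_zones: frozenset  # onboard zones reachable from the VSAT segment

def parse_version(text):
    """Turn '2.3.10' into (2, 3, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))

def audit(t):
    """Return the findings for one terminal, in a fixed order."""
    findings = []
    minimum = MIN_FIRMWARE.get(t.model)
    if minimum is None:
        findings.append("unknown-model")  # no advisory baseline: treat as unsupported
    elif parse_version(t.firmware) < minimum:
        findings.append("outdated-firmware")
    if t.default_creds:
        findings.append("default-credentials")
    if t.mgmt_on_wan:
        findings.append("mgmt-exposed")
    if not t.mgmt_tls:
        findings.append("mgmt-no-tls")
    if t.routed_zones & OT_ZONES:
        findings.append("no-ot-segmentation")
    return findings

FLEET = [  # constructed sample inventory
    Terminal("MV Example One", "MODEL-A", "2.3.10", True, True, False, frozenset({"crew", "navigation"})),
    Terminal("MV Example Two", "MODEL-A", "2.10.1", False, False, True, frozenset({"crew"})),
    Terminal("MV Example Three", "MODEL-Z", "1.0.0", False, False, True, frozenset({"engineering"})),
]

def fleet_report(fleet):
    return {t.vessel: audit(t) for t in fleet}

if __name__ == "__main__":
    for vessel, findings in fleet_report(FLEET).items():
        print(vessel, "->", ", ".join(findings) or "clean")
```

The second vessel shows why versions are compared as integer tuples: as strings, "2.10.1" sorts before "2.4.0" and a current terminal would be flagged as outdated.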
Regulatory Context
IACS Unified Requirements E26 and E27 establish specific cyber resilience requirements for communication systems and the IT/OT interface on vessels contracted from July 2024. The US Coast Guard’s 2025 cybersecurity rule introduces mandatory incident reporting obligations for vessel operators in US waters. International Maritime Organization MSC-FAL.1/Circ.3 requires cyber risks associated with communication systems to be identified, assessed, and managed within Safety Management Systems.

For classification society compliance, vessels must now demonstrate that VSAT and communication infrastructure has been assessed within the ship’s cyber risk management framework, not as a peripheral IT matter, but as a core element of operational safety.

Satellite communications sit at the intersection of every major maritime cyber risk vector identified in this briefing series: they are the pathway through which AIS data is collected and transmitted, the infrastructure through which shore-based management accesses vessel systems, the link through which supply chain attacks cascade fleet-wide, and the communications layer whose disruption causes immediate operational consequences at sea.
The weaknesses are structural, well-documented, and in many cases trivially exploitable. Default credentials, exposed management interfaces, outdated firmware, and absent network segmentation are not edge-case vulnerabilities. They are the baseline condition of satellite communications security across a significant portion of the global commercial fleet.
In 2025 and into 2026, adversaries (state-sponsored, hacktivist, and financially motivated) have demonstrated both the capability and the intent to exploit those weaknesses at scale. The consequence spectrum runs from intercepted cargo manifests to physically destroyed hardware aboard vessels at sea. The satellite link that connects your fleet to the world is also the channel through which the world’s most capable threat actors are attempting to reach it.
Securing that channel is not optional. It is the foundation of maritime cyber resilience.
Maritime Cyber Threat Briefing is an independent series covering cyber threats, vulnerabilities, and risk management across the global maritime industry. It is published by Alexandros Engelen, a Cybersecurity Strategist specializing in maritime cyber risk.