Maritime Cyber Threat Briefing #7
What if the most effective way to compromise a fleet is not to target a vessel at all?
For most of maritime cyber security’s relatively short history, the threat conversation has been vessel-centric. Hardening the bridge. Securing the ECDIS. Segmenting the OT network. Protecting navigation systems from GPS spoofing. Training the crew not to plug in an unverified USB drive.
These concerns remain valid. But in 2025, a structural shift in attacker methodology changed the terms of the problem in a way the industry has not yet fully absorbed.
The most consequential maritime cyber incidents of the past eighteen months did not begin aboard a vessel. They began in the supply chains that serve vessels: the OEM manufacturers, the satellite communications providers, the fleet management software platforms, and the procurement systems on which ship operators depend every day. A single compromise at the right node in that supply chain can now disable dozens of ships simultaneously, disrupt maintenance and safety updates across global fleets, and expose the personal and commercial data of thousands of people, without an attacker ever needing to target a vessel directly.
This is the defining shift in maritime cyber risk in 2026:
The weakest link is no longer necessarily the ship. It is the systems every ship trusts, but does not control.
The Logic of Supply Chain Targeting

To understand why supply chain attacks have become the preferred approach against maritime targets, it helps to think like an attacker.
Targeting an individual vessel is operationally intensive. It requires sustained access, an understanding of that specific vessel’s systems architecture, and the ability to maintain persistence aboard a platform that may be at sea for weeks at a time, with limited connectivity and an IT environment that changes as crew rotates. The potential yield, disrupting one ship, is relatively modest.
Targeting the OEM that manufactures navigation and radar equipment for two thousand vessels is an entirely different proposition. Compromise that supplier’s update infrastructure, and the malicious payload propagates automatically to every vessel running that software. Compromise the satellite communications provider that serves a state-owned tanker fleet, and you can sever ship-to-shore links across the entire fleet in a single operation. Compromise the fleet management software platform used by a major ship manager, and you gain simultaneous visibility, and potentially leverage, over hundreds of vessels, their maintenance records, crew data, and commercial operations.
Instead of targeting individual vessels, attackers are focusing on choke points in the supply chain: telecommunications providers and OEM equipment manufacturers. The tactic of paralyzing an entire fleet by infiltrating a single provider is becoming increasingly common.
This is no longer theoretical. It is documented operational practice, with multiple confirmed incidents across 2025 and 2026.

This model mirrors supply chain attacks seen in other sectors, such as the SolarWinds compromise, where a single trusted update channel became the delivery mechanism for widespread intrusion.
This is not a niche maritime issue; this is how modern cyber warfare works.
The Incident Record: Three Case Studies
Case Study 1: Lab Dookhtegan and the VSAT Supply Chain Attack
The Lab Dookhtegan attack on Iranian tonnage in 2025 demonstrated supply chain methodology at its most precise. The threat group systematically targeted Fanava Satellite, an Iranian satellite communications provider, to conduct an attack high up the digital supply chain for Iran’s state-owned tanker fleet. After penetrating Fanava, Lab Dookhtegan obtained fleet-wide control over ship-to-shore VOIP services, making it harder for vessels to communicate with the home office or port officials. While in possession of access to the ships’ networks, the group stole corporate documents belonging to Iranian state firms NITC and IRISL, then released them online. When finished, it destroyed the ships’ modems by overwriting partitioned memory, requiring physical replacement of hardware across the fleet.
Two points about this incident deserve emphasis. First, the attacker never needed to board a single vessel or establish direct access to any shipboard system. Controlling the communications provider was sufficient. Second, the attack was not purely destructive; it combined intelligence collection, document exfiltration, public exposure of sensitive corporate data, and physical hardware destruction in a single operation. This is the signature of a sophisticated, resourced threat actor using maritime supply chain access as a multi-purpose instrument.
Case Study 2: The Furuno Ransomware Attack
In October 2025, Japanese radar and ECDIS builder Furuno Electric Co., Ltd was hit by ransomware deployed by the Rhysida threat group. The attackers stole Furuno’s internal data, threatened to release it, encrypted the firm’s data, disabled backup servers, and demanded payment. The attack temporarily disrupted service, software updates, and parts shipments for Furuno’s global customer base.
The significance of this incident extends beyond the immediate disruption to Furuno’s operations. Furuno manufactures navigation and radar equipment installed on vessels across the global fleet. When its update infrastructure was disabled and parts shipments were suspended, the cascading effect was a degradation of safety-critical maintenance capability across thousands of ships whose operators had no influence over Furuno’s own security posture. Their OEM was the entry point, and they bore the consequence.
This is the mechanism that makes supply chain attacks so strategically efficient: the compromised entity and the entities that suffer operational impact are not the same. The attacker targets the supplier. The damage lands on the customer.
Case Study 3: NYK’s Bunker Fuel Procurement Breach
Earlier this month, Japanese shipping group NYK Line disclosed that its marine fuel procurement system had been accessed without authorisation by a third party. Detected on the afternoon of March 24, 2026, the breach resulted in certain data, including personal information, being accessed and exfiltrated. The company immediately isolated the system from the network and suspended its use.
The data potentially exposed included names, company names, phone numbers, and email addresses of current and former employees and business partners. NYK reported the incident to Japan’s data protection authority and confirmed no ransomware or financial demand had been identified.
What makes the NYK incident relevant to the supply chain discussion is the system that was targeted. A bunker fuel procurement platform sits at the intersection of vessel operations, commercial counterparties, and logistics planning. The supplier contacts, port agent details, and broker relationships held within such a system represent a rich target for reconnaissance, enabling follow-on social engineering attacks against other organizations in the maritime supply chain. The breach of one company’s procurement system becomes the intelligence preparation for the next company’s attack.
The Threat Architecture: How Maritime Supply Chains Are Exploited
These three incidents represent three different points of entry into the maritime supply chain, but they share a common underlying vulnerability: the industry’s supply chain was not designed with security as a foundational requirement.
Attackers exploit vulnerabilities in the supply chains of the many software products and pieces of equipment installed on vessels, and a single breach can disable dozens of ships simultaneously. Satellite communications and asset spoofing threats targeting maritime communication infrastructure directly have also surfaced, with attackers exploiting security vulnerabilities in satellite communication links to transmit false commands or forge vessel asset information.
Several structural factors make maritime supply chains particularly exposed.
- Remote access as a standard maintenance model. OEM troubleshooting teams routinely connect remotely to shipboard systems to diagnose faults, push updates, and make configuration changes. The remote access protocols built into equipment electronics for this purpose remain a significant vulnerability. If an attacker could remotely control engine output or ballasting through these pathways, the results could be catastrophic. These remote access channels are persistent, privileged connections between shore-based systems and shipboard OT, connections that ship operators often have limited visibility into and limited ability to monitor.
- Software update pathways as attack vectors. Supply chain attacks involving the planting of malware into update servers or management tools have the highest potential impact because a single breach can simultaneously distribute malicious code to tens of thousands of vessels worldwide that utilise the compromised software. As autonomous navigation and remote maintenance technologies advance, these “trusted” update pathways have become among the most dangerous attack vectors in the maritime domain. The industry’s reliance on remote software updates, a practice that reduces cost and port time, has created a network of trusted pathways that attackers are systematically mapping.
- Dark web intelligence markets. Illicit items found for sale online include voyage logs, cargo manifests, ship design schematics, and the personal information of crew. Common ransomware attacks involve encrypting the ship’s Planned Maintenance System, forcing the operator to pay to recover the voyage’s logs. The commodification of maritime data on criminal forums means that compromised procurement systems, leaked employee directories, and exfiltrated commercial records do not remain confined to a single incident. They become the raw material for subsequent targeted attacks against the broader maritime supply chain.
Operational Impact: What Supply Chain Compromise Actually Means
The consequences of maritime supply chain attacks are qualitatively different from those of vessel-specific attacks, and they need to be understood in those terms.
When an OEM is compromised, the immediate impact falls on that company. But the downstream impact (delayed maintenance, suspended safety updates, disrupted parts supply) falls on every operator using that equipment. A ship manager whose ECDIS software update has been withheld because the manufacturer’s update server was taken offline by ransomware is exposed to navigational risk through no action or inaction of their own. Their security posture is partly a function of their OEM’s security posture, a dependency they may not even have formally assessed.
When a satellite communications provider is compromised, the ship-to-shore connectivity that underlies fleet management, emergency coordination, port state control communications, and crew welfare is disrupted across every vessel on that network simultaneously. The vessel at sea has no alternative pathway. The master has no means to escalate to shore-based management. The commercial operations team has no visibility over the fleet. A single provider-level compromise translates directly into an operational crisis at fleet scale.
When a procurement or fleet management platform is breached, the exposure extends beyond the immediate data loss. Supply chain intelligence (who the company’s fuel suppliers are, which ports they frequent, which agents they use, which vessels are carrying which cargo) becomes available to threat actors whose next objective may be physical, financial, or reputational targeting of the company’s commercial partners.
Mitigation: Rethinking the Perimeter

The supply chain threat requires a fundamental expansion of how maritime operators define their security perimeter. The vessel’s network is no longer the boundary of responsibility. It is a node within a much larger ecosystem, and that ecosystem requires security governance.
- Vendor and supplier security assessment. Ship owners and managers must begin treating the cyber security practices of their critical suppliers as a risk management obligation, not an assumption. OEMs, software providers, satellite communications companies, and fleet management platform operators should be subject to formal security assessments, contractual security requirements, and periodic review. The questions to ask are specific: What is the vendor’s patch management cycle? How do they manage remote access credentials to shipboard systems? Do they operate a software bill of materials? What is their incident response and customer notification procedure?
- Software Bill of Materials awareness. The concept of a Software Bill of Materials, a comprehensive inventory of software components installed on a system, including third-party dependencies, is increasingly required under IACS UR E27 for onboard systems. Ship operators should demand SBOMs from their OEMs and software providers and use them as the basis for vulnerability management. If a component in the supply chain is compromised, an SBOM enables rapid identification of which vessels and systems are affected.
- Controlled remote access architecture. Remote access pathways from OEMs and service providers into shipboard systems should be explicitly governed, not assumed to be secure by virtue of being established by a trusted vendor. Access should be session-based, logged, and terminable by the ship operator. Standing persistent access that cannot be monitored or revoked represents an unacceptable risk in the current threat environment.
- Procurement and commercial systems as cyber assets. The NYK incident is a reminder that cyber risk extends beyond the vessel and the fleet management platform into the commercial systems that connect the organisation to its supply chain. Bunker procurement systems, cargo management platforms, and port agency communications hold data that has operational and intelligence value to threat actors. They require the same security governance as operational systems.
- Incident response planning for supply chain failure. Ship operators need contingency plans that address the specific scenario of a critical supplier being compromised. What is the fallback if the ECDIS software update service is unavailable? What is the procedure if the satellite communications provider experiences a service disruption due to a cyber incident? These scenarios should be included in tabletop exercises alongside vessel-specific attack scenarios.
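The SBOM point above is easiest to see in code: once an operator holds an SBOM for each onboard system, a supplier advisory naming one component and one affected version range can be matched against the whole fleet in seconds. The following is an added example and not code from the briefing or from any vendor; the vessel names, system names, component names, versions, and the advisory are all constructed placeholders, and the SBOMs are minimal CycloneDX-style JSON carrying only the fields the lookup needs.

```python
"""Match a supplier advisory against per-vessel SBOMs (added example, constructed data)."""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample: one minimal CycloneDX-style SBOM (as JSON text, the form an
# OEM would actually hand over) per onboard system, keyed by vessel name.
FLEET_SBOMS: Dict[str, Dict[str, str]] = {
    "MV EXAMPLE ONE": {
        "ecdis": json.dumps({
            "bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [
                {"name": "chart-renderer", "version": "2.3.1", "supplier": {"name": "ExampleOEM"}},
                {"name": "openssl", "version": "1.1.1k"},
            ],
        }),
        "radar": json.dumps({
            "bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [
                {"name": "track-engine", "version": "5.0.2"},
                {"name": "chart-renderer", "version": "2.1.0"},
            ],
        }),
    },
    "MV EXAMPLE TWO": {
        "ecdis": json.dumps({
            "bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [
                {"name": "chart-renderer", "version": "2.4.0"},  # already on the fixed release
                {"name": "openssl", "version": "3.0.13"},
            ],
        }),
    },
    "MV EXAMPLE THREE": {
        "vsat-modem": json.dumps({
            "bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [{"name": "modem-firmware", "version": "7.2.1"}],
        }),
    },
}

# Constructed (hypothetical) advisory: versions >= affected_from and < fixed_in are affected.
CHART_RENDERER_ADVISORY = {"component": "chart-renderer", "affected_from": "2.0.0", "fixed_in": "2.4.0"}
OPENSSL_ADVISORY = {"component": "openssl", "affected_from": "1.1.1", "fixed_in": "1.1.1l"}


def version_key(version: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '1.1.1k' into ((1,''),(1,''),(1,'k')) so dotted versions with letter
    suffixes compare numerically rather than as plain strings ('2.10' > '2.9')."""
    key = []
    for part in version.split("."):
        m = re.match(r"(\d*)(.*)", part)
        num = int(m.group(1)) if m.group(1) else -1
        key.append((num, m.group(2)))
    return tuple(key)


def is_affected(version: str, advisory: Dict[str, str]) -> bool:
    """True when the version falls inside the advisory's half-open range."""
    v = version_key(version)
    return version_key(advisory["affected_from"]) <= v < version_key(advisory["fixed_in"])


def find_affected(fleet_sboms: Dict[str, Dict[str, str]],
                  advisory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Walk every vessel's SBOMs and return (vessel, system, version) for each
    installed copy of the advisory's component that is in the affected range."""
    hits: List[Tuple[str, str, str]] = []
    for vessel, systems in fleet_sboms.items():
        for system, sbom_json in systems.items():
            sbom = json.loads(sbom_json)
            for comp in sbom.get("components", []):
                if comp.get("name") != advisory["component"]:
                    continue
                version = comp.get("version", "")
                if version and is_affected(version, advisory):
                    hits.append((vessel, system, version))
    return hits


def affected_vessels(fleet_sboms: Dict[str, Dict[str, str]], advisory: Dict[str, str]) -> List[str]:
    """Distinct vessel names needing attention, sorted for a stable work list."""
    return sorted({vessel for vessel, _, _ in find_affected(fleet_sboms, advisory)})


if __name__ == "__main__":
    for adv in (CHART_RENDERER_ADVISORY, OPENSSL_ADVISORY):
        for vessel, system, version in find_affected(FLEET_SBOMS, adv):
            print(f"{vessel}: {system} runs {adv['component']} {version} (affected, fix in {adv['fixed_in']})")
```

The lookup is deliberately keyed on component name and version only, because that is what an OEM advisory usually gives; real CycloneDX documents also carry package URLs and hashes, and matching on those is more precise when the supplier publishes them. The same walk can be inverted for the contingency planning the list above calls for: given the list of systems a single OEM supplies, it shows how many vessels lose their update source if that OEM goes offline.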
Regulatory Considerations
The regulatory framework is beginning to catch up with the supply chain risk, but implementation is uneven.
- IACS UR E27, which applies to onboard equipment and systems in newbuilds contracted from January 2024, explicitly requires manufacturers to embed security throughout the product development lifecycle and provide SBOMs as part of their security documentation. This is a significant step; it places a formal security obligation on OEMs, not just on ship owners. However, its scope is limited to newbuilds, and the vast majority of the current world fleet predates these requirements.
- IMO MSC-FAL.1/Circ.3 guidance on maritime cyber risk management requires that cyber risk, including risks from third-party systems and service providers, be addressed within the vessel’s Safety Management System. This provides a framework for documenting supply chain dependencies, but the depth of assessment varies significantly across operators and flag state interpretations.
- NIS2, applicable across EU member states, is the most explicit regulatory instrument in addressing supply chain cyber security for essential service operators. Its requirements include security measures for supply chains and supplier relationships, and mandatory incident reporting within 24 hours of a significant incident, a requirement directly relevant to events like the NYK breach, which affected business partners across multiple jurisdictions.
From 2026, vessels that cannot demonstrate compliance with the full range of applicable cyber security requirements face real operational consequences, including inability to obtain class certification and denial of port entry, making supply chain security a delivery condition, not a discretionary investment.

The maritime cyber threat has evolved. The vessel remains a target, but it is no longer the primary point of entry for the most sophisticated and most damaging attacks against the industry. Attackers have identified that the maritime supply chain (the OEMs, the communications providers, the software platforms, the procurement systems) offers higher leverage, broader impact, and in many cases weaker defenses than the vessels themselves.
The industry’s response to this evolution needs to match its scale. Security governance that stops at the vessel’s network boundary is no longer sufficient. Every critical supplier, every remote access pathway, every software update channel, and every commercial platform that connects the operator to its supply chain now sits within the security perimeter that must be managed.
The question ship owners and managers need to ask is not only “how secure are our vessels?” It is: “how secure is everything our vessels depend on, and do we even know what that is?”
In the current threat environment, the answer to the second part of that question is often no. That needs to change.
The next maritime cyber incident is unlikely to begin at sea.
Maritime Cyber Threat Briefing is an independent series covering cyber threats, vulnerabilities, and risk management across the global maritime industry. It is published by Alexandros Engelen, a Cybersecurity Strategist, specializing in maritime cyber risk.