
Port Infrastructure Under Attack: When the Terminal Goes Dark

Maritime Cyber Threat Briefing #10

One Port Compromise Can Cascade Across the Supply Chain

A port is not simply a place where ships berth and cargo changes hands. It is a node in a global logistics network through which approximately 80 percent of world trade flows. It is an energy distribution hub, a customs clearance gateway, a military logistics chokepoint, and an economic multiplier for the region it serves. When a port stops working, the consequences do not stay inside the perimeter fence.

A disruption in one system can quickly cascade across port operations, industrial partners, and inland transport networks. Threats are becoming more targeted and sophisticated, often with geopolitical drivers. The evidence for this is no longer theoretical; it is documented across more than a decade of escalating incidents: the NotPetya attack that brought APM Terminals to a standstill across 76 ports in 2017, the coordinated ransomware campaign that paralysed 17 European oil terminals in January 2022, and the cyberattack on DP World Australia in November 2023 that stranded 30,000 shipping containers and triggered a nationally significant incident response. Navatom

Large-scale port terminals are now prime targets for ransomware. Attackers encrypt the Terminal Operating System to halt container loading and unloading outright, then demand exorbitant ransoms. When hacktivists or criminal organisations paralyse cargo handling systems and logistics data, container operations grind to a halt and vessels in nearby waters are left waiting indefinitely. Such attacks transcend the damage to a single port: they create bottlenecks in the global supply chain, with knock-on effects for the wider economy, including oil prices and inflation. Staunch Technologies

This briefing examines the evolving threat to global port infrastructure, the documented incident record, the specific threat actors now targeting maritime logistics, and the mitigation and governance frameworks the industry needs to apply.


The Digital Port: A Complex and Expanding Attack Surface

From Breach to Bottleneck Across the Supply Chain

The modern port is one of the most digitally complex environments in any critical infrastructure sector. Vessel traffic management systems coordinate movements across the approach channels. Terminal operating systems direct crane sequencing, berth allocation, yard planning, and gate operations. Cargo management platforms process customs declarations, dangerous goods manifests, and logistics documentation. Industrial control systems manage fuel storage, pipeline operations, refrigerated container power, and electrical distribution. Port community systems connect all of these to shipping agents, freight forwarders, trucking companies, customs authorities, and financial institutions.

Escalating digitisation across global seaports has transformed cyber risk from a siloed operational concern into a systemic, ecosystem-wide vulnerability. Attackers exploit the lateral movement potential between terminals, logistics partners, and inland transport networks. Shipping Telegraph

This connectivity [the very feature that makes modern ports efficient] is precisely what makes them strategically attractive to attackers. A single point of entry into a well-connected port environment can provide access to dozens of downstream organisations. As documented in Briefing #7, the supply-chain attack model targets shared infrastructure nodes because one compromise can cascade across many dependent organizations simultaneously. The same logic that made OEM and communications-provider targeting so effective against vessel fleets applies with equal force to the shared port community systems on which terminals, agents, customs authorities, and logistics operators all depend. A ransomware payload deployed against a terminal operating system does not only disable crane scheduling. It removes the data layer on which every subsequent logistics decision in the port ecosystem depends: vessel scheduling, truck slot allocation, customs release, cargo positioning, dangerous goods segregation. The terminal goes dark, and everything connected to it goes dark with it.

Using 112 incidents from the Maritime Cyber Attack Database covering 2020 to 2025, researchers identified a 150 percent rise in incidents, with OT compromise identified as the paramount threat at a risk score of 98 out of 100. State-sponsored actors linked to Russia, China, and Iran are associated with many of the highest-impact attacks in the current incident record. SAFETY4SEA


The Incident Record: Three Case Studies in Port Disruption

Case Study 1: NotPetya and APM Terminals – The Blueprint (June 2017)

One Malware Strain. Terminal Operations Worldwide.

The NotPetya attack of June 2017 remains the defining reference point for port infrastructure cyber risk. Not because it was specifically aimed at ports, but because of what it revealed about the consequences when an interconnected global maritime operator loses its IT infrastructure simultaneously across all jurisdictions.

It took ten days for A.P. Moller – Maersk to rebuild its network. The company replaced 4,000 servers and 45,000 computers. The biggest cost, as Maersk’s chairman stated at the World Economic Forum, came in lost business. All told, the NotPetya attack cost Maersk an estimated USD 300 million. NotPetya crippled Maersk’s operations across 130 countries, shutting down ports and terminals simultaneously. Maersk’s interconnected IT infrastructure meant one compromised system could spread the malware across the entire global network. Business Upturn NPR

The APM Terminal at the Port of Los Angeles [the port’s largest cargo terminal] was shut down for three days before reopening. The White House subsequently attributed NotPetya to Russian state-sponsored actors. The Hacker News

The operational mechanism that made NotPetya so devastating was not sophistication in targeting ports. It was the absence of meaningful segmentation, of networks and of identity alike, between Maersk’s administrative IT and its operational terminal infrastructure. The malware entered through a poisoned update of the M.E.Doc accounting package used in Ukraine, then spread with the EternalBlue and EternalRomance SMB exploits and with administrator credentials harvested from memory and replayed over PsExec and WMI. In a flat global network built on a single Active Directory domain, those credentials were valid everywhere, so nothing stood between the point of infection and the systems controlling terminal operations worldwide. One compromised node. One hundred and thirty countries. Ten days of recovery.

Case Study 2: The January 2022 European Oil Terminal Attack: State-Linked Ransomware at Scale

State-Linked Ransomware Can Paralyse Energy Logistics at Scale

In January 2022, a coordinated ransomware campaign struck oil storage and terminal operations across Belgium, the Netherlands, and Germany with a precision and scale that had not previously been documented against European port infrastructure.

The attack affected a total of 17 terminals, 11 in Germany and six across the Amsterdam-Rotterdam-Antwerp hub. Sources described the attack as causing “massive issues” in Antwerp, where loading operations were affected across all products. Many tankers were unable to load, as loading and unloading at tank farms is largely an automated process dependent on the compromised systems. A significant amount of rerouting occurred as barges were diverted to other terminals across the region. IBM

Ghent-based SEA-invest, which operates terminals in 24 ports across eight countries and handles more than 150 million tonnes of goods annually, confirmed that attackers crippled its networks on the night of 30 January with ransomware. Loading and unloading activities at the Belgian New Fruit Wharf in Antwerp had been difficult since the previous Sunday, with activities on the dock practically paralysed. Gopher

Investigations by the Antwerp public prosecutors’ office confirmed the criminal dimension of the attacks. Germany’s Federal Office for Information Security (BSI) attributed the attacks on the German terminals to the BlackCat (ALPHV) ransomware-as-a-service operation. The Conti group, since disbanded, was held responsible for the attack on Sea-Invest. Both were Russian-speaking criminal operations; their links to the Russian state were assessed by investigators at the time rather than formally established, and that is the sense in which “state-linked” is used in this briefing. CISA

The geopolitical timing is significant. The attacks occurred in late January 2022, weeks before Russia’s full-scale invasion of Ukraine on 24 February. The targeting of European energy logistics infrastructure, attributed to groups assessed as state-linked to Russia, has been interpreted by European security services as part of the hybrid warfare preparation that preceded the conventional military campaign.

Case Study 3: DP World Australia: When 40 Percent of a Nation’s Freight Stops (November 2023)

When a Terminal Goes Dark, National Freight Feels It

On the evening of 10 November 2023, DP World Australia’s technology team detected unauthorised access to the company’s corporate network. The decision to disconnect the network from the internet [the correct incident containment response] simultaneously halted land-side port operations at four of Australia’s largest container terminals.

Key ports in Sydney, Melbourne, Brisbane, and Fremantle, responsible for about 40 percent of Australia’s import-export traffic, were severely affected for three days. Approximately 30,000 containers, including refrigerated ones containing perishable goods such as blood plasma, were stranded at these ports. The disruption led to a near-capacity pile-up of containers on docks, severely limiting storage space. The delays in container movement impacted a variety of industries, from retail to critical industrial operations. SAFETY4SEA

Australia’s federal cybersecurity coordinator described the event as a “nationally significant incident impacting a number of maritime port facilities”. Home Affairs Minister Clare O’Neil confirmed that the government was coordinating a national response. Dryadglobal

By 20 November, seven days after port operations recommenced and ten days after first detecting the incident, DP World Australia had cleared 100 percent of the backlog, comprising some 30,137 containers. The investigation confirmed no ransomware was found or deployed within the DP World Australia network; no encrypted files and no ransom demand were identified, though data had been accessed and exfiltrated. Maritime Executive

Two elements of the DP World Australia incident are particularly instructive for the broader industry. First, the correct containment action, network disconnection, itself caused the operational disruption. The security response and the operational impact were the same event. This is a characteristic of port cyber incidents that distinguishes them from most corporate data breaches: there is no option to investigate quietly while operations continue. Second, the attacker did not need to deploy ransomware. The data exfiltration alone [the contents of which have not been fully disclosed] represented a significant intelligence and potential commercial liability exposure for the company and its counterparties.


The Threat Actor Landscape: Criminal, Hacktivist, and State

The port infrastructure threat does not come from a single category of attacker. Three distinct actor types are now documented as targeting maritime port environments, each with different objectives and different implications for port operators.

State-sponsored actors: intelligence collection and pre-positioning

In May 2025, a joint cybersecurity advisory (CISA AA25-141A) co-issued by 21 agencies from 11 allied nations, including CISA, the UK NCSC, and counterparts in Germany, France, and Canada, confirmed that APT28 (Fancy Bear), Russia’s GRU Unit 26165, had targeted “dozens of entities, including government organizations and private and commercial entities across virtually all transportation modes: air, sea, and rail” within NATO member states, Ukraine, and international organizations. Industrial Cyber

According to NORMA Cyber (the Norwegian Maritime Cyber Resilience Centre), APT28 has specifically targeted maritime operators, logistics companies, and air traffic control networks in at least 11 countries. In January 2026, APT28 ran a concentrated 72-hour spear-phishing campaign across nine Eastern European nations; defence ministries made up about 40 percent of recipients, transportation and logistics operators 35 percent, and diplomatic entities 25 percent. Smartmaritimenetwork SAFETY4SEA

The Polish ports of Gdansk and Gdynia and the Taiwanese ports of Kaohsiung and Keelung have been assessed with a critical composite cyber risk score of 95 out of 100. The Polish ports are threatened primarily by APT28 because of their role as key transit hubs for military and humanitarian aid to Ukraine; the Taiwanese ports face Chinese threats from Volt Typhoon, APT41, and the ArcaneDoor campaign amid escalating geopolitical tension over the semiconductor supply chain. SAFETY4SEA

The Iranian cyber retaliation campaign examined in Briefing #9 exposed a state playbook that is now becoming unmistakable across the maritime domain. Following Operation Epic Fury, Ministry of Intelligence and Security-affiliated groups shifted from espionage to disruptive and destructive operations against energy, logistics, and critical infrastructure. The significance lies not only in the attacks themselves, but in the methodology behind them: infrastructure mapped in advance, access established quietly, and capability held in reserve until strategic conditions justified activation. That is the same pre-positioning logic now being documented by CISA and allied intelligence agencies against European port infrastructure. The Hormuz crisis made visible what had been building for years: state actors no longer treating maritime logistics as a target of opportunity, but as a strategic battlespace to be surveilled, penetrated, and, when required, disrupted at scale.

The objective of state-sponsored actors in port environments is not always immediate disruption. Pre-positioning, establishing persistent access that can be activated at a strategically chosen moment, is a documented methodology that requires years of patient infiltration before producing visible effects. The value of access to a major port’s vessel traffic management system, cargo manifests, or dangerous goods databases is significant for intelligence collection long before any destructive action is considered.

Criminal ransomware operators: financial extraction through operational leverage

According to NORMA Cyber, at least 45 maritime organisations were attacked with ransomware in 2024, with the actual number likely to be significantly higher. BlackCat (ALPHV) was held responsible for the German terminal attacks of January 2022, and Conti for the Sea-Invest attack (see Case Study 2). Maritime Administration

The criminal ransomware model applied to port infrastructure follows a straightforward logic: the operational dependency of the broader logistics chain on terminal continuity creates extraordinary pressure to pay. A port operator whose terminal operating system has been encrypted is not simply facing a data recovery problem. They are facing vessel queuing costs, cargo demurrage claims, perishable goods losses, contractual penalties, and the commercial reputational consequences of being the operational bottleneck in a global supply chain. The leverage available to a ransomware operator targeting a major terminal is qualitatively different from the leverage available when targeting a corporate data environment.

Hacktivists: geopolitical disruption as operational objective

Pro-Palestinian hacktivists have targeted Israeli-linked vessels using AIS data. Russian groups have targeted European ports supporting Ukraine. Chinese state actors have compromised classification societies that certify the world’s fleets. Insurance Edge

Hacktivist targeting of port infrastructure has escalated alongside geopolitical conflict. The same collectives documented in Briefing #9 as targeting Gulf energy infrastructure [Handala, Cyber Islamic Resistance, NoName057(16)] have also conducted DDoS campaigns against European port authority websites and logistics platforms, primarily as psychological and political messaging operations. While the operational impact of DDoS against public-facing websites is limited compared to ransomware against terminal operating systems, these campaigns serve as demonstrators of capability and intent, and in some cases as cover for more targeted intrusion activity occurring simultaneously.


Operational Impact: What Port Disruption Actually Costs

The financial quantification of port cyberattacks has historically been constrained by the reluctance of operators to disclose the full operational and commercial consequences. The available data is nonetheless significant.

The NotPetya impact on Maersk and APM Terminals produced documented losses of USD 250–300 million from a single malware strain that was not specifically designed to target the company. The total costs of the NotPetya outage across all affected companies amounted to an estimated USD 10 billion globally. United Against Nuclear Iran

Cyberattacks aimed at logistics firms are projected to double in 2026, having risen 61 percent in 2025, from 132 to 213 incidents, and nearly 1,000 percent since 2021. Attackers are moving away from hitting individual companies and instead targeting shared transportation networks, where a single breach can ripple across thousands of businesses. SMI Digital

Beyond direct financial loss, port cyberattacks produce a category of impact that does not appear in incident cost estimates: the erosion of trust in the port as a reliable logistics node. Shipping lines that divert bookings away from a cyber-attacked port [as happened with Maersk during NotPetya recovery] may not return immediately even after operations are restored. The reputational and commercial consequences of being perceived as an unreliable logistics gateway compound the direct operational losses.

For ports that serve NATO logistics functions [as the Polish ports of Gdansk and Gdynia do in the context of Ukraine support] a successful cyberattack carries national security implications that extend far beyond the commercial port operations. The targeting of these ports by APT28 reflects a deliberate strategic assessment of their value as logistics chokepoints.


The incident record is clear: ports do not fail as isolated systems. They fail as connected ecosystems.

Mitigation: Building Resilience Into Port Operations

Resilience Determines How Long the Terminal Stays Dark

IT/OT network segmentation as a non-negotiable baseline

The NotPetya incident demonstrated with devastating clarity what happens when there is no meaningful barrier between administrative IT networks and operational terminal systems. Robust network segmentation, with clearly defined, monitored, and enforced boundaries between corporate IT, terminal operating systems, vessel traffic management, and industrial control systems, is the foundational control that prevents a malware infection from becoming a terminal shutdown. Segmentation has to cover identity as well as the network: if the same administrative credentials are valid on both sides of a firewall, a worm that harvests them crosses the boundary regardless of the rules. In practice that means an OT zone with its own administrative accounts, reached from corporate IT only through a brokered jump host, with a default-deny policy and with the Windows lateral-movement protocols (SMB, RPC, RDP, WinRM) blocked at the boundary. This is not a new recommendation. It is the recommendation that the industry documented in 2017 and has still not universally implemented in 2026.

Briefing #8 of this series documented how AI has compressed the vulnerability exploitation window to under 48 hours, and in some cases to under 15 minutes, from public disclosure to active exploitation. That timeline makes the periodic patch cycles common in port OT environments, typically aligned to maintenance windows and vendor service schedules, functionally inadequate as a primary vulnerability management mechanism. Continuous monitoring of OT network behaviour, combined with compensating controls at the zone boundary (exposure reduction, virtual patching where vendor certification lags) and risk-based prioritisation of critical patches, is the only credible response to a threat that moves faster than scheduled maintenance can track.
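The segmentation requirement can be made checkable rather than aspirational. The Python below is an added example written for this briefing, not code from the briefing or from any firewall vendor. It models a hypothetical terminal network as zones (corporate IT, an OT DMZ holding the jump hosts, TOS, ICS) and lints a firewall ruleset for the paths a NotPetya-class worm would use: any-port allows into OT, the Windows lateral-movement ports (RPC 135, NetBIOS 139, SMB 445, RDP 3389, WinRM 5985/5986) reachable from corporate IT, and internet-exposed paths into OT. The zone addressing, the port list and both sample rulesets are constructed assumptions.

```python
"""Lint a firewall ruleset for IT/OT segmentation violations.

Added example for this briefing; not code from the briefing or from any
vendor. Zone names, address ranges, port lists and the two sample rulesets
are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zone map for a hypothetical terminal network.
ZONES = {
    "corporate_it": ip_network("10.10.0.0/16"),
    "ot_dmz":       ip_network("10.20.0.0/24"),  # jump hosts, patch relay, historian mirror
    "tos":          ip_network("10.30.0.0/24"),  # terminal operating system servers
    "ics":          ip_network("10.40.0.0/24"),  # fuel, reefer power, electrical distribution
    "internet":     ip_network("0.0.0.0/0"),
}
OT_ZONES = {"tos", "ics"}

# Ports a NotPetya-style worm rides between hosts: RPC/WMI, NetBIOS, SMB, RDP, WinRM.
LATERAL_MOVEMENT_PORTS = frozenset({135, 139, 445, 3389, 5985, 5986})


@dataclass(frozen=True)
class Rule:
    src: str          # source CIDR
    dst: str          # destination CIDR
    ports: frozenset  # destination TCP ports; empty means "any port"
    action: str       # "allow" or "deny"


def zone_of(cidr: str) -> str:
    """Return the most specific zone containing the CIDR ("unknown" if none)."""
    net = ip_network(cidr)
    best = None
    for name, zone in ZONES.items():
        if net.subnet_of(zone) and (best is None or zone.prefixlen > ZONES[best].prefixlen):
            best = name
    return best or "unknown"


def lint(rules):
    """Return (rule, reason) pairs for every allow rule that weakens OT segmentation."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        if dst_zone not in OT_ZONES:
            continue  # only inbound paths into OT zones are judged here
        if src_zone == "internet":
            findings.append((r, f"internet-exposed path into {dst_zone}"))
            continue
        if src_zone == "corporate_it":
            # IT may reach OT only through brokered sessions that originate in the OT DMZ.
            findings.append((r, f"corporate_it reaches {dst_zone} directly; route via ot_dmz"))
        if not r.ports:
            findings.append((r, f"any-port allow into {dst_zone}"))
        elif r.ports & LATERAL_MOVEMENT_PORTS and src_zone != "ot_dmz":
            hot = sorted(r.ports & LATERAL_MOVEMENT_PORTS)
            findings.append((r, f"lateral-movement ports {hot} open into {dst_zone} from {src_zone}"))
    return findings


# Constructed ruleset with the flat, NotPetya-shaped topology: IT talks straight to OT.
FLAT_RULESET = [
    Rule("10.10.0.0/16", "10.30.0.0/24", frozenset(), "allow"),
    Rule("10.10.0.0/16", "10.40.0.0/24", frozenset({445, 3389}), "allow"),
    Rule("0.0.0.0/0", "10.30.0.0/24", frozenset({443}), "allow"),
]

# Constructed ruleset with a brokered boundary: IT -> DMZ jump host -> OT, deny by default.
SEGMENTED_RULESET = [
    Rule("10.10.0.0/16", "10.20.0.0/24", frozenset({443}), "allow"),    # IT to jump-host portal
    Rule("10.20.0.10/32", "10.30.0.0/24", frozenset({3389}), "allow"),  # jump host to TOS (RDP)
    Rule("10.30.0.0/24", "10.40.0.0/24", frozenset({4840}), "allow"),   # TOS to ICS historian (OPC UA)
    Rule("0.0.0.0/0", "10.30.0.0/24", frozenset(), "deny"),
]

if __name__ == "__main__":
    for name, ruleset in (("flat", FLAT_RULESET), ("segmented", SEGMENTED_RULESET)):
        findings = lint(ruleset)
        print(f"{name}: {len(findings)} finding(s)")
        for rule, reason in findings:
            print(f"  {rule.src} -> {rule.dst}: {reason}")
```

Run against the flat ruleset the lint reports five findings (direct IT-to-OT paths, an any-port allow, SMB/RDP open from IT, and an internet-exposed TOS); the segmented ruleset produces none, because the only RDP path into the TOS originates from a jump host in the OT DMZ. The same check can be fed from exported firewall policy on a schedule, which is how "monitored and enforced boundaries" becomes more than a sentence in a policy document.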

Terminal Operating System resilience and offline backup capability

Exploiting the lateral movement potential between terminals, logistics partners, and inland transport networks is now an established attacker methodology. Terminal operators need tested offline backup and recovery capabilities for TOS environments that allow partial operations to continue during a cyber incident: not full capability, but enough to manage safety-critical functions such as dangerous goods segregation, vessel berthing, and emergency cargo movements. This requires investment in backup infrastructure and regular restore testing, not simply the existence of a backup policy. A backup that ransomware can reach over the network is not a backup; at least one copy must be offline or immutable, and its integrity must be verified before an incident rather than discovered during one. Shipping Telegraph
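A restore test starts by confirming that the backup set is intact, current, and out of an attacker's reach. The Python below is an added example for this briefing, not code from the briefing, from DP World, from Maersk or from any backup vendor. It verifies a TOS backup set against a manifest written at backup time: every file present with a matching SHA-256, no unlisted files, a recovery point inside the recovery point objective, and at least one copy flagged offline or immutable. The manifest layout, file names and contents, copy locations and the 24-hour RPO are constructed assumptions.

```python
"""Verify an offline TOS backup set before trusting it for a restore test.

Added example for this briefing; not code from the briefing, DP World, Maersk
or any backup vendor. The manifest layout, file names, contents, copy
locations and the 24-hour RPO are constructed assumptions.
"""
import hashlib
from datetime import datetime, timedelta, timezone

RPO = timedelta(hours=24)  # assumed recovery point objective for the TOS database
NOW = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed time of the restore test
STALE_NOW = NOW + timedelta(days=2)                      # constructed: test run two days late


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed backup set; in practice these are files on the backup target.
BACKUP_FILES = {
    "tos_db_2026-03-01.dump": b"berth-plan,yard-plan,dg-manifest\n",
    "tos_config.tar": b"crane-sequencing-config\n",
}

# Constructed manifest written at backup time and stored with each copy.
MANIFEST = {
    "created": "2026-03-01T02:00:00+00:00",
    "copies": [
        {"location": "san-primary", "offline": False, "immutable": False},
        {"location": "tape-vault-B", "offline": True, "immutable": True},
    ],
    "files": {name: sha256_hex(data) for name, data in BACKUP_FILES.items()},
}


def verify_backup(manifest, files, now, rpo=RPO):
    """Return a list of problems; empty means the set is fit for a restore test.

    Checks: every manifest entry present with matching SHA-256, no unlisted
    files, recovery point within the RPO, and at least one copy that network
    ransomware cannot reach (offline or immutable).
    """
    problems = []
    for name, expected in manifest["files"].items():
        data = files.get(name)
        if data is None:
            problems.append(f"missing file: {name}")
        elif sha256_hex(data) != expected:
            problems.append(f"hash mismatch: {name}")
    for name in files:
        if name not in manifest["files"]:
            problems.append(f"unlisted file in backup set: {name}")
    age = now - datetime.fromisoformat(manifest["created"])
    if age > rpo:
        problems.append(f"recovery point is {age} old, beyond RPO of {rpo}")
    if not any(c["offline"] or c["immutable"] for c in manifest["copies"]):
        problems.append("no offline or immutable copy; ransomware on the network can reach every copy")
    return problems


def simulate_tamper(files):
    """Constructed failure case: an attacker rewrites the database dump in place."""
    tampered = dict(files)
    tampered["tos_db_2026-03-01.dump"] = b"berth-plan,yard-plan\n"  # dangerous-goods rows gone
    return tampered


if __name__ == "__main__":
    print("clean set:", verify_backup(MANIFEST, BACKUP_FILES, NOW) or "OK")
    print("tampered set:", verify_backup(MANIFEST, simulate_tamper(BACKUP_FILES), NOW))
    print("stale set:", verify_backup(MANIFEST, BACKUP_FILES, STALE_NOW))
```

The tampered case matters most for the safety-critical functions named above: a dump that restores cleanly but has lost its dangerous-goods rows would pass a naive "did the restore succeed" test and fail the terminal at the berth. Hash verification against a manifest stored with the offline copy catches it before the incident does.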

Third-party and supply chain access governance

Port environments are characterised by large numbers of third-party connections: shipping agents with cargo system access, customs authorities with manifest data access, trucking companies with gate and yard system connections, and service contractors with engineering system access. Each of these represents a potential entry point that bypasses the port operator’s own perimeter controls. Governance of third-party access through formal assessments, contractual security requirements, session-based access controls, and access revocation procedures is as important in port environments as network segmentation. Partner access into operational systems should be time-boxed and brokered through a jump host or privileged access management layer, so that a partner credential leaked in a breach elsewhere does not become a standing door into the terminal, and accounts whose contracts have lapsed or that have gone dormant should be revoked on a schedule rather than discovered during an incident.
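The revocation and session-brokering rules above are the kind of thing that should be audited from the identity provider's export rather than trusted to exist. The Python below is an added example for this briefing, not code from the briefing or from any identity product. It audits a constructed inventory of third-party accounts against four rules: contract still valid, no dormancy beyond 30 days, MFA enforced, and no standing (non-brokered) login into systems adjacent to terminal operations. The partner names, system names, dates and the 30-day dormancy threshold are constructed assumptions.

```python
"""Audit third-party accounts against port access-governance rules.

Added example for this briefing; not code from the briefing or from any
identity product. Partner names, system names, dates and the 30-day dormancy
threshold are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Systems where a compromised partner login reaches terminal operations, not just paperwork.
OT_ADJACENT = {"tos", "gate_os", "vtms", "reefer_scada"}
DORMANCY = timedelta(days=30)
TODAY = date(2026, 3, 1)  # constructed audit date


@dataclass(frozen=True)
class ThirdPartyAccount:
    user: str
    partner: str
    system: str
    contract_end: date
    last_login: Optional[date]
    mfa: bool
    session_brokered: bool  # time-boxed PAM/jump-host session instead of a standing login


def audit(accounts, today=TODAY):
    """Return {user: [reasons]} for every account violating at least one rule."""
    findings = {}
    for a in accounts:
        reasons = []
        if a.contract_end < today:
            reasons.append("contract expired; revoke")
        if a.last_login is None or today - a.last_login > DORMANCY:
            reasons.append("dormant >30d; disable")
        if not a.mfa:
            reasons.append("no MFA")
        if a.system in OT_ADJACENT and not a.session_brokered:
            reasons.append(f"standing access to {a.system}; move to brokered sessions")
        if reasons:
            findings[a.user] = reasons
    return findings


def revocation_list(findings):
    """Users whose access should be cut immediately rather than remediated."""
    return sorted(user for user, reasons in findings.items()
                  if any(r.startswith("contract expired") for r in reasons))


# Constructed account inventory, as exported from the identity provider.
ACCOUNTS = [
    ThirdPartyAccount("agent.kim", "Northline Agencies", "cargo_portal",
                      date(2026, 12, 31), date(2026, 2, 26), True, False),
    ThirdPartyAccount("svc.cranevendor", "CraneCo Service", "tos",
                      date(2025, 6, 30), date(2025, 12, 1), False, False),
    ThirdPartyAccount("trucker.api", "Inland Haulage", "gate_os",
                      date(2026, 9, 30), date(2026, 2, 28), True, False),
    ThirdPartyAccount("customs.link", "Customs Authority", "cargo_portal",
                      date(2027, 1, 31), None, True, True),
]

if __name__ == "__main__":
    findings = audit(ACCOUNTS)
    for user, reasons in findings.items():
        print(user, "->", "; ".join(reasons))
    print("revoke now:", revocation_list(findings))
```

In the constructed inventory the crane vendor's service account fails every rule at once: an expired contract, three months of dormancy, no MFA, and a standing login into the TOS. That profile, a forgotten contractor account with direct operational reach, is exactly the entry point the paragraph above warns about, and it is invisible until someone runs the audit.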

Collective intelligence and information sharing

The Dutch Ferm Seaports initiative, which unites over a thousand companies across five major ports under a shared intelligence and response framework, is cited by the World Economic Forum as a proven blueprint. Ferm identifies roughly fifteen vulnerable systems and issues two urgent advisories weekly. While ports compete commercially, the model demonstrates that cyber threat intelligence sharing across a port community is both operationally feasible and strategically necessary. CYTUR

The Ferm model addresses a structural problem in port cyber security: individual port operators, particularly smaller terminal operators and port service companies, lack the resources and intelligence access to maintain current awareness of the threat landscape targeting their environment. A collective model that aggregates intelligence from national cyber security centers, maritime sector signals, and participating operators [and translates it into actionable operational guidance] is the appropriate institutional response to a threat that operates at ecosystem scale.

Incident response planning for port-specific scenarios

Port incident response plans must address scenarios that have no direct parallel in generic IT incident response frameworks.

  • What is the procedure when the TOS must be taken offline to contain an incident, and vessels are scheduled to berth in six hours?
  • What is the fallback when the dangerous goods management system is unavailable and a vessel carrying hazardous cargo is approaching the berth?
  • Who has authority to declare a force majeure on cargo commitments?

These questions need answers before an incident occurs, not during one.


Regulatory Considerations

Governance Must Catch Up With Cascading Port Risk

The regulatory framework governing port cyber security is evolving, but enforcement and implementation remain uneven across jurisdictions.

Maritime ports handle 80 percent of global trade and serve as critical nodes in NATO’s defence logistics network, yet they face unprecedented cybersecurity threats from state-linked actors. Nearly all surveyed countries have experienced cyberattacks within the past five years, with access control systems and vessel traffic management systems among the primary targets. The blurring of responsibilities between national and international, public and private entities particularly challenges coordinated response. Anglo-Eastern

In Europe, NIS2 lists managing bodies of ports and operators of port facilities as essential entities in its transport sector, imposing mandatory security measures, supply chain risk governance, and incident reporting obligations: an early warning within 24 hours of becoming aware of a significant incident, a full notification within 72 hours, and a final report within one month. The January 2022 European oil terminal attacks, which affected operators across multiple member states simultaneously, illustrated precisely the kind of cross-border incident that NIS2’s reporting framework was designed to address.

The US Coast Guard’s Cybersecurity in the Marine Transportation System rule, finalised in January 2025, imposes incident reporting obligations, a designated cybersecurity officer, cybersecurity assessments and plans, and training requirements on vessels and facilities regulated under the Maritime Transportation Security Act, providing a parallel framework at the facility level. The US Department of Homeland Security’s designation of maritime transportation as critical infrastructure creates an additional layer of federal interest in port cyber resilience that is increasingly reflected in port security planning requirements.

IACS UR E26 and E27, while primarily applicable to vessel systems, have begun to influence shore-side cyber security expectations as classification societies and port state control authorities develop more integrated approaches to maritime cyber governance. The concept of a Software Bill of Materials, which is now required under E27 for onboard systems, is directly applicable to the complex software environments operating within major terminal facilities, where a TOS, its middleware and its integrations are rarely inventoried to the component level.

What is still absent is a harmonised international framework specifically governing port infrastructure cyber security and the cross-border cascade risk the incident record has already demonstrated. The 2022 European oil terminal attacks affected operators across three countries. The DP World Australia incident prompted a nationally significant response from a government that had no prior framework for coordinating a cyber incident affecting 40 percent of national freight capacity. The industry cannot wait for the next incident to define the response architecture.



Port infrastructure is not a passive target waiting to be discovered by attackers. It is an active, documented, and escalating target being pursued by state-sponsored threat actors conducting strategic pre-positioning, criminal ransomware operators applying maximum operational leverage, and hacktivist collectives using disruption as political messaging. The incident record from 2017 through to 2026 demonstrates consistent patterns: the cascade effect of port disruption extends far beyond the terminal perimeter; the financial and operational consequences are severe and compound over time; and the security controls that would have prevented or contained the worst incidents were known, affordable, and not implemented.

Traditional isolated security postures are obsolete against threats that cascade rapidly across interconnected supply chains. The necessary response is a collective cyber defence model. One that treats port cyber security as an ecosystem responsibility rather than an individual operator obligation. Shipping Telegraph

The World Economic Forum’s framing of this as a collective defence problem is correct. Individual port operators, terminal companies, and logistics providers cannot independently achieve the intelligence access, monitoring capability, and incident response capacity that the current threat environment requires. The Dutch Ferm model, with shared intelligence, shared response planning, and shared accountability, clearly represents the direction the industry must move.

The question for port operators, terminal companies, and maritime logistics providers is not whether their infrastructure will be targeted. The incident record has settled that question. The question is whether, when the terminal goes dark, they will have the segmentation, the backup capability, the response plan, and the collective intelligence framework to limit the darkness to hours rather than days. And to prevent it from spreading to every organization connected to them.


Maritime Cyber Threat Briefing is an independent series covering cyber threats, vulnerabilities, and risk management across the global maritime industry. It is published by Alexandros Engelen, a Cybersecurity Strategist, specializing in maritime cyber risk.

Sources: CYTUR 2026 Maritime Cyber Threat White Paper, SAFETY4SEA, Industrial Cyber, World Economic Forum / Port of Rotterdam, SC Media, CCDCOE Policy Brief, Recorded Future News, S&P Global Platts, The Stack Technology, BankInfoSecurity, ASIS Online, DP World Australia official statements, MSSP Alert, Waterstons, SOCRadar® Extended Threat Intelligence, Security Boulevard, Reveal Security, The Record / Recorded Future News, CISA Advisory AA25-141A, NORMA Cyber, MDPI Maritime Risk Journal, Computer Weekly, CNBC, Supply Chain Dive, Euromaidan Press.

No commercial relationship exists with any cited organization.