The Hormuz Playbook: Cyber, Electronic Warfare, and the Live Anatomy of Maritime Hybrid Conflict

Maritime Cyber Threat Briefing #9

Hybrid Warfare Has Reached the Waterway

Since 28 February 2026, commercial transit through the Strait of Hormuz has been severely disrupted, with operators suspending or sharply reducing movements under a rapidly escalating threat environment.

The International Maritime Organization Secretary-General has confirmed 21 attacks on commercial ships since 28 February 2026, resulting in 10 seafarer fatalities. Approximately 20,000 civilian seafarers remain stranded aboard vessels in the Persian Gulf facing dwindling supplies, fatigue, and severe psychological stress. The World Bank has characterised the disruption as the largest oil supply shock on record, with an initial reduction in global oil supply of approximately 10 million barrels per day. Brent crude prices remained more than 50 percent higher in mid-April than at the start of the year. Brent crude reached an intraday high of USD 126.41 per barrel on 30 April 2026, a four-year price peak, according to Argus Media. Small Wars Journal + 2

The maritime industry has discussed hybrid warfare largely in theoretical terms. The Hormuz crisis has turned that theory into operational reality, and the cyber and electronic warfare dimensions of what is unfolding provide the most consequential live case study in maritime hybrid conflict that the industry has ever had to analyze in real time.

This briefing examines what is actually happening in the cyber and electronic warfare domains, what it means for commercial shipping, and what the lasting implications are for how maritime operators must think about their exposure to conflict-adjacent threats. The series has documented Iranian cyber-to-kinetic targeting since Briefing #1. This is where that arc lands.


The Electronic Battlefield: What Is Happening to Navigation in the Gulf

Before a single kinetic weapon was deployed against a commercial vessel, the maritime operating environment in and around the Strait of Hormuz had already been rendered electronically hostile. The mechanism is GNSS manipulation [jamming and spoofing] at a scale and sophistication that has no precedent in commercial shipping history.

Widespread GNSS jamming and GPS spoofing disrupted navigation for more than 1,650 ships in the Middle East Gulf as of early March 2026, turning the Strait of Hormuz into a live stress-test for global maritime positioning infrastructure. The Royal Institute of Navigation and maritime analytics firm Windward have both classified the current situation as unprecedented in scale for a commercial shipping context. GIS Resources

Satellite navigation interference detected near the UAE coast created the appearance of vessels sailing in straight lines toward the Strait of Hormuz, even though the ships were not actually following those tracks. The anomaly was first observed off Ras Al Khaimah, where vessel positions began appearing in long linear patterns inconsistent with normal navigation. Playback analysis of AIS data confirmed the movements were not real. The EU’s Maritime Security Centre warned that heavy GPS and AIS spoofing was continuing across the Arabian Gulf, Strait of Hormuz, and Gulf of Oman, with disruptions also affecting communications and radar systems, stating that navigation systems in the region were “highly likely to be unreliable”. gCaptain

When GNSS spoofing manipulates vessel positions, those incorrect coordinates propagate across global tracking networks used by governments, shipping companies, insurers, and intelligence analysts, effectively creating a data integrity attack against maritime telemetry. This demonstrates how electronic warfare can indirectly compromise digital infrastructure by poisoning trusted data sources rather than directly breaching networks. Polyswarm

The operational implications for commercial vessels are severe. A ship navigating on corrupted position data in a 34-kilometre wide strait, in the presence of active sea mines, fast attack craft, and other vessels suffering the same interference, is in genuine danger, not because its crew lacks skill, but because the fundamental data inputs underpinning its navigation have been deliberately poisoned.

GNSS Denial Turns Navigation Into Operational Risk

The series documented GPS spoofing in Briefing #5 and its role in the MSC Antonia grounding in Briefing #7. What the Hormuz crisis has demonstrated is what that capability looks like when deployed at strategic scale, by a state actor, as an integral component of a military campaign designed to control access to a major waterway.


AIS as a Disinformation Platform

Beyond navigation disruption, the Hormuz crisis has exposed the AIS system as a disinformation platform operating at extraordinary scale.

AIS data in and around the Strait of Hormuz is underreporting actual vessel traffic by as much as 50 percent, according to field investigation by Citrini Research corroborated by multiple maritime intelligence firms. Ships are going dark on transponders, spoofing GPS coordinates, broadcasting false destinations, duplicating the identity codes of scrapped ships, and swapping identities with nearby vessels. Achievers

About 540 oil tankers carrying an estimated 314 million barrels are at sea with no fixed destination, listed simply as “awaiting orders”, effectively a USD 30 billion floating oil exchange waiting for a safe route. Some ships are broadcasting destinations such as “China Owner and All Crew”, turning a navigational data field into a live political message directed at Iranian forces: do not shoot, we are not your target. Pole Star Global

This data integrity dimension extends well beyond the Gulf. Ship operators and port authorities globally rely on AIS data for vessel scheduling, berth planning, and cargo coordination. When a significant proportion of AIS transmissions from a major global shipping region are suppressed, spoofed, or deliberately falsified, the integrity of logistics planning data degrades across the entire network. The corrupted data does not stay in the Strait of Hormuz; it propagates into every platform that ingests it.
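An ingest-side plausibility check for the AIS anomalies described in this section (position jumps from spoofed fixes or shared identities, reported speed that contradicts the track, and vessels going dark), added here as an example and not taken from the briefing or any cited source. The record field names, the thresholds, and the sample reports are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

# Thresholds are assumptions for this example; tune them per fleet and feed.
EARTH_RADIUS_NM = 3440.065   # mean Earth radius in nautical miles
MAX_SPEED_KN = 40.0          # assumed ceiling for merchant vessel speed
SOG_TOLERANCE_KN = 8.0       # allowed gap between derived and reported speed
MAX_GAP_S = 6 * 3600         # silence longer than this counts as "going dark"

def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))

def flag_track_anomalies(reports):
    """Return sorted (mmsi, t, reason) tuples for implausible consecutive reports."""
    tracks = defaultdict(list)
    for r in reports:
        tracks[r["mmsi"]].append(r)
    flags = []
    for mmsi, track in tracks.items():
        track.sort(key=lambda r: r["t"])
        for prev, cur in zip(track, track[1:]):
            dt = cur["t"] - prev["t"]
            dist = haversine_nm(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dt > MAX_GAP_S:
                flags.append((mmsi, cur["t"], "reporting_gap"))
            # Floor dt at 1 s so simultaneous reports from two places still trip.
            derived_kn = dist / (max(dt, 1) / 3600.0)
            if derived_kn > MAX_SPEED_KN:
                # Spoofed fix, or two transmitters sharing one identity.
                flags.append((mmsi, cur["t"], "position_jump"))
            elif dt > 0 and abs(derived_kn - cur["sog"]) > SOG_TOLERANCE_KN:
                flags.append((mmsi, cur["t"], "sog_mismatch"))
    return sorted(flags)

# Constructed sample reports (fictional MMSIs, positions and times in seconds).
SAMPLE = [
    {"mmsi": 999000001, "t": 0,     "lat": 25.8000, "lon": 55.80, "sog": 10.0},
    {"mmsi": 999000001, "t": 600,   "lat": 25.8278, "lon": 55.80, "sog": 10.0},
    {"mmsi": 999000001, "t": 1200,  "lat": 26.5000, "lon": 56.40, "sog": 10.0},
    {"mmsi": 999000002, "t": 0,     "lat": 26.0000, "lon": 56.00, "sog": 0.1},
    {"mmsi": 999000002, "t": 1800,  "lat": 26.1000, "lon": 56.00, "sog": 0.1},
    {"mmsi": 999000002, "t": 30600, "lat": 26.1000, "lon": 56.00, "sog": 0.1},
]
```

Flagged reports are candidates for quarantine or cross-checking against an independent source before they reach scheduling or berth-planning systems; a flag alone does not distinguish interference from a faulty transponder.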


The Cyber Campaign: Iranian Retaliation Beyond the Waterway

The kinetic and electronic warfare dimensions of the Hormuz crisis are the most immediately visible. But Iran’s cyber retaliation has created a threat environment that extends far beyond the Gulf and directly into the commercial maritime sector’s shore-based infrastructure.

Following Operation Epic Fury, Iranian-linked actors moved beyond quiet intelligence gathering to a coordinated, hybrid offensive. Ministry of Intelligence and Security affiliated groups significantly escalated their operations, shifting from espionage to disruptive and destructive campaigns targeting energy, critical infrastructure, finance, telecommunications, and healthcare sectors. Tenable®

For maritime operators, the practical implication is that a vessel can remain outside the Gulf and still be exposed through shore offices, logistics platforms, cloud-dependent workflows, and energy-linked commercial relationships.

MuddyWater had already planted backdoors inside a US bank, airport, and defence-adjacent firms before the conflict began. Pro-Iranian group Handala claimed attacks on Israeli energy firms, Jordanian fuel systems, and Aramco facilities. CrowdStrike’s Adam Meyers confirmed the firm was already observing activity from Iranian-aligned threat actors and hacktivist groups conducting reconnaissance and initiating DDoS attacks, noting: “These behaviors often precede more aggressive operations. In past conflicts, Tehran’s cyber actors have aligned their activity with broader strategic objectives that increase pressure and visibility at targets, including energy, critical infrastructure, finance, telecommunications, and healthcare.” SOCRadar, United Against Nuclear Iran

Iran’s most effective strategy lies in sustained cyber and proxy operations conducted below the threshold of formal state attribution: actions that impose economic and psychological costs while denying clear conventional response pathways. Energy, logistics, and cloud environments remain within scope of both kinetic and cyber targeting. Security Council Report

For shipping companies with Gulf operations, US-flagged or US-aligned commercial entities, and organizations within sectors Iran has explicitly identified as targets (fuel procurement, port logistics, energy supply chains), the cyber threat environment is materially elevated regardless of whether their vessels are anywhere near the Strait.


The Commercial Shipping Paralysis: What Hybrid Warfare Looks Like in Practice

The combination of kinetic attacks, electronic warfare, and cyber operations has produced an outcome no individual attack vector could have achieved alone: the near-complete commercial paralysis of the world’s most strategically critical shipping chokepoint.

Some 20,000 seafarers on approximately 2,000 ships [including oil and gas tankers, bulk carriers, cargo ships, and six tourist cruise liners] are trapped in the Persian Gulf, unable to pass through the Strait of Hormuz. The situation has been described as unprecedented in the post-Second World War era. Prior to the conflict, around 150 vessels passed through the waterway every day; now only four or five do so. CISA

Roughly 80 vessels passed through the strait in the week of 13–19 April, according to Lloyd’s List Intelligence, compared to approximately 130 or more transits per day before the war. Dozens of ships have come under attack since the conflict began. CISA

The mechanism of this paralysis is the interaction between domains, not any single element within them. Kinetic attacks on vessels created physical risk. Electronic warfare made navigation unreliable. Mine-laying created uncertainty about safe transit routes. Cyber operations against insurance and logistics infrastructure elevated risk assessments. The combination produced a deterrence effect on commercial traffic that no state actor has previously achieved through electronic means alone.

This is the Hormuz Playbook. Maritime cyber security professionals need to understand it not merely as a geopolitical event but as an operational template that other state actors are already studying.


Lessons for Commercial Maritime Operators

Hybrid Conflict Multiplies Commercial Risk
  • GNSS dependency is an operational vulnerability, not just a technical one. Vessels operating in or adjacent to conflict zones with total dependence on GNSS for navigation are operating with a single point of failure that state actors can disable on demand. Multi-system backup navigation [cross-referencing GNSS with radar, inertial navigation, and visual reference] must move from best practice to operational standard. IACS UR E26 requires documented contingency procedures for navigation system failure; operators need to treat GNSS denial as a credible scenario in passage planning, not a theoretical edge case.
  • AIS data cannot be trusted in conflict-adjacent waters. The integrity of vessel tracking data across the Gulf has been fundamentally compromised. Commercial operators relying on AIS for situational awareness, scheduling, or cargo coordination in affected regions must implement independent verification. Any platform aggregating AIS data from the region is currently distributing partially or wholly corrupted information, with downstream consequences for logistics planning far beyond the immediate conflict zone.
  • Conflict-adjacent cyber threat elevation is real and specific. The Iranian cyber retaliation campaign is not random. It is targeting entities economically linked to the US-Israeli campaign [energy companies, logistics operators, port facilities, and financial institutions] processing related transactions. Maritime companies need to assess their specific exposure to this targeting logic and elevate their defensive posture: reviewing remote access controls, verifying backup integrity, and ensuring incident response plans are current and tested.
  • Insurance and war risk frameworks were not designed for this. War risk premiums for Strait transit increased from approximately 0.2 percent to nearly 1 percent of ship value, meaning a tanker worth USD 100 million faces a war risk premium of USD 1 million per transit instead of USD 200,000. Existing cyber and war-risk insurance frameworks do not always clearly allocate loss arising from state-conducted electronic warfare. Whether GNSS spoofing-induced grounding in a conflict zone falls under a cyber policy, a war risk policy, or neither is not settled. Operators need to review their policies now, not after an incident. Cydome
  • Crew decision-making under hybrid threat conditions is untested. Masters and officers in the Gulf have been required to navigate vessels with unreliable GNSS, degraded communications, conflicting AIS data, and live threat advisories simultaneously. This is a scenario that no maritime training programme routinely exercises. The industry needs to develop training that reflects multi-domain hybrid threat conditions, not single-threat cyber or navigation failure exercises in isolation.

Regulatory and Institutional Implications

Existing cyber risk management guidance under IMO MSC-FAL.1/Circ.3 and IACS UR E26 was designed around the threat of criminal and state-sponsored cyber attack against vessel systems. The Hormuz crisis demonstrates a distinct threat category: state-conducted electronic warfare that degrades navigation infrastructure across an entire region simultaneously, without targeting any individual vessel’s systems. Current maritime cyber guidance does not yet provide specific operational doctrine for regional GNSS denial at state scale.

IMO’s Secretary-General has stated there is “no safe transit anywhere in the Strait of Hormuz” and the IMO Council has called for a halt to attacks on ships and urged member states to ensure the continuous provision of water, food, fuel, and other essentials to stranded ships. That institutional response, however necessary, addresses the humanitarian emergency. It does not yet address the longer-term question of how the regulatory framework must evolve to govern the intersection of electronic warfare and maritime safety. Infosecurity Magazine

NIS2’s mandatory incident reporting obligations and resilience requirements were designed for scenarios where state actors target or disrupt critical infrastructure. Maritime operators with EU exposure and Gulf operations should be documenting the cyber and electronic warfare dimensions of this crisis in their risk registers as they unfold.


The Hormuz crisis is one of the most consequential maritime security crises of the modern era. Its cyber and electronic warfare dimensions, coordinated GNSS manipulation affecting over 1,650 commercial vessels, AIS data integrity collapse across a major global shipping region, and a sustained Iranian cyber retaliation campaign targeting maritime-adjacent energy and logistics infrastructure, have demonstrated what maritime hybrid warfare looks like when executed at strategic scale against the world’s most critical energy chokepoint.

Iran’s retaliation strategy reflects a pre-planned, multi-domain framework designed to impose costs while preserving regime survivability, combining kinetic attacks, cyber disruption, proxy activation, and electronic warfare. This approach enables demonstration of resilience and sovereign defiance while maintaining escalation control and preserving bargaining leverage. Other state actors are watching and learning. The techniques deployed in the Gulf:

  • Regional GNSS denial
  • AIS integrity attacks
  • Pre-positioned cyber access in critical infrastructure
  • Coordinated hacktivist proxy operations

They are not specific to Iran. They are a transferable template. Security Council Report

The maritime industry needs to understand this template, build operational doctrine around it, and ensure that the vessels, systems, and people operating in and around any contested waterway are prepared for an environment in which the digital and physical worlds are not separate domains. They are the same battlefield.


Maritime Cyber Threat Briefing is an independent series covering cyber threats, vulnerabilities, and risk management across the global maritime industry. It is published by Alexandros Engelen, a Cybersecurity Strategist specializing in maritime cyber risk.

Sources: International Maritime Organization, UN News, CNN, Euronews, ABC News, gCaptain, GIS Resources, Polestar Global, Tradlinx/Citrini Research, Flashpoint, Tenable, SOCRadar® Extended Threat Intelligence, Industrial Cyber, HSToday, CSIS, National Maritime Foundation (NMF), U.S. Naval Institute News, Security Council Report, World Bank, Argus Media, CNBC, Lloyd’s List Intelligence.

No commercial relationship exists with any cited organization.