APT Hackers Target Maritime and Shipping Industry for Ransomware Attacks

The maritime sector, which facilitates approximately 90% of international trade, is facing an unprecedented surge in sophisticated cyberattacks from advanced persistent threat (APT) groups, ransomware operators, and hacktivists, driven by escalating geopolitical conflicts.

According to a recent Cyble intelligence report, over 100 such incidents have been documented in the past year, targeting shipping companies, ports, and logistics networks worldwide.

Pro-Palestinian hacktivists have exploited Automatic Identification System (AIS) data to disrupt Israeli-linked vessels, while Russian-affiliated actors have compromised European ports aiding Ukraine.

Chinese state-sponsored groups, meanwhile, have infiltrated classification societies responsible for certifying global fleets, employing advanced malware like ShadowPad and VELVETSHELL for persistent access and data exfiltration.

A notable March 2025 operation by the anti-Iranian group Lab Dookhtegan disrupted very small aperture terminal (VSAT) communications on 116 Iranian vessels, severing ship-to-ship and ship-to-port links amid U.S. military actions against Houthi rebels in Yemen.

This incident highlights the integration of cyber operations with kinetic warfare, where electronic interference such as GPS jamming and spoofing in chokepoints like the Persian Gulf and Strait of Hormuz compromises navigational integrity, increasing risks of collisions and operational failures in high-traffic zones.

Cyber Risks in Global Trade

APT groups have intensified their campaigns, with entities like China’s Mustang Panda deploying USB-based malware infections directly onto cargo ship systems in Norway, Greece, and the Netherlands, enabling industrial espionage and potential ransomware payloads.

Similarly, APT41 has utilized the DUSTTRAP framework for forensic evasion in attacks on logistics targets across the UK, Italy, Spain, Turkey, Taiwan, and Thailand, incorporating backdoors for long-term persistence.

Russian-linked APT28 has focused on NATO supply chains supporting Ukraine, while Crimson Sandstorm from Iran has targeted Mediterranean shipping routes.

Other actors, including Russia’s Turla/Tomiris and RedCurl, have employed infected USB drives for espionage in Asia-Pacific transportation networks, with RedCurl executing over 40 attacks on entities in Australia, Singapore, and Hong Kong.

The China-linked ChamelGang has further escalated threats by deploying ransomware against logistics firms, often exfiltrating sensitive data such as ship blueprints before encryption.

Dark web marketplaces have seen a proliferation of breached maritime data, including 1TB of internal files from a European defense contractor encompassing submarine source code, classified technical documents, and navy simulators offered on forums like DarkForums.

Similar leaks involve operational data from a European marine technology firm, including NMEA telegrams for engine control systems, and sensitive records from South American and Middle Eastern maritime authorities, exposing vulnerabilities such as offline surveillance and outdated firewalls.

U.S. port compromises have revealed SSL certificates, private keys, and login credentials, underscoring the sector’s exposure to supply chain attacks.

Critical Vulnerabilities

Vulnerabilities in maritime systems exacerbate these threats, with Cyble highlighting high-priority CVEs like CVE-2025-5777 and CVE-2025-6543 in Citrix NetScaler for ship-to-shore remote access, CVE-2025-52579 in Emerson ValveLink for marine control systems, and CVE-2024-2658 in Schneider Electric EcoStruxure for industrial automation.

Others include CVE-2024-20418 in Cisco URWB for port connectivity and legacy flaws in COBHAM SAILOR 900 VSAT web servers, potentially enabling remote code execution and denial-of-service attacks.

To counter these, Cyble advocates robust measures such as banning personal USB devices in operational zones, implementing network isolation via unidirectional gateways and VLANs for crane systems, and deploying RF shielding to block unauthorized transmissions.

Enhanced protocols include time-based access controls, geographic IP blocking during tensions, and blockchain-verified updates for electronic chart display and information systems (ECDIS).

Supply chain security demands disabling remote access on foreign-manufactured equipment, enforcing just-in-time vendor support, and requiring cryptographically signed software bills of materials (SBOMs).

Vulnerability management should prioritize CISA Known Exploited Vulnerabilities (KEV), network segmentation between IT and operational technology (OT), and maritime-specific incident response drills simulating APT and ransomware scenarios.
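The KEV-first prioritization described above, as an added example that is not part of Cyble's report or of this article: a small Python script that reads a document in the shape of the CISA Known Exploited Vulnerabilities JSON feed, joins it against scan findings from a hypothetical vessel and port estate, and ranks what to patch first. The KEV excerpt and the findings are constructed for the example (the CVE IDs are the ones the article names, but their KEV entries, due dates and ransomware flags here are illustrative, not copied from the catalog), and the scoring weights for KEV membership, overdue remediation, ransomware use and OT placement are assumptions a team would tune.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV catalog feed
# (fields: cveID, vendorProject, product, dateAdded, dueDate,
# knownRansomwareCampaignUse). Values are illustrative only.
KEV_JSON = json.dumps({
    "title": "constructed KEV excerpt for the example",
    "vulnerabilities": [
        {"cveID": "CVE-2025-5777", "vendorProject": "Citrix",
         "product": "NetScaler ADC and Gateway", "dateAdded": "2025-07-10",
         "dueDate": "2025-07-11", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-6543", "vendorProject": "Citrix",
         "product": "NetScaler ADC and Gateway", "dateAdded": "2025-06-30",
         "dueDate": "2025-07-21", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-20418", "vendorProject": "Cisco",
         "product": "Ultra-Reliable Wireless Backhaul", "dateAdded": "2025-08-06",
         "dueDate": "2025-08-20", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed scan findings: asset name, IT/OT zone, CVE detected.
FINDINGS = [
    {"asset": "shore-gw-01", "zone": "IT", "cve": "CVE-2025-5777"},
    {"asset": "valvelink-eng-01", "zone": "OT", "cve": "CVE-2025-52579"},
    {"asset": "ecostruxure-plc-02", "zone": "OT", "cve": "CVE-2024-2658"},
    {"asset": "urwb-ap-07", "zone": "OT", "cve": "CVE-2024-20418"},
    {"asset": "shore-gw-01", "zone": "IT", "cve": "CVE-2025-6543"},
]

# Assumed weights: KEV membership dominates; overdue KEV items and known
# ransomware use add urgency; OT placement breaks ties toward the ship side.
W_KEV, W_OVERDUE, W_RANSOMWARE, W_OT = 50, 20, 20, 10


def load_kev(text):
    """Index a KEV-format JSON document by CVE ID."""
    data = json.loads(text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def score_finding(finding, kev, today):
    """Return (score, reasons) for one finding; higher score = patch first."""
    score, reasons = 0, []
    entry = kev.get(finding["cve"])
    if entry is not None:
        score += W_KEV
        reasons.append("listed in KEV")
        due = date.fromisoformat(entry["dueDate"])
        if today > due:
            score += W_OVERDUE
            reasons.append(f"KEV due date {due.isoformat()} passed")
        if entry.get("knownRansomwareCampaignUse") == "Known":
            score += W_RANSOMWARE
            reasons.append("known ransomware campaign use")
    if finding["zone"] == "OT":
        score += W_OT
        reasons.append("OT zone")
    return score, reasons


def prioritize(findings, kev, today_iso):
    """Rank findings by descending score, then asset name (stable for ties)."""
    today = date.fromisoformat(today_iso)
    ranked = []
    for f in findings:
        s, r = score_finding(f, kev, today)
        ranked.append({**f, "score": s, "reasons": r})
    ranked.sort(key=lambda x: (-x["score"], x["asset"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(FINDINGS, load_kev(KEV_JSON), "2025-08-01"):
        print(f'{row["score"]:3d} {row["asset"]:20s} {row["cve"]:15s} '
              f'{"; ".join(row["reasons"])}')
```

Run against the real feed by replacing `KEV_JSON` with the downloaded catalog text; findings that are not in KEV still surface through the OT weight, so the OT/IT segmentation the paragraph calls for needs to be reflected in the asset inventory for the ranking to mean anything.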

Access controls must eliminate default credentials, mandate multi-factor authentication, and align with regulations like IACS UR E26/E27 and the NIS2 Directive to safeguard global trade flows.
