Ports are getting smarter and more hackable
A new policy brief from NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) warns that critical port infrastructure, responsible for 80 percent of global trade, is increasingly under attack by threat actors tied to Russia, Iran, and China.
These ports are essential to national economies and serve as key hubs in NATO’s logistics network. Many remain under civilian control with limited integration into military cybersecurity strategies, leaving serious gaps in defence coordination.
The CCDCOE’s findings draw from a multi-country survey and recent threat intelligence. The data shows a consistent pattern of cyber attacks across regions, with access control systems and vessel traffic management systems most often targeted. DoS attacks, data breaches, ransomware, and phishing campaigns are common. Some incidents have already caused significant disruption to maritime logistics and operations.
Maritime port cyber attacks worldwide escalate
The 2017 NotPetya attack, linked to Russian military intelligence, caused hundreds of millions in damage across shipping companies and ports. It remains a cautionary example of how interconnected IT and OT systems can spread damage far beyond the original target.
State-sponsored groups continue to exploit those same weaknesses. Russia’s APT28 (Fancy Bear), Iran’s APT35 (Charming Kitten), and China’s Mustang Panda have each been linked to operations targeting maritime infrastructure, using tactics that range from ransomware to surveillance and disruption campaigns.
While nation-state actors dominate the threat landscape, they are not alone. Financially motivated cybercriminals have also hit ports hard. In 2022, ransomware attacks disrupted oil terminals in Belgium, Germany, and the Netherlands, forcing rerouting of fuel supplies. Some of these attacks have been linked to groups like BlackCat and Conti, which have ties to state sponsors.
Hacktivists, especially pro-Russian groups like NoName057, add another layer. These groups have carried out coordinated DDoS attacks on ports in the United Kingdom, the Netherlands, and Poland. Though these attacks may not cause long-term damage, they can disrupt operations and strain resources. The group uses a crowdsourced botnet called DDoSia to carry out its campaigns, sometimes offering financial incentives to participants.
The civil-military gap
A major concern raised in the brief is the disconnect between military and civilian cyber defence responsibilities. Most ports are commercially operated, yet they serve military logistics functions, making them attractive hybrid warfare targets.
Despite this, NATO’s current Alliance Maritime Strategy, last updated in 2011, does not adequately account for cyber threats or include formal coordination mechanisms with commercial port operators. The brief calls for a comprehensive update that addresses this gap and includes cyber response protocols.
What needs to happen
The authors recommend several steps to shore up maritime cyber defences. These include:
- Updating NATO’s maritime strategy to integrate cyber defence
- Establishing liaison roles to link NATO commands with national port cybersecurity authorities
- Creating structured intelligence-sharing networks tailored to maritime threats
- Developing international working groups under the International Maritime Organization to standardise cybersecurity practices across ports
Exercises like NATO’s Locked Shields, a live-fire cyber defence event, are highlighted as valuable opportunities to test and improve cooperation between military and civilian entities under real-time attack scenarios.