Documented Incidents

Maritime Cyber Attacks Are Not Hypothetical

Real incidents. Real vessels. Real operational consequences.

Vessels have been grounded by GPS spoofing, crippled by malware introduced through USB sticks, and stranded in ports shut down by ransomware. These are not theoretical risks from security conference presentations. They are documented incidents that affected real vessels, real cargo, and real operations. Maritime cyber incidents rose 103% in 2025 compared to 2024, and attacks on operational technology systems are up 150%.

Category 1

Direct Attacks on Vessels and Onboard Systems

These incidents involved malware, unauthorised access, or deliberate compromise of systems physically located on board vessels. The attack surface includes navigation systems, engine controls, cargo management, and crew communications.

USCG Marine Safety Alert - Deep Draft Vessel Malware

February 2019 | Port of New York / New Jersey | Onboard malware

The US Coast Guard issued Marine Safety Alert 06-19 after a deep draft vessel arriving at the Port of New York reported that its shipboard computer network had been "significantly degraded" by malware. The investigation found that the malware had severely disrupted onboard systems, though it had not affected vessel control systems. The USCG noted that the vessel operated without effective cybersecurity measures - most crew members used the same login credentials, there were no antivirus protections, and critical control systems shared the network with general-purpose crew computers. This incident directly prompted the USCG to accelerate maritime cybersecurity rulemaking.

Ferry "Fantastic" - OT System RAT Infection

December 2025 | Operational Technology compromise | Remote Access Trojan

A Remote Access Trojan (RAT) was discovered on the operational technology systems of the ferry "Fantastic." Unlike typical IT-focused attacks, this malware had penetrated systems responsible for vessel operations rather than administrative functions. RAT infections on OT systems are particularly dangerous because they give attackers persistent, hidden access to systems that control physical processes - propulsion, steering, ballast, and safety systems. The incident highlighted the ongoing vulnerability of vessel OT networks that are often poorly segmented from IT systems.

Naval Dome Live Penetration Test

2018 | Controlled demonstration on live vessel | Full vessel compromise

Israeli cybersecurity firm Naval Dome conducted a live penetration test on a vessel's systems that demonstrated the severity of maritime cyber vulnerabilities. Starting with a single phishing email sent to the captain, the testers were able to shift the vessel's reported GPS position, mislead the radar display with false targets, disable machinery monitoring systems, and override fuel and ballast pump controls. Every system was compromised through a single initial access point. The test demonstrated that vessel cyber attacks are not just a data confidentiality issue - they can directly affect the physical safety of the ship, its crew, and its cargo.

USB-Borne Malware - The Primary Infection Vector

Ongoing | Industry-wide | Persistent threat

Industry data consistently shows that approximately 60% of vessel cyber incidents involve malware, and 77% of that malware arrives via infected USB storage devices. Crew members, service engineers, port officials, and surveyors routinely connect USB devices to vessel systems for chart updates, software patches, data transfers, and personal use. Many vessel systems lack USB port controls, endpoint protection, or any form of removable media policy enforcement. The problem is compounded by the fact that critical systems such as ECDIS often require USB-based updates, making a complete USB ban impractical without alternative update mechanisms.

ECDIS Vulnerability - Legacy Operating Systems

Ongoing | Industry-wide | Systemic vulnerability

The majority of Electronic Chart Display and Information Systems (ECDIS) in service still run on Windows XP or Windows NT - operating systems that have not received security patches for years. These systems are trivially compromised by known exploits that are freely available online. ECDIS is the primary navigation tool on modern vessels, and its compromise can result in incorrect chart data, false position plotting, or complete navigation failure. The maritime industry's slow hardware refresh cycle means vessels regularly operate with navigation-critical systems that would be considered unacceptably insecure in any other industry.

Iranian Vessel Communications Attack

2025 | 180 vessels affected | Communications paralysed

In 2025, a coordinated cyber attack paralysed the communications systems of approximately 180 Iranian-linked vessels in two distinct waves. The vessels lost the ability to communicate with shore-based operations, port authorities, and each other. The attack demonstrated that vessel communications infrastructure - satellite terminals, VSAT systems, and fleet management platforms - represents a critical single point of failure that can be exploited to effectively blind an entire fleet simultaneously.

Category 2

GPS Spoofing Attacks on Vessels

GPS spoofing transmits false satellite signals to make vessel navigation systems report incorrect positions, speeds, or headings. Unlike jamming (which causes a visible loss of signal), spoofing silently feeds false data that the crew may not detect until the vessel is in danger. GPS spoofing incidents affecting maritime traffic have escalated from isolated events to a persistent, widespread threat.
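A cross-check against the silent false data described above, as an added example (not from the original page or any vendor's product): each GNSS fix is compared with a dead-reckoned position built from gyro heading and speed log, which false satellite signals do not alter. The track coordinates, the `Fix` fields, the `check_track` name, and the tolerance values are constructed assumptions, not real locations or standards.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

@dataclass
class Fix:
    t: float        # seconds since start of track
    lat: float      # GNSS latitude, degrees
    lon: float      # GNSS longitude, degrees
    heading: float  # gyro heading, degrees true (independent of GNSS)
    log_kn: float   # speed log reading, knots (independent of GNSS)

def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))

def advance(lat, lon, heading, dist_nm):
    """Dead-reckon: move dist_nm along heading from (lat, lon)."""
    p1, l1 = math.radians(lat), math.radians(lon)
    brg, d = math.radians(heading), dist_nm / EARTH_RADIUS_NM
    p2 = math.asin(math.sin(p1) * math.cos(d) + math.cos(p1) * math.sin(d) * math.cos(brg))
    l2 = l1 + math.atan2(math.sin(brg) * math.sin(d) * math.cos(p1),
                         math.cos(d) - math.sin(p1) * math.sin(p2))
    return math.degrees(p2), math.degrees(l2)

def check_track(fixes, base_tol_nm=0.2, drift_kn=2.0):
    """Return (t, error_nm, tolerance_nm) for each GNSS fix that disagrees
    with dead reckoning. Both thresholds are illustrative assumptions."""
    alerts = []
    dr_lat, dr_lon = fixes[0].lat, fixes[0].lon  # first fix is taken as trusted
    trusted_t, prev = fixes[0].t, fixes[0]
    for fix in fixes[1:]:
        dt_h = (fix.t - prev.t) / 3600.0
        dr_lat, dr_lon = advance(dr_lat, dr_lon, prev.heading, prev.log_kn * dt_h)
        err = distance_nm(dr_lat, dr_lon, fix.lat, fix.lon)
        # Allow for current and leeway: tolerance grows while running on DR alone.
        tol = base_tol_nm + drift_kn * (fix.t - trusted_t) / 3600.0
        if err > tol:
            alerts.append((fix.t, round(err, 2), round(tol, 2)))  # keep DR, distrust GNSS
        else:
            dr_lat, dr_lon, trusted_t = fix.lat, fix.lon, fix.t   # re-anchor on GNSS
        prev = fix
    return alerts

# Constructed track: 12 kn due east, one fix per minute; the fixes at
# t=180 and t=240 report a position about 18 nm to the north.
SAMPLE_TRACK = [
    Fix(0,   44.0000, 37.0000, 90.0, 12.0),
    Fix(60,  44.0000, 37.0046, 90.0, 12.0),
    Fix(120, 44.0000, 37.0093, 90.0, 12.0),
    Fix(180, 44.3000, 37.0000, 90.0, 12.0),
    Fix(240, 44.3000, 37.0000, 90.0, 12.0),
    Fix(300, 44.0000, 37.0232, 90.0, 12.0),
]

if __name__ == "__main__":
    for t, err, tol in check_track(SAMPLE_TRACK):
        print(f"t={t}s: GNSS is {err} nm from dead reckoning (tolerance {tol} nm)")
```

Because the dead-reckoned position is not re-anchored on a rejected fix, a sustained false position keeps raising alerts until GNSS and dead reckoning agree again.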

Black Sea Mass Spoofing

June 2017 | Black Sea, off Novorossiysk | 20+ vessels affected

More than 20 vessels in the Black Sea simultaneously reported GPS positions that placed them at Gelendzhik Airport, over 30 kilometres inland. The master of one affected vessel reported that his GPS showed the ship's position deep inside Russian territory while the vessel was clearly at sea. This was the first publicly documented large-scale GPS spoofing event affecting commercial shipping and demonstrated that spoofing could affect multiple vessels simultaneously across a wide area.

Shanghai / Huangpu River Spoofing

2019-2020 | Shanghai, China | Hundreds of vessels

Hundreds of vessels transiting the Huangpu River and the Port of Shanghai experienced GPS spoofing that caused their AIS positions to jump erratically, sometimes forming circular patterns. Research by the Center for Advanced Defense Studies documented the phenomenon extensively. The spoofing appeared to affect specific areas near port facilities and continued intermittently over an extended period. The cause was not publicly attributed, but the pattern suggested a localised source rather than wide-area military activity.

Eastern Mediterranean Spoofing

2023-2024 | Eastern Mediterranean | 117 ships simultaneously

GPS spoofing in the Eastern Mediterranean reached a scale where 117 ships were simultaneously showing false positions at Beirut-Rafic Hariri International Airport. Vessels in transit through one of the world's busiest shipping corridors found their navigation systems reporting positions kilometres from their actual locations. The spoofing was linked to broader GPS interference in the region associated with military operations, but commercial vessels bore the operational consequences regardless of the intended target.

Persian Gulf Disruption

2025 | Strait of Hormuz region | 3,000 vessels in 2 weeks

In 2025, GPS spoofing and jamming in the Persian Gulf region disrupted navigation for approximately 3,000 vessels over a two-week period. The Strait of Hormuz, through which roughly 20% of the world's oil passes, became an area of persistent navigation uncertainty. Vessels were forced to increase reliance on radar, visual navigation, and manual position fixing - skills that modern bridge crews, trained primarily on electronic navigation, may not maintain to the required standard.

MSC Antonia Grounding

May 2025 | 7,000 TEU container ship | Vessel grounded

The 7,000 TEU container ship MSC Antonia ran aground, with GPS spoofing identified as a contributing factor to the incident. While groundings have multiple causes including human factors and environmental conditions, the MSC Antonia case represented a concrete example of GPS spoofing contributing to a major maritime casualty involving a large commercial vessel. The incident underlined that GPS spoofing is not merely an inconvenience - it can lead to physical damage, environmental risk, and significant financial loss.

The Scale of GPS Disruption

Current | Global | ~1,000 incidents per day

Current monitoring data shows approximately 1,000 GPS disruption incidents per day affecting more than 40,000 vessels globally. This figure includes both jamming (signal denial) and spoofing (false signal injection). What was once a rare and noteworthy event has become a daily operational reality for commercial shipping. Vessels operating in the Eastern Mediterranean, Black Sea, Persian Gulf, and parts of the South China Sea face near-continuous GPS interference that degrades the reliability of electronic navigation systems.

Category 3

Supply Chain and Software Attacks Affecting Vessels

Modern vessels depend on shore-based software platforms for fleet management, maintenance planning, regulatory compliance, and operational data. When these platforms are compromised, the operational impact reaches every vessel in the fleet.

DNV ShipManager Ransomware

January 2023 | 1,000 vessels affected | Fleet management shutdown

DNV, one of the world's largest maritime classification societies, suffered a ransomware attack on its ShipManager software platform. Approximately 1,000 vessels across 70 operators were affected when DNV was forced to shut down the platform's servers. ShipManager handles fleet operations including maintenance management, procurement, crew management, and quality and health/safety systems. While the attack did not directly compromise onboard systems, vessels lost access to their fleet management platform, disrupting maintenance planning, regulatory documentation, and operational workflows. The incident demonstrated that vessel operations have become deeply dependent on shore-based software supply chains, and that a single attack on a widely-used platform can affect an entire segment of the global fleet.

Category 4

Port and Terminal Attacks That Trapped Vessels

When port operational technology goes down, vessels cannot load, discharge, or transit. Port cyber attacks have a direct and immediate impact on vessel operations even though the attack target is ashore.

Port of Nagoya Ransomware

July 2023 | Japan's largest port | All operations suspended 2.5 days

The Port of Nagoya, which handles approximately 10% of Japan's total trade volume, was hit by LockBit ransomware that forced the suspension of all container terminal operations for two and a half days. The Nagoya United Container Terminal System, which manages the movement of containers in and out of the port, was completely disabled. Vessels waiting to load or discharge cargo were held in port or diverted. The attack affected Toyota's supply chain, as the automaker ships a significant portion of its exports through Nagoya. The port resumed operations only after rebuilding affected systems.

DP World Australia

November 2023 | Australia | 30,000 containers stranded

A cyber attack on DP World Australia, which operates container terminals in Sydney, Melbourne, Brisbane, and Fremantle, forced the company to disconnect its systems from the internet to contain the breach. The disconnection halted container movements at ports handling approximately 40% of Australia's container imports. Around 30,000 containers were stranded, with vessels unable to discharge cargo. Normal operations took days to restore, and the incident caused weeks of supply chain disruption as the backlog was cleared.

Shahid Rajaee Port, Iran

May 2020 | Iran | Vessel flow completely disrupted

A state-sponsored cyber attack targeted the Shahid Rajaee Port near Bandar Abbas, Iran's busiest container port. The attack disrupted the port's computer systems controlling vessel traffic, creating a backlog of ships waiting to enter the port and causing chaos in the movement of cargo. Satellite imagery showed vessels queuing in the approaches while the port struggled to restore operations. The attack was widely attributed to state-level actors, demonstrating that port infrastructure is a target in geopolitical conflicts, with commercial vessel operators caught in the middle.

MTSA Facility Ryuk Ransomware

December 2019 | United States | Operational systems disabled

The US Coast Guard issued Marine Safety Information Bulletin 20-02 after a Maritime Transportation Security Act (MTSA) regulated facility was hit by Ryuk ransomware. The attack disabled CCTV surveillance, physical access control systems, and critical process control monitoring equipment. The facility's entire operational technology environment was compromised through a phishing email that led to ransomware deployment. The incident forced the facility to operate with degraded security and monitoring capabilities for over 30 hours while systems were restored.

Category 5

Shore-Side Corporate Attacks With Vessel Operational Impact

The following incidents were corporate IT attacks that originated in shore-side office networks. They are not vessel cyber attacks. However, they are included here because they disrupted vessel operations - booking systems, terminal management, and fleet coordination - demonstrating how shore-side IT failures cascade to vessel-level consequences.

Shore-side corporate attack

Maersk - NotPetya

June 2017 | $300 million estimated cost | Global operations disrupted

The NotPetya malware struck Maersk's corporate IT infrastructure through a compromised Ukrainian accounting software update. This was an office-based IT attack, not a vessel cyber attack. However, the impact cascaded to vessel operations because Maersk's booking systems, terminal operating systems, and communications infrastructure were all affected. The company lost access to its global network for approximately two weeks, forcing vessel scheduling to be managed manually and disrupting port terminal operations worldwide. Maersk estimated the total cost at approximately $300 million. The incident remains the most cited maritime cyber event, but it is important to understand that it was a corporate IT attack that affected vessel operations through business system dependencies, not through any compromise of onboard vessel systems.

Shore-side corporate attack

COSCO Shipping

July 2018 | Corporate IT compromise

COSCO Shipping's US operations were disrupted by a ransomware attack that affected email, telephone, and network connectivity at its Americas headquarters. The attack did not reach vessel systems but disrupted booking and documentation processes for vessels calling at US ports. COSCO isolated its Americas network from its global operations to prevent spread.

Shore-side corporate attack

Mediterranean Shipping Company (MSC)

April 2020 | Corporate IT compromise

MSC's Geneva headquarters suffered a malware attack that brought down its website and disrupted booking and cargo tracking systems for several days. Container booking and release processes were affected, impacting vessel loading schedules. The attack was contained to shore-side systems and did not affect vessel operations directly, but the disruption to commercial and logistics platforms had downstream effects on vessel utilisation and port scheduling.

Shore-side corporate attack

CMA CGM

September 2020 | Ragnar Locker ransomware

CMA CGM, the world's fourth-largest container shipping line, was hit by Ragnar Locker ransomware that encrypted data across its corporate network. The company was forced to shut down its online booking platform and customer-facing systems. Vessel operations continued but with degraded commercial support - bookings were processed manually, and cargo tracking was unavailable. The attack demonstrated that even the largest shipping operators remain vulnerable to corporate ransomware, and that the commercial systems vessels depend on for cargo operations are part of the vessel's extended attack surface.

+103% Maritime cyber incidents 2025 vs 2024
+150% OT cyberattacks increase in 2025
$550K Average attack cost (up from $182K in 2022)
$3.2M Average ransom demand (up 350% YoY)

The Numbers

Industry Spending vs. Threat Reality

The gap between the maritime industry's cyber threat exposure and its investment in cyber defence is stark. While attack costs have tripled in three years and ransom demands have risen 350% year over year, the industry's response has been slow.

Spending

54% of ship operators spend less than $100,000 per year on cybersecurity. For context, the average cost of a single maritime cyber incident is now $550,000 - meaning one successful attack costs more than five years of the typical operator's entire cyber budget. The average ransom demand in maritime has reached $3.2 million, a figure that dwarfs most operators' annual security investment.

The OT gap

Maritime operational technology attacks increased 150% in 2025. OT systems - the systems that control navigation, propulsion, cargo handling, and safety equipment - were historically considered safe because they were isolated from the internet. That isolation has eroded as vessels have become increasingly connected through satellite broadband, fleet management platforms, and remote monitoring systems. The same connectivity that enables efficient fleet operations creates pathways for attackers to reach systems that directly affect vessel safety.

The USB problem

The single most common malware delivery mechanism on vessels is the USB stick. Service engineers bring them aboard for software updates. Crew use them for personal entertainment. Surveyors transfer inspection data. Port agents deliver documentation. Each connection is an uncontrolled introduction of external data to vessel systems. Without endpoint protection, USB port controls, or effective removable media policies, every USB insertion is a potential infection vector.

Insurance Implications

Cyber Coverage Gaps in Maritime Insurance

The insurance landscape for maritime cyber risk has shifted significantly, and many vessel operators are exposed without knowing it.

Lloyd's state-backed attack exclusions

In August 2022, Lloyd's of London directed all syndicate members to include exclusion clauses for state-backed cyber attacks in all standalone cyber policies, effective from March 2023. For the maritime sector specifically, this manifests through clauses LMA5402 and LMA5403, which are marine-specific war and cyber exclusion clauses. These exclusions mean that cyber attacks attributed to - or suspected of being backed by - nation states may not be covered by standard marine insurance policies.

This is particularly relevant to the maritime sector because several of the most significant incidents documented above - the Shahid Rajaee port attack, GPS spoofing in the Black Sea and Eastern Mediterranean, and the Iranian vessel communications attack - have been linked to state-level actors. Vessel operators in these regions face the dual risk of elevated threat levels and reduced insurance coverage for the most likely attack scenarios.

The NotPetya precedent

The legal implications of cyber/war exclusions were tested in the case of Mondelez International vs. Zurich American Insurance. Zurich denied Mondelez's $100 million NotPetya claim under a war exclusion clause, arguing that NotPetya was a Russian state-sponsored attack and therefore an act of war. The case eventually settled, but it established that insurers will invoke war exclusions for state-attributed cyber attacks. Maritime operators should assume their insurers will do the same.

The knowledge gap

66% of maritime operators do not know whether their insurance policies cover cyber incidents. This figure should alarm both operators and their insurers. A vessel operator who cannot answer the question "does my insurance cover a ransomware attack on my fleet management system?" or "am I covered if GPS spoofing contributes to a grounding?" is carrying risk they have not quantified. Given that average attack costs now exceed $550,000 and ransom demands average $3.2 million, an uninsured cyber incident can be financially devastating for smaller operators.

What operators should do

These Incidents Are Why Cyber Resilience Matters

Every incident on this page was preventable or its impact could have been reduced with proper cyber security controls, network segmentation, endpoint protection, and crew awareness. NCoDE Command provides integrated cyber security and compliance management built into the vessel - not bolted on as an afterthought. From USB device control and network monitoring to incident response workflows and audit-ready evidence, it addresses the attack vectors that these real incidents exploited.
