Maritime
Breach intelligence, attack campaigns, and threat reports targeting the Maritime sector.
Maritime Threat Reports
Unveiling Cyber-Enabled Maritime Sanctions Evasion Tactics in 2026
In 2026, Iranian and Russian shadow fleet vessels, together with several sanctions evasion networks (SENs), used more than 36 inauthentic websites that impersonated maritime authorities and industry organizations. The sites issued false documents and certificates, reproducing key layers of the maritime compliance stack so that sanctioned entities could present themselves as credible maritime organizations. Counterparties that relied on those documents faced a higher risk of due diligence failures and regulatory exposure. The tactic shows how far sanctions evasion has moved online: maritime and shipping organizations need to verify registries and certificates through the issuing authority's genuine channel rather than through a link supplied in the submitted document, and to feed cyber threat intelligence on fraudulent online infrastructure into their compliance workflows.
2 weeks ago
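A first-pass check a compliance workflow can run on any domain found in a submitted certificate or registry link, flagging names that merely resemble a known authority. This is an added example for this page, not tooling from the report's authors; the TRUSTED_DOMAINS allowlist is a constructed placeholder, and the registrable-domain logic is deliberately simple (a real deployment would use the public suffix list and the authority domains it actually relies on).

```python
"""Lookalike-domain check for maritime authority impersonation.

Added example for this page, not tooling from the report's authors.
TRUSTED_DOMAINS is a constructed placeholder allowlist; a real deployment
loads the flag-state, class-society and port-authority domains the
compliance team relies on and uses the public suffix list instead of the
two-label shortcut in registrable().
"""

TRUSTED_DOMAINS = {  # constructed placeholders
    "flagregistry-example.org",
    "classsociety-example.com",
    "portauthority-example.gov",
}

# ASCII sequences that read alike in an address bar or a PDF footer; each
# fake is folded to its look-alike before comparison.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Lower-case, drop trailing dot and leading www., fold confusables."""
    d = domain.strip().lower().rstrip(".").removeprefix("www.")
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def registrable(domain: str) -> str:
    """Last two labels (crude stand-in for a public-suffix-list lookup)."""
    return ".".join(domain.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> tuple:
    """Return (verdict, reason).

    'trusted'   exact allowlist hit
    'lookalike' resembles an allowlisted authority: block and escalate
    'unknown'   no resemblance; still needs independent verification
    """
    raw = domain.strip().lower().rstrip(".").removeprefix("www.")
    if raw in TRUSTED_DOMAINS:
        return ("trusted", "allowlist")
    if any(ord(c) > 127 for c in raw):
        # Internationalized labels are the classic homoglyph vector.
        return ("lookalike", "non_ascii_label")
    cand = normalize(raw)
    cand_reg = registrable(cand)
    for trusted in sorted(TRUSTED_DOMAINS):
        t = normalize(trusted)
        t_reg = registrable(t)
        if cand == t:                                      # f1agregistry -> flagregistry
            return ("lookalike", f"confusable_chars:{trusted}")
        if t in cand:                                      # authority.org.verify-cert.net
            return ("lookalike", f"embedded:{trusted}")
        if cand_reg.split(".")[0] == t_reg.split(".")[0]:  # same name, other TLD
            return ("lookalike", f"suffix_swap:{trusted}")
        if levenshtein(cand_reg, t_reg) <= 2:              # one or two typos
            return ("lookalike", f"edit_distance:{trusted}")
    return ("unknown", "none")


if __name__ == "__main__":
    for d in ["flagregistry-example.org", "f1agregistry-example.org",
              "flagregistry-example.org.verify-cert.net",
              "portauthorlty-example.gov", "unrelated-shipping.example"]:
        print(d, *classify(d))
```

An 'unknown' verdict is not a pass: it only means the domain does not imitate an allowlisted authority, and the document it came from still has to be confirmed with the issuer out of band.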
China-Linked Cyber Espionage Escalates in Latin America: A 2026 Overview
In early 2026, China-linked cyber espionage groups, notably FamousSparrow and NegativeGlimmer, intensified operations against Latin American nations, including Venezuela and Panama. The groups infiltrated government agencies to collect intelligence on maritime shipping, oil production and other strategic sectors, gaining entry by exploiting unpatched servers and maintaining access with custom malware. The surge tracks rising geopolitical tension in the region, with state-sponsored actors using cyber operations to advance national interests. The tradecraft described points to two concrete controls: closing patch latency on exposed servers, and hunting for the persistence mechanisms custom implants leave behind.
3 weeks ago
Critical Vulnerability in NAVTOR NavBox Exposes Maritime Operational Data
In March 2026, a critical vulnerability (CVE-2026-2754) was disclosed in NAVTOR NavBox version 4.12.0.3, a maritime connectivity device widely used to manage navigation data and ship-shore communications. The flaw let unauthenticated remote attackers read sensitive configuration and operational data through HTTP API endpoints exposed on TCP port 8080. Exploitation could disclose internal network parameters, including ECDIS and OT information, device identifiers and service status logs, information that supports follow-on attacks against bridge and OT systems. Operators should confirm that the NavBox's port 8080 API is reachable only from the management segment, not from crew, passenger or shore-facing networks, and follow the vendor's remediation guidance. The case is typical of the maritime industry's growing exposure as operational technology becomes interconnected: connectivity gateways sit between ship and shore and need regular vulnerability assessment like any other internet-adjacent system.
3 weeks ago
MacGregor VDR G4e Vulnerabilities Highlight Maritime Cybersecurity Challenges
In May 2026, multiple critical vulnerabilities were disclosed in the MacGregor Voyage Data Recorder (VDR) G4e, the device that records a vessel's navigational and operational data for incident investigation. The weaknesses, default and hard-coded credentials, insufficiently protected passwords and improper access controls, could let an unauthorized attacker obtain administrator access to the device and then read, alter or delete recorded data, undermining both maritime safety and any later investigation. Hard-coded credentials cannot be rotated by the operator, so until a firmware fix is available the compensating control is to keep the VDR's administrative interfaces unreachable from anything but the bridge management network and to log access to them. The case illustrates the wider challenge: as vessels integrate networked systems, the attack surface grows, and safety-critical recorders need the same scrutiny as IT assets.
3 weeks ago
Escalation of Iranian Cyber Attacks Post-2026 Military Strikes
Following the joint U.S.-Israeli military strikes on February 28, 2026, Iranian-affiliated cyber actors intensified operations against U.S. critical infrastructure. The tradecraft is commodity but effective: brute force attacks, password spraying and exploitation of unpatched vulnerabilities, aimed at disrupting services and exfiltrating sensitive data. Energy, defense and public health organizations reported increased intrusion attempts, some leading to operational disruption and data breaches. Password spraying in particular defeats per-account lockout by trying one or two passwords against many accounts, so detection has to count distinct accounts per source rather than failures per account. The escalation shows that Iranian state-sponsored and aligned groups keep operating during kinetic engagements; with further retaliatory operations likely, organizations should enforce multi-factor authentication on every externally reachable login and patch internet-facing systems, or expect significant operational and reputational impact.
3 months ago
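Detection logic for the two credential-attack patterns the advisory names, run over constructed authentication log lines. It is an added example for this page, not part of the advisory: the log format, the addresses and the account names in SAMPLE_LOG are made up, and the thresholds are starting points to tune per environment.

```python
"""Password-spray and brute-force detection over authentication log lines.

Added example for this page, not part of the advisory. The log format, the
addresses and the account names in SAMPLE_LOG are constructed; adapt LINE_RE
to the IdP, VPN or RDP gateway you actually collect from.
"""
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)
Event = namedtuple("Event", "ts src user ok")

# Constructed sample: one spraying source, one benign user, one brute-forcer.
SAMPLE_LOG = (
    "2026-03-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL\n"
    "2026-03-01T10:00:09Z src=203.0.113.7 user=bob result=FAIL\n"
    "2026-03-01T10:00:17Z src=203.0.113.7 user=carol result=FAIL\n"
    "2026-03-01T10:00:25Z src=203.0.113.7 user=dave result=FAIL\n"
    "2026-03-01T10:00:33Z src=203.0.113.7 user=erin result=FAIL\n"
    "2026-03-01T10:00:41Z src=203.0.113.7 user=frank result=FAIL\n"
    "2026-03-01T10:01:02Z src=203.0.113.7 user=frank result=OK\n"
    "2026-03-01T10:03:00Z src=192.0.2.5 user=bob result=FAIL\n"
    "2026-03-01T10:03:20Z src=192.0.2.5 user=bob result=OK\n"
) + "".join(
    f"2026-03-01T10:05:{s:02d}Z src=198.51.100.23 user=admin result=FAIL\n" for s in range(0, 48, 4)
)


def parse(lines):
    """Parse log lines into Events sorted by time; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
        events.append(Event(ts, m["src"], m["user"], m["result"] == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect(events, window_s=600, spray_min_users=5, spray_max_per_user=2, brute_min_attempts=10):
    """Return a sorted list of (kind, src, detail) alerts.

    password_spray: within one window a source fails against many distinct
        accounts but only a few times each, so per-account lockout never fires.
    brute_force: a source hammers a single account.
    success_after_spray: a spraying source later authenticates; that account
        is the likely compromised credential and should be reset first.
    """
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    for src, evs in sorted(by_src.items()):
        fails = [e for e in evs if not e.ok]
        spray_users, spray_end, brute = 0, None, None
        i = 0
        for j in range(len(fails)):
            while fails[j].ts - fails[i].ts > window_s:  # slide the window start forward
                i += 1
            per_user = Counter(e.user for e in fails[i:j + 1])
            top_user, top_n = per_user.most_common(1)[0]
            if len(per_user) >= spray_min_users and top_n <= spray_max_per_user:
                spray_users, spray_end = max(spray_users, len(per_user)), fails[j].ts
            if top_n >= brute_min_attempts and (brute is None or top_n > brute[1]):
                brute = (top_user, top_n)
        if spray_users:
            alerts.append(("password_spray", src, f"{spray_users} accounts"))
            alerts.extend(("success_after_spray", src, e.user)
                          for e in evs if e.ok and e.ts >= spray_end)
        if brute:
            alerts.append(("brute_force", src, f"{brute[0]} x{brute[1]}"))
    return sorted(alerts)


def analyze(log_text: str):
    """Convenience wrapper: raw log text in, alerts out."""
    return detect(parse(log_text.splitlines()))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

The spray rule keys on distinct accounts per source inside a sliding window, which is exactly the dimension a per-account lockout policy ignores; the success_after_spray alert is the one to act on first, because it names the credential that worked.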
MuddyWater's Operation Olalampo: A New Era of Cyber Threats in MENA
In early 2026, the Iranian state-sponsored APT group MuddyWater ran 'Operation Olalampo' against organizations across the Middle East and North Africa (MENA). The campaign used spear-phishing emails carrying malicious Microsoft Office documents to deploy new malware families, GhostFetch, HTTP_VIP, CHAR and GhostBackDoor, which gave the operators system reconnaissance, remote command execution and data exfiltration against telecommunications, government and energy targets. The notable evolution is in tooling: Rust-based malware and AI-assisted development processes. The initial access vector, however, is unchanged, so controls on Office attachments from external senders remain the highest-yield defence against a group that keeps targeting critical infrastructure across the region.
4 months ago
How Insider Threats and Malware Breached Rotterdam and Antwerp Ports
Between September 2020 and April 2021, a Dutch national infiltrated IT systems at major European ports, including Rotterdam and Antwerp, through insider access at a logistics firm: employees working with him inserted malware-laden USB sticks, giving him persistent access to sensitive server infrastructure. Using remote access tools he intercepted data in transit and exfiltrated critical databases, and the stolen data enabled large-scale smuggling, including the undetected import of 210 kg of cocaine; he also attempted extortion and tried to resell the malware. The case shows cybercrime and organized crime converging, with insiders as the initial access vector for breaches that are both digital and physical. For port operators and logistics networks the lessons are concrete: removable-media control on systems that touch cargo data, monitoring for remote access tooling, and treating insider recruitment as part of the threat model, alongside the regulatory scrutiny the case has drawn worldwide.
5 months ago
MuddyWater Deploys RustyWater RAT: 2026 State-Sponsored Espionage Hits Middle East
In January 2026, the Iranian state-aligned threat actor MuddyWater (also tracked as Mango Sandstorm and TA450) ran a targeted spear-phishing campaign against diplomatic, maritime, financial and telecom organizations in the Middle East. The emails carried Microsoft Word attachments with spoofed icons; once the victim enabled macros, the document deployed the RustyWater remote access trojan, a Rust-based modular implant with asynchronous command and control, anti-analysis techniques, registry persistence and the ability to expand post-compromise operations. The campaign continues MuddyWater's move from commercial RATs to custom malware, with RustyWater offering stealth and operational flexibility. The group's rapid shift to Rust-based tooling fits a broader attacker trend toward custom, evasive, cross-platform implants against critical infrastructure, but the implant still arrives through a macro prompt: the user clicking 'Enable Content' is the control that fails, so attachment filtering and macro policy matter more than the novelty of the payload.
5 months ago
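Both MuddyWater campaigns on this page (Operation Olalampo above and RustyWater here) start with a macro-bearing Office document, so the highest-yield control is attachment triage at the mail gateway. The following is an added example for this page, not the researchers' tooling or the group's malware: it builds minimal .docm/.docx containers in memory with constructed placeholder content and applies the checks a gateway should run before a user ever sees the 'Enable Content' prompt.

```python
"""Office-attachment triage of the kind that stops macro-based lures.

Added example for this page; not the researchers' code or the actor's tooling.
The sample containers below are constructed in memory and the vbaProject.bin
payload is dummy bytes, so this runs offline.
"""
import io
import re
import zipfile

MACRO_PARTS = {"word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin"}
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
NON_MACRO_EXT = {"docx", "xlsx", "pptx"}          # Office refuses to run VBA from these
OFFICE_EXT = NON_MACRO_EXT | {"docm", "dotm", "xlsm", "pptm", "doc", "dot", "xls", "ppt"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy binary Office (OLE2)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML is a zip
REL_RE = re.compile(rb"<Relationship\b[^>]*>")
# Relationship types that fetch or embed content from a URL at open time.
REMOTE_REL_TYPES = (b"/attachedTemplate", b"/oleObject", b"/frame")


def has_remote_relationship(z: zipfile.ZipFile) -> bool:
    """True if any .rels part points a template/OLE/frame at an external target."""
    for name in z.namelist():
        if not name.lower().endswith(".rels"):
            continue
        for rel in REL_RE.findall(z.read(name)):
            if b'TargetMode="External"' in rel and any(t in rel for t in REMOTE_REL_TYPES):
                return True
    return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return {'verdict': 'block'|'review'|'allow', 'findings': [...]}."""
    findings = []
    labels = filename.lower().split(".")
    ext = labels[-1] if len(labels) > 1 else ""
    if len(labels) > 2:
        # "Invoice.pdf.docm": the extra extension hides the real type behind a
        # familiar icon or a truncated name in the mail client.
        findings.append("multiple_extensions")
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls keep macros in OLE streams; needs oletools-style
        # parsing rather than guesswork, so route it for review.
        findings.append("legacy_ole_container")
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = {n.lower() for n in z.namelist()}
                if names & MACRO_PARTS:
                    findings.append("vba_project_present")
                    if ext in NON_MACRO_EXT:
                        findings.append("macro_in_non_macro_extension")
                if has_remote_relationship(z):
                    findings.append("remote_template_or_object")
        except zipfile.BadZipFile:
            findings.append("corrupt_zip_container")
    elif ext in OFFICE_EXT:
        # Claims to be Office but is neither OLE nor zip: often a renamed PE.
        findings.append("extension_claims_office_but_not_container")
    if {"vba_project_present", "remote_template_or_object"} & set(findings):
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings}


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory (placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        types = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>')
        types.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)  # dummy VBA storage
    return buf.getvalue()


if __name__ == "__main__":
    # A macro project hidden behind a .docx name, as a lure might arrive.
    print(triage_attachment("Vessel_Inspection_Notice.docx", build_sample(True)))
    print(triage_attachment("report.docx", build_sample(False)))
```

The verdict is driven by the container's contents, not its name: a vbaProject.bin part is blocked whatever the extension says, and an Office extension on something that is neither OLE nor zip goes to review rather than to the user.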
How a Latvian Insider Hacked an Italian Ferry's IoT Systems in 2025
In December 2025, an Italian ferry operator suffered a significant breach when a Latvian national was arrested for installing malware directly on the vessel's onboard systems. This was not a remote attack: the malware was introduced physically, through a compromised insider or an unauthorized access point, and it compromised the ferry's IoT devices, affecting operational systems and potentially exposing data crossing the onboard network. The incident raised immediate safety and privacy concerns and temporarily disrupted ferry services, drawing attention to the security of maritime transport and its IoT infrastructure. It illustrates the risk of connected operational technology in critical transport: when attackers, including insiders, target cyber-physical systems, operators need endpoint hardening, monitoring of east-west traffic between onboard systems, and detection that covers the full stack rather than the perimeter alone.
5 months ago
Latvian Crew Arrested After Malware Attack on Italian Ferry: 2024 Maritime Cybersecurity Wake-Up Call
In June 2024, French law enforcement arrested two Latvian crew members aboard the Italian passenger ferry 'Cruise Bonaria' after malware was found installed on the ship's critical systems. The suspects, employed as technicians, reportedly used their privileged access to compromise the vessel's automation and navigation controls, and investigators believe the malware could have allowed remote control of ship operations, a direct passenger-safety risk. The ferry's operations were disrupted while authorities contained the threat, analyzed the infected systems and restored service, taking care to ensure no backdoors remained. The case is a stark reminder of the cyber risk to OT environments in critical transport, and it arrived as industry and regulators were already focused on supply chain integrity, insider threats and the need for monitoring and segmentation around safety-critical systems. A technician's legitimate access is exactly what segmentation alone does not stop; change control and logging on the automation network are the complementary controls.
5 months ago
Broadside Mirai Variant Disrupts Maritime Logistics Sector in 2024
In early 2024, a Mirai variant dubbed 'Broadside' was found targeting maritime logistics organizations by exploiting a critical command injection flaw in exposed DVR systems. Attackers used the flaw to gain persistent access to the devices, hijack them and move laterally into internal shipping infrastructure; the compromised endpoints were then enrolled in a botnet, amplifying the campaign and threatening the operational continuity of global maritime logistics firms. The incident shows IoT malware maturing: Mirai and its descendants now seek out specialized equipment in sectors that were previously overlooked, and a DVR on a flat network is a foothold, not just a camera recorder. Inventorying such devices and keeping them both off the internet and off the same segment as shipping systems removes the initial access and the lateral movement path the campaign relied on, which also simplifies compliance for logistics organizations.
5 months ago
How Iran Blended Cyber and Kinetic Strikes: The 2024 Critical Infrastructure Attack
In early 2024, Iranian state-sponsored threat actors coordinated cyber-attacks in parallel with kinetic strikes on maritime and land-based assets in the Middle East. After reconnaissance and lateral movement inside targeted networks, the attackers used what they could observe of internal traffic, encrypted and unencrypted, to identify critical systems and support precision missile and drone attacks. The operations, often timed to coincide with the physical assaults, compromised internal infrastructure and caused service disruption, operational delays and data exfiltration affecting regional governments and commercial enterprises. The pattern is a nation-state adversary integrating intrusion with physical warfare and treating east-west traffic as targeting data; it argues for stronger network segmentation, encryption of internal traffic and visibility into lateral movement, which is also the direction regulators are taking.
5 months ago