The Ocean Is the New Attack Surface: How AI Is Turning Ships Into Targets

Somewhere in the Persian Gulf right now, a tanker's GPS is lying to its crew. The ship thinks it's in international waters. It is not. That lie was engineered in software, deployed in seconds, and it is just one of the ways that AI-powered cyberattacks are quietly rewriting the rules of maritime security — and the consequences stretch far beyond any single vessel.

Shipping carries more than 90 percent of everything traded internationally. It is, in the most literal sense, the circulatory system of the global economy. And for most of its history, its greatest threats came from storms, pirates, and reefs. That calculus has changed. The maritime industry is now one of the most aggressively targeted sectors in global cybersecurity — and the same artificial intelligence tools being adopted to make shipping smarter, faster, and cheaper are being weaponized by attackers to devastating effect.

This is not a hypothetical future scenario. It is the documented present. Two separate research reports published in the last two weeks of February 2026 — one from maritime cybersecurity firm Cydome and one from maritime threat intelligence platform CYTUR Inc. — have laid out a picture that every port authority, shipping executive, and security professional needs to understand. What follows is a full breakdown of what is happening, why it matters, and what the attack chain actually looks like from a technical standpoint.

The Numbers That Should Keep You Up at Night

Let's start with the raw data, because the trajectory here is not a gradual slope — it is a near-vertical climb.

103%: Increase in maritime cyber incidents, 2024 to 2025 (CYTUR Inc.)
828: Recorded maritime cyber incidents in 2025, up from 408 in 2024
800%: Increase in attacks on edge network devices (routers, VPNs, firewalls) in 2025
15 min: Time from vulnerability disclosure to active exploitation by AI-driven tools

The CYTUR Maritime Cyber Threat White Paper 2026, published in February and based on data collected through the company's maritime-specific threat intelligence platform CYTUR-TI, reported that cyberattacks targeting the global maritime industry surged 103 percent in 2025, rising from 408 incidents in 2024 to 828 last year. That is not 828 attempts. That is 828 recorded incidents — meaning breaches, disruptions, ransomware deployments, navigational interference events, or data theft operations that actually registered on the threat intelligence grid. Given how notoriously underreported maritime incidents are — especially when shipping companies fear regulatory scrutiny or reputational damage — the real number is almost certainly higher.

Meanwhile, Cydome's Maritime Cyber Trends Report 2026: What Shipping Executives Need to Know, which draws on operational data and expert commentary from 13 maritime industry professionals including shipowners and classification societies, focuses on a different but equally alarming dimension: the speed of attack. In 2018, the window between a software vulnerability being published and an attacker exploiting it in the wild was an average of 63 days — enough time for a security team to identify, test, and patch a flaw. By 2024, that window had collapsed to five days. Today, AI-driven hacking tools have compressed it to under 48 hours, with many systems being targeted within just 15 minutes of a flaw being detected.

"Attacks are inevitable and, as incident analysis indicates, are becoming more sophisticated; the differentiator will be how quickly and safely a shipping company can detect, respond, and continue operations." — Panagiotis Anastasiou, Cybersecurity Strategy Leader, Bureau Veritas Marine & Offshore (Maritime Technology Review, March 2026)

Sixty percent of newly disclosed software vulnerabilities across ships, ports, and offshore assets are now weaponized within 48 hours. That means the traditional patch-and-pray security model — which was already strained on land — is functionally dead at sea, where vessels may spend weeks between port visits, software updates are cumbersome, and IT support is often a satellite call away.

What Is CYTUR-TI?

CYTUR-TI is a maritime-specific threat intelligence platform operated by CYTUR Inc., a South Korean cybersecurity firm focused exclusively on the shipping industry. Unlike general-purpose threat intelligence feeds, it aggregates incident data specific to vessels, ports, maritime authorities, and offshore assets. The 2026 White Paper is the company's most comprehensive public release to date. Source: Cyprus Mail, February 2026.

The Ship Is a Floating Data Center — And It Has Default Passwords

To understand why ships are such attractive targets, you need to understand what a modern vessel actually is from a systems perspective. It is not a simple mechanical machine. A contemporary commercial vessel is a densely networked environment that includes bridge navigation systems (ECDIS, AIS, radar, GPS/GNSS), satellite communications infrastructure (VSAT terminals), engine and propulsion control systems, ballast water management systems, Integrated Automation Systems (IAS), crew networks and personal devices, and cargo management platforms — all interconnected to varying degrees, all increasingly linked to shore-based systems for monitoring and fleet management.

The Electronic Chart Display and Information System, or ECDIS, is the digital replacement for paper nautical charts. It is what a ship's officer looks at when navigating. Compromise the ECDIS, and you can manipulate the chart data the crew is relying on to avoid obstacles, narrow channels, and sovereign territorial boundaries. The Automatic Identification System, or AIS, is the transponder system that broadcasts a vessel's identity, position, course, and speed to other ships and shore stations. It is fundamental to collision avoidance and to international maritime law enforcement. Spoof the AIS signal, and a ship can appear to be somewhere it is not — or disappear from tracking entirely.

"In late 2023, over 100 cargo ships suddenly appeared at Beirut airport on AIS tracking systems — an impossible scenario attributed to widespread GPS spoofing in the Eastern Mediterranean during the Israel-Hamas conflict." — Crisis24, July 2025

That incident is one of the clearest public illustrations of how GPS spoofing works against maritime navigation in practice. Researchers have demonstrated in controlled environments that an attacker who can inject counterfeit GPS signals — broadcasting slightly incorrect coordinates — can steer a vessel off course without the crew having any obvious indication that anything is wrong. The ECDIS displays the spoofed position. The chart looks correct. The ship moves toward whatever the attacker wants it to approach: a sandbar, a territorial boundary, or a collision course.

In geopolitically sensitive chokepoints, this is not theoretical. GPS spoofing and jamming in regions like the Persian Gulf and Strait of Hormuz have been documented in 2024 and 2025, with ships manipulated to display positions within a specific country's territorial waters even while navigating international waters — creating pretexts for vessel seizure. In the Black Sea, similar tactics have been used to disorient tankers operating near conflict zones.

The VSAT Problem

VSAT — Very Small Aperture Terminal — is the satellite internet infrastructure that keeps modern ships connected. Security researchers have demonstrated that it is possible to remotely access a vessel's VSAT terminal and reconfigure the ECDIS to subtly shift GPS coordinates. Weaknesses in VSAT connectivity management software can create a single point of failure, allowing attackers to disrupt communications across an entire fleet simultaneously. Legacy COBHAM SAILOR 900 VSAT systems (CVE-2022-22707, CVE-2019-11072, and CVE-2018-19052) remain unpatched on vessels worldwide. Source: Cyble, July 2025.

The ethical hacker demonstration referenced by Crisis24 deserves to be taken seriously: a researcher accessed a vessel's VSAT terminal remotely and reconfigured the ECDIS to subtly shift GPS coordinates. The words "subtly shift" are doing a lot of work in that sentence. A minor offset is invisible at sea in clear conditions. In fog, in a narrow channel, in a crowded anchorage, or approaching a port at night, a minor offset is a disaster.
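A defender's view of the "subtly shift" problem, as an added example that is not from the article or any of the reports it cites: a GNSS plausibility monitor that compares reported fixes with a dead-reckoned position built from gyrocompass heading and speed-log readings. The thresholds, coordinates and tracks are constructed for illustration, and the sketch assumes heading and speed come from sensors that are independent of the GNSS receiver.

```python
import math
from dataclasses import dataclass

EARTH_R_M = 6_371_000.0
KNOT_MS = 0.514444  # metres per second in one knot


@dataclass
class Sample:
    t: float            # seconds since start of track
    lat: float          # GNSS-reported latitude, degrees
    lon: float          # GNSS-reported longitude, degrees
    heading_deg: float  # gyrocompass heading (assumed independent of GNSS)
    speed_kn: float     # speed-log reading (assumed independent of GNSS)


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two positions."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_R_M * math.asin(math.sqrt(a))


def dead_reckon(lat, lon, heading_deg, speed_kn, dt_s):
    """Advance a position from heading and speed only (flat-earth step)."""
    d = speed_kn * KNOT_MS * dt_s
    h = math.radians(heading_deg)
    dlat = d * math.cos(h) / EARTH_R_M
    dlon = d * math.sin(h) / (EARTH_R_M * math.cos(math.radians(lat)))
    return lat + math.degrees(dlat), lon + math.degrees(dlon)


def check_track(samples, max_speed_kn=30.0, jump_margin_m=50.0, drift_limit_m=100.0):
    """Return (time, kind, metres) alerts for a list of Sample objects.

    JUMP  - consecutive fixes are farther apart than the hull could travel.
    DRIFT - GNSS has diverged from the dead-reckoned position; this is the
            check that catches a slow offset whose individual steps look normal.
    Dead reckoning accumulates its own error (current, leeway), so a real
    monitor would re-anchor it on an independent fix such as radar bearings.
    """
    alerts = []
    dr_lat, dr_lon = samples[0].lat, samples[0].lon  # first fix is trusted
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        step = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon)
        if step > max_speed_kn * KNOT_MS * dt + jump_margin_m:
            alerts.append((cur.t, "JUMP", round(step)))
        dr_lat, dr_lon = dead_reckon(dr_lat, dr_lon, prev.heading_deg, prev.speed_kn, dt)
        drift = haversine_m(dr_lat, dr_lon, cur.lat, cur.lon)
        if drift > drift_limit_m:
            alerts.append((cur.t, "DRIFT", round(drift)))
    return alerts


def make_track(n, north_offset_m):
    """Constructed test data: vessel steaming due east at 12 kn, one fix per
    minute; north_offset_m(i) is the false northward shift applied to fix i."""
    lat, lon, out = 30.0, -40.0, []
    for i in range(n):
        off_deg = math.degrees(north_offset_m(i) / EARTH_R_M)
        out.append(Sample(i * 60.0, lat + off_deg, lon, 90.0, 12.0))
        lat, lon = dead_reckon(lat, lon, 90.0, 12.0, 60.0)
    return out


if __name__ == "__main__":
    # Slow pull: 15 m of extra northward error per minute from the 5th minute.
    for alert in check_track(make_track(20, lambda i: max(0, i - 4) * 15.0)):
        print(alert)
```

In the slow-pull track no single step exceeds the speed limit, so only the dead-reckoning comparison raises an alert; a sudden relocation trips both checks.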

Compounding all of this is the human factor. Ethical hackers have found that shipboard systems commonly operate with default passwords shared across users, outdated and unpatched operating systems, and inadequate segmentation between IT and OT networks. The physical attack surface matters too: USB ports on ECDIS terminals are frequently accessible to third parties who board the ship — surveyors, port agents, port state control officers, and vendors — all of whom could intentionally or inadvertently introduce malicious code. Five of 24 mariners interviewed in a 2025 academic study published on arXiv specifically flagged supply chain vulnerabilities: the fear that navigation equipment or ship computers arrive with malicious alterations already baked in at the manufacturing stage.

AI vs. AI: The Automated Arms Race at Sea

Here is the piece of this story that distinguishes 2026 from every prior year of maritime cybersecurity concern: the attacker is no longer just a human sitting at a keyboard. The attacker is increasingly an AI-driven system operating autonomously, scanning for vulnerabilities, selecting targets, crafting exploit payloads, and executing attacks at machine speed — all without meaningful human oversight on the offensive side.

Cydome's report notes that 87 percent of organizations now view AI-related vulnerabilities as the fastest-growing risk they face. That figure encompasses both the risk of AI systems being targeted and the risk of AI being used as a weapon against them. The distinction matters less than the aggregate effect: the traditional security response window has collapsed to the point where human-speed defenses cannot keep pace with machine-speed attacks.

Attacks on edge network devices — the routers, firewalls, and VPN gateways that connect ships to the broader internet and to shore-based management systems — increased 800 percent in 2025, with 20 percent of those attacks targeting firewalls and VPN infrastructure directly. These are not brute-force volume attacks. They are targeted, sophisticated intrusions into the digital gateways that every modern ship depends on for operational connectivity.

The Lab Dookhtegan incident is the most dramatic real-world example of what happens when that gateway is successfully compromised at scale. The hacktivist group — an anti-Iranian-government collective responsible for previous leaks of IRGC-linked infrastructure data and the 2019 exposure of APT34's hacking tools — compromised the infrastructure of a maritime connectivity provider and used that access to wipe VSAT partitions on the hard drives of 116 tankers simultaneously. Every vessel in that fleet lost internet connectivity instantly. Ship-to-shore VOIP communications went dark. The operational, safety, and compliance implications of 116 tankers losing communications simultaneously — some of them transiting congested or sensitive waters — are difficult to overstate.

"In 2026, the most significant cybersecurity risk will come from inside the perimeter. As organisations become more digitally integrated, insider risk — whether malicious, compromised, or accidental — will be one of the hardest challenges to detect and manage." — Oystein Brekke-Sanderud, Head of Maritime OT/ICS Security, NORMA Cyber (Smart Maritime Network, March 2026)

The CYTUR report adds a dimension that deserves its own examination: the emergence of what it calls "Cyber Pirates" in the Strait of Malacca and South China Sea. Unlike traditional pirates who operate opportunistically and indiscriminately, these actors are highly targeted. They use cyberattacks to identify high-value cargo, disable vessel defenses or communications, and coordinate physical boarding operations with digital reconnaissance. The digital and physical attack surfaces are converging in real time.

At least a dozen Advanced Persistent Threat groups — the nation-state-affiliated or state-tolerated hacking organizations responsible for the most sophisticated and persistent cyberattacks globally — have targeted the maritime industry in the last year alone, according to Cyble's threat intelligence reporting. That is not the behavior of opportunistic criminals. That is a strategic targeting pattern consistent with nation-state interest in mapping, disrupting, or gaining leverage over global supply chains.

The supply chain dimension extends beyond connectivity providers. In October 2025, Japanese navigation equipment manufacturer Furuno Electric — whose radar systems, ECDIS units, and voyage data recorders are installed on vessels worldwide — was hit by Rhysida ransomware. The attack temporarily froze maintenance operations, software updates, and spare parts shipments, creating what CYTUR's white paper described as a "safety vacuum" across fleets dependent on Furuno equipment. An OEM compromise does not require a single vessel to be breached directly; it propagates risk laterally across every ship running that manufacturer's systems.

Ghost Tankers, Deepfake CFOs, and the $25 Million Voicemail

The technical attack vectors are alarming enough. The social engineering dimension is where AI transforms the threat into something genuinely new — and almost impossible to defend against with conventional awareness training.

Cydome's report documents that 83 percent of phishing emails targeting multinational maritime crews are now AI-generated, written in the native language of the recipient and tailored to their cultural context to establish immediate trust. A Filipino engineer receives a phishing email in Tagalog that references his specific vessel, his route, and a plausible operational scenario. A Greek captain gets a near-perfect imitation of a message from his company's shore-based technical superintendent. The AI that generates these messages draws on whatever public and stolen data is available about the target — LinkedIn profiles, company websites, previous data breaches — and produces something indistinguishable from legitimate correspondence.

Voice phishing — vishing — has surged 1,600 percent, driven by AI voice cloning tools that can replicate an executive's speech patterns, tone, dialect, and cadence from a relatively small audio sample. Identity fraud has risen 195 percent, fueled by AI-generated images, deepfake video, and automated location-masking techniques that allow attackers to impersonate individuals convincingly in video calls.

The financial consequences are already documented. A European energy major — the incident documented in Cydome's 2026 Maritime Cyber Trends Report — lost $25 million when attackers deployed a deepfake audio clone of the company's CFO to authorize an urgent wire transfer. This is a distinct incident from the widely reported 2024 Arup video-deepfake case; what makes this one particularly relevant to maritime operators is that it was a pure vishing attack — voice only, no video call required. The voice matched the CFO's tone, dialect, and cadence so precisely that staff complied without hesitation. There was no reason not to. The voice was correct. The urgency was familiar. The request, while large, was within the range of transactions that executive might legitimately authorize.

Why Maritime Crews Are Prime Targets for Vishing

Ship crews operate in high-pressure, time-sensitive environments where decisions are made quickly and verification is often impractical. A chief officer receiving an urgent instruction from what sounds like the company's operations director while managing a port entry has limited time and limited means to independently verify the call. That operating environment is exactly what AI-powered social engineering is designed to exploit. The cognitive pressure of the maritime work environment is a vulnerability that no firewall addresses.

On the navigation disruption front, the GPS spoofing campaigns in the Persian Gulf have taken an especially cynical form. According to CYTUR's 2026 threat intelligence data, tankers have been manipulated to display their position as being within a specific country's territorial waters while actually navigating in international waters — constructing a legal pretext for the forcible interception or seizure of the vessel. This is GPS spoofing deployed not as a navigational prank but as an instrument of geopolitical coercion, generating a fake paper trail that can be used to justify a state action. The vessel's own instruments become evidence against it.

In the first half of 2024 alone, Marlink — which provides managed connectivity services to the maritime industry — tracked 23,400 malware detections and 178 ransomware attacks across just 1,800 monitored vessels. Ransomware has "bricked" vessels: encrypted their critical systems so thoroughly that ships have been forced to anchor for days while IT teams scrambled to restore functionality. Port infrastructure has faced the same pressure: in August 2024, the Port of Seattle — which also operates Seattle-Tacoma International Airport — was struck by a Rhysida ransomware attack that took down baggage systems, check-in kiosks, flight information displays, and the port's website for weeks. Major global hub ports including Rotterdam, Los Angeles, and Busan have emerged as consistent ransomware targets, with attackers encrypting terminal operating systems to halt container loading and unloading operations and demand significant ransoms.

The Regulatory Reality Check

The regulatory landscape is evolving — but it is evolving at bureaucratic speed while threats evolve at algorithmic speed. That gap is where the danger lives.

The International Maritime Organization's guidelines integrate cybersecurity into Safety Management Systems under the ISM Code. The International Association of Classification Societies issued Unified Requirements UR E26 and UR E27, which entered into force in July 2024 and require cybersecurity safeguards to be embedded at the ship design and construction stage for vessels contracted after that date. The U.S. Coast Guard's 2025 cybersecurity rule mandates that vessels and facilities appoint Cybersecurity Officers, report incidents to the National Response Center, train staff, and implement formal cybersecurity measures. The EU's NIS2 Directive requires maritime operators to implement risk management measures and secure supply chains.

The problem is compliance. The October 2024 transposition deadline passed with only four EU Member States having implemented NIS2 into national law, prompting the European Commission to open infringement proceedings against 23 non-compliant states in November 2024. By July 2025, that number had improved to approximately 14 states with completed transposition — meaning roughly half the EU remained in non-compliance more than nine months past the deadline, with the Commission having escalated to formal reasoned opinions against 19 states and threatening referral to the Court of Justice of the EU. Meanwhile, the IACS requirements, while technically sound, apply only to ships contracted after July 2024. The existing global fleet — tens of thousands of vessels — operates under legacy standards that were never designed with AI-driven cyberattacks in mind.

"The incident data from 2024 and 2025 proves that maritime cybersecurity is no longer an 'option' but a matter directly linked to a vessel's 'right to operate.'" — Yong-hyun Cho, CEO, CYTUR Inc. (Cyprus Mail, February 2026)

NATO's Cooperative Cyber Defence Centre of Excellence (CCDCOE) has explicitly warned that critical port infrastructure — which handles roughly 80 percent of global trade — is actively targeted by threat actors linked to Russia, Iran, and China. This is not the cybercrime ecosystem chasing financial return. This is strategic targeting of supply chain infrastructure by nation-states that have assessed maritime disruption as a lever of geopolitical power.

The regulatory framework was largely designed to address the cybercrime threat model. It is being applied against a threat landscape that now includes nation-state actors, AI-automated attack pipelines, and the convergence of cyber and physical maritime threats. Katerina Raptaki, IT Manager at Navios, one of the world's largest shipping groups, captured the accountability vacuum precisely in Cydome's report: shipping companies are deploying AI faster than they are defining who is responsible when it goes wrong.

Cybersecurity researchers have also flagged a specific set of critical vulnerabilities requiring immediate attention from maritime security teams: CVE-2025-52579 in Emerson's ValveLink software, which poses risk to FIELDVUE controllers used in marine ballast water, fuel handling, and engine control; CVE-2024-2658 in Schneider Electric's EcoStruxure platform, affecting industrial control systems used in ship automation; and CVE-2024-20418 in Cisco's Ultra-Reliable Wireless Backhaul, impacting port and terminal connectivity. These are not theoretical weaknesses — they are documented, assigned CVE identifiers, and present on operational maritime systems worldwide.

Key Takeaways

  1. The attack window is now measured in minutes, not months. AI-driven exploit tools compress the time from vulnerability disclosure to active attack to under 15 minutes in documented cases. Traditional patch cycles and scheduled maintenance windows are structurally incompatible with this threat timeline.
  2. OT systems on vessels are now primary targets, not afterthoughts. Attackers are no longer satisfied with corporate IT network breaches. They are penetrating ballast water management systems, ECDIS, AIS, and propulsion controls — systems where compromise carries physical and safety consequences, not just data loss.
  3. AI-powered social engineering is bypassing human defenses entirely. When 83 percent of phishing emails are AI-generated in the recipient's native language, and voice cloning can replicate a CFO convincingly enough to authorize a $25 million wire transfer, awareness training alone is not a defense strategy.
  4. The connectivity layer is the kill switch. The Lab Dookhtegan incident demonstrated that compromising a single connectivity provider's infrastructure can simultaneously sever communications for more than 100 vessels. The group is an anti-Iranian-government hacktivist collective, not a state actor — which underscores how accessible fleet-level disruption capability has become. VSAT infrastructure is simultaneously indispensable and critically underprotected.
  5. GPS spoofing is being weaponized geopolitically. Ships in sensitive regions face GPS manipulation not just for navigational disruption but to manufacture legal pretexts for state vessel seizures. The vessel's own navigation instruments are being turned into evidence against it.
  6. Regulatory frameworks are behind the threat curve. IACS UR E26 and E27, NIS2, and IMO guidelines represent meaningful progress — but they apply primarily to new builds and compliant jurisdictions. The existing global fleet remains largely exposed, and enforcement is inconsistent at best.

The maritime industry sits at an intersection that makes it uniquely vulnerable: it carries irreplaceable global trade volume, it is digitizing at speed, its workforce is globally dispersed and multi-lingual, its vessels spend weeks between opportunities for software maintenance, and its operational technology was largely designed in an era when cybersecurity was someone else's problem. AI has not created these vulnerabilities — but it has handed attackers a capability to exploit all of them simultaneously, at scale, autonomously, and faster than any human security team can currently track.

The next major maritime cyber incident may unfold before any human in the response chain even realizes it has begun. That is not alarmism. It is the stated assessment of the security professionals who watch this space every day — and it is the logical conclusion of a threat that has already demonstrated it can take 116 tankers offline with a single well-placed intrusion, or freeze the maintenance and parts pipeline for an entire class of navigation equipment by hitting its manufacturer. The ocean is now the attack surface. The ships are the endpoints. And the clock is running in milliseconds.
