Maritime cybersecurity 2025 in numbers
Some still picture the maritime cyber threat as exclusively a matter of hijacked ships and tampered AIS transponders. By consolidating the incidents of 2025 in my own research dataset on maritime cyber incidents - one I built during my doctoral work and keep maintaining with my own means - I get a rather different, and sometimes more instructive, picture, because it rests on facts. I call this cyber incidentology, not to sound pompous, but because it is rich in lessons for prevention, protection and response.
This article is also available in French.
Two brief reminders before we start:
- these figures describe what was observed and publicly documented, not everything that happened. As you might guess, a good share of incidents never come to light. And the term “incident”, as you know, is a debated one. This overview is therefore an indicator of pressure, not an exhaustive census. That said, over one year and more than 430 recorded events, some broad trends emerge.
- we should also keep in mind the difficulty of doing open-source Cyber Threat Intelligence: that is, very often, relying on attacks claimed by the attacker rather than those confirmed by the targeted entities.
A persistent threat, with a marked rebound in 2025
After a decade of continuous growth, the volume of recorded maritime incidents had settled, in 2023 and 2024, on a high plateau, on the order of 350 incidents per year. In 2025 it climbs sharply again: more than 430 recorded incidents, a record. The sector therefore absorbs, each year, several hundred attacks, without the slightest let-up.

In 2025, this pressure was spread fairly evenly from one month to the next, with no marked respite. And it has a heavily dominant face: nearly two incidents out of three are distributed denial-of-service (DDoS) attacks, almost always hacktivist in origin. A single pro-Russian ecosystem, NoName057(16), accounts on its own for 221 of my annual records, more than half the total. Its favourite target is ports, well ahead of shipowners and shipyards. The geography mirrors that of the war: Italy comes clearly first among the countries hit, followed by Poland, Lithuania, Finland and Spain, depending on stances taken on Ukraine or on NATO and G7 meetings.

Should we be alarmed? Yes and no. A DDoS saturates a website or a portal, causes disruption, gets people talking, but stays reversible and almost never reaches the operating systems of the ship or the terminal. It’s mostly about making noise and being seen. The risk, here, is mainly to end up treating these alerts as scenery, and to lower our guard on the rest.
The noise must not hide the underlying trend
Beneath the hacktivist carpet-bombing, the ransomware threat keeps wreaking havoc among maritime SMEs. This threat accounts for about a quarter of the incidents I recorded in 2025, sharply up year on year, and its progression is more worrying than the DDoS peak, which is mostly a matter of volume.

The most active groups against the maritime sector (Akira, Qilin, Play) mainly target the periphery of ships: logisticians, freight forwarders, stevedores, equipment suppliers, shipyards. That, to my mind, is where the year’s most important signal lies. When you go after a supplier, you do not hit a single company: you reach, by ricochet, its entire customer base.
The most telling example of 2025 is the compromise, by the Rhysida ransomware, of a major Japanese supplier of navigation electronics (RADAR, ECDIS, Voyage Data Recorders, GNSS receivers, autopilots). Beyond the data theft, the attack disrupted service, software updates and the shipping of parts. Yet this manufacturer’s equipment is installed on thousands of vessels worldwide: this is the “one-to-N” risk in its purest form, where the failure of a single supplier propagates to an entire fleet. In the maritime world, understanding a system already amounts almost to intrusion, and compromising a single foothold can create a fleet-wide effect.
When a single point paralyses 116 ships
If proof were needed that the maritime sector can be hit far harder than with a mere DDoS, 2025 supplied it, on the political side this time. In March, an anti-Iranian hacktivist collective claimed the cutting of the SATCOM (VSAT) communications of 116 ships belonging to two sanctioned Iranian state shipowners, namely 50 tankers and 66 cargo ships.
The technical detail is instructive, and it says a great deal about the sector’s real fragility. The attackers did not target the ships one by one: they first compromised the two companies’ Iranian satellite-connectivity provider, then pivoted from that operator’s internal network to the onboard VSAT terminals. Analysis of the published screenshots shows exposed iDirect modems, with an accessible administration service and default credentials never changed, running versions of OpenSSH and OpenSSL that had been end-of-life for years. Once inside, the attackers wiped the modems’ storage partitions, a wiper technique directly comparable to the attack against Viasat / KA-Sat attributed to Russian military intelligence in 2022. Restoration was estimated at several weeks.
This is a far cry from the symbolic DDoS: prior reconnaissance of the fleet, exploitation of a supply chain, a destructive payload synchronised across 116 ships. This is exactly the kind of high-leverage operation that needs watching, and it is also what a fine-grained tracking of incidents, rather than a mere count, makes it possible to distinguish.
And what about GPS jamming and spoofing?
The usual areas are still hit, daily, by disruptions. The US/Iran conflict and the situation in the Near East have only sharply reinforced the GNSS jamming and spoofing zones, in the Persian Gulf and the eastern Mediterranean. These incidents are so frequent that trying to count them now offers only limited interest, or a wish to frighten with figures. Assume that, in these areas, trust in position, navigation and timing networks can only be limited, with all the consequences that may have on board (and ashore). The rest is just literature.
Let us also recall that GPS-related incident reports are also often laden with approximations. I have shown, regarding the famous collision off Oman regularly presented as a case of GPS spoofing, how a convenient hypothesis ends up circulating as an established fact. Caution, then, with stories that are wrapped up too neatly.
What to take away, and what to do
If I had to sum up the year in two developments:
- Hacktivist DDoS has become the dominant volume (two incidents out of three), noisy but reversible: it must not monopolise attention. Its background noise diverts us from the priorities. And our inability to make it stop can legitimately concern us.
- Ransomware is progressing and constitutes the real structuring risk, shifting towards the supply chain (equipment suppliers, shipyards, logisticians, service providers).
The tactics, techniques and procedures (TTPs) most often found are stable and unsurprising: phishing and targeted phishing (spearphishing) for initial access; credentials stolen by infostealers and then resold by Initial Access Brokers; exploitation of exposed remote-access services (VPN, RDP, SSH) and of unpatched end-of-life systems; double extortion combining data theft and encryption; and compromise of service providers to reach their customers in cascade.
The recurring vulnerabilities are, likewise, classics: default or weak credentials, multi-factor authentication that is absent or bypassable, a poorly managed Internet-exposed surface, late patching, end-of-life equipment and software, insufficient segmentation between business IT and industrial systems, and dependence on a single supplier.
The good news is that the most effective protections are known and accessible. In order of impact: deploy phishing-resistant multi-factor authentication, everywhere; reduce and harden the exposed surface (inventory, closing unnecessary remote accesses, rigorous patch management); take care of identity hygiene and monitor credential leaks; segment networks and test offline backups; equip yourself with anti-DDoS protection and a continuity plan so as not to panic in the face of noise; and finally carry contractual cyber requirements through to equipment suppliers and service providers, since a growing share of the risk now passes through them.
In practice, the scenario to prepare for as a priority is the prolonged unavailability of a link in the chain: a freight forwarder, a shipping agent or an electronics supplier at a standstill for two weeks, along with all the activity that depends on it. That’s the risk worth budgeting for and testing in 2026 - concrete, already common, and far likelier than the headline-grabbing ship hijacking.
Olivier JACQ, President and founder of CYBERMOOV Consulting.