[Spotlight Post] Why Are Merchant Ships Hacked? The Motives, in Numbers

💡 Insight Data-Driven Maritime Cyber Motive Analysis

Not the romance of piracy — the geography of motive the data actually shows.

Julius
Maritime Technical Consultant · Shipboard Cybersecurity & Compliance
- LinkedIn : https://www.linkedin.com/in/abysstoinfinity

Say "ship hacking" and most people picture a hacker seizing the helm of a giant container vessel from afar. But the terrain that maritime cybersecurity statistics actually describe is far less dramatic — and far more economic. When commercial ships are attacked, what are those attacks actually for? The short answer: the overwhelming majority chase money, and over the past few years geopolitics has risen fast as the second axis.

Financial First · Ransomware & BEC · State-Backed APTs · Hacktivism · GPS/AIS Spoofing · Shadow Fleet

1. First, an Honest Limit — There Is No "Exact Percentage"

One uncomfortable fact up front: maritime cyber incidents are structurally under-reported. Owners are reluctant to disclose them for reasons of reputation, charter contracts, and insurance premiums, and because shipboard systems are isolated from shore IT, detection itself lags. So no single "motive A is exactly X%" number deserves full trust — read every figure below knowing each comes from a different compiler, definition, and population.

Even so, the direction is legible. The most widely cited structured dataset is the Maritime Cyber Attack Database (MCAD) from NHL Stenden University, collecting shipping-sector incidents back to 2001 (from ~160 records at its 2023 launch to around 290 since). Layer on the managed-detection (SOC) data of the provider Marlink and threat-intelligence reports, and the geography of motive emerges.

2. Money — A Dominant First, Led by Maritime Ransomware

The most common motive is simple: money. It splits into three streams.

· Ransomware — encrypting a vessel's systems or a terminal operating system (TOS) to paralyze cargo handling and demand a ransom. Large port terminals are especially attractive targets.
· Data theft & resale — stealing ship and cargo information to resell on the dark web, or holding it hostage for negotiation.
· Fraud (BEC) — business email compromise, hijacking accounts to divert charter or bunker payments.

One measured figure: across the ~1,800 vessels Marlink's SOC monitored in H1 2024, it logged 23,400 malware detections and 178 ransomware detections — of which 79 were major incidents handled directly.

The common entry point for all three streams is, more often than not, phishing — one tally attributes an estimated ~48% of observed 2024 maritime incidents to it.

3. State-Backed Espionage — A Fast-Rising Second

The second axis is geopolitics. State-backed APT groups target shipping and ports for espionage and sabotage. The threat-intelligence firm Cyble counted, as of 2025, more than ten APT groups going after maritime-related targets — Chinese-linked (Mustang Panda, APT41), Russian-linked (APT28, Turla), and Iranian-linked (Crimson Sandstorm) among them.

Their objective is not immediate cash but information and leverage: mapping logistics flows, monitoring sanctions evasion, pre-positioning the ability to paralyze a port if it ever comes to that.

4. Hacktivism — The Proxy War of Ideology

The third is ideology — attacks making ships tied to a particular nation or company the target of political messaging. One analysis holds hacktivism accounts for about 16% of maritime incidents and has grown sharply since 2022 (a single-source figure, so read with care).

The examples are concrete — the anti-Iran group Lab Dookhtegan severed the VSAT satellite-communication systems of 116 Iranian oil tankers in March and again in August 2025, the August operation reaching the provider-level infrastructure supplying the fleet. Pro-Palestinian groups striking Israel-linked vessels fall in the same category.

5. Navigation Interference (GPS/AIS) — A Different Category

A common misunderstanding must be corrected. GPS spoofing and AIS spoofing fill the news, but their purpose runs against the grain of the three categories above.

· AIS Spoofing — Self-Disguise: Largely not an "attack on a ship" but a disguise a ship performs on itself — the "shadow fleet" carrying sanctioned cargo and falsifying its position. Kpler identified 261 vessels that spoofed AIS and were later sanctioned (Jan 2024 – Jul 2025).
· GPS Jamming — State-Level Disruption: Mostly regional interference at the state/military level, concentrated in conflict waters — the Black Sea, Red Sea, Strait of Hormuz, Eastern Mediterranean. In April 2024, one incident displayed 117 vessels simultaneously at Beirut Airport.

In short, navigation interference is better understood through sanctions evasion (by the owner itself) or state-level disruption than through "a hacker robbing a ship for money."

6. Insiders and Opportunism

Small in share but not to be dismissed: insiders. The 2014 insider attack by a systems administrator on a US aircraft carrier, recorded in MCAD, is the emblematic case. Alongside it sits opportunistic scanning and infection that chases vulnerabilities with no specific aim.


What the Statistics Draw

First is money. Ransomware, data theft, and fraud form the mainstream of attacks on commercial ships.
Second is geopolitics. State-backed espionage and hacktivism have grown their share fast since 2022.
Navigation interference is separate — mostly sanctions evasion or state disruption, not "hacking aimed at a ship."

Most of it is money, and a growing share is geopolitics. Total incidents rose ~103% in 2025 (CYTUR 2026).

Why This Distinction Matters

Reading motive accurately is the starting point of defense. If financial motive dominates, then for most owners the first line of defense is phishing prevention and backup-and-recovery — not the cinematic helm-seizure scenario. An owner on routes tied to a particular state or conflict must additionally fold geopolitical targeting and navigation interference into its threat model.

The answer to "what are merchant-ship hacks for" is more prosaic than the flashy imagination suggests. Most of it is money, and a growing share is geopolitics — and knowing that is the first step in deciding where a limited budget goes first.

Key Sources

· MCAD (NHL Stenden) — structured incident database, 2001–present, ~290 records
· Marlink SOC H1 2024 — 1,800 vessels / 23,400 malware / 178 ransomware / 79 major incidents
· CYTUR 2026 white paper (~103% YoY)
· Cyble (APT list, hacktivism)
· Kpler (261 AIS-spoofing vessels)
· ThreatScene (phishing ~48%)
· Scientific American (117 vessels at Beirut, GPS spoofing)

This article is a general analysis of publicly reported maritime cyber-incident data. Figures come from different compilers with differing definitions and populations, and maritime incidents are structurally under-reported; treat all percentages as directional rather than exact.

Julius

Owner-side maritime cybersecurity advisor covering IACS UR E26/E27 compliance, zone and conduit design, and OT/IT security architecture for commercial vessels — working across LR, ClassNK, DNV, ABS, and BV newbuilding projects.

Comments

  1. Recent Iranian moves to blockade the strait can also be seen as a strategic act combining political and economic objectives. Cyber attacks are, at their core, essentially the same. Hacking is not merely a technical act — it is a means to achieve clear objectives: gaining political influence, securing economic benefit, disrupting supply chains, and strengthening negotiating leverage. Ultimately, controlling a physical strait and targeting digital maritime infrastructure differ only in method. The strategic direction and intent behind both are one and the same.