[Spotlight Post] Why Are Merchant Ships Hacked? The Motives, in Numbers
Not the romance of piracy — the geography of motive the data actually shows.
- LinkedIn : https://www.linkedin.com/in/abysstoinfinity
Say "ship hacking" and most people picture a hacker seizing the helm of a giant container vessel from afar. But the terrain that maritime cybersecurity statistics actually describe is far less dramatic — and far more economic. When commercial ships are attacked, what are those attacks actually for? The short answer: the overwhelming majority chase money, and over the past few years geopolitics has risen fast as the second axis.
1. First, an Honest Limit — There Is No "Exact Percentage"
One uncomfortable fact up front: maritime cyber incidents are structurally under-reported. Owners are reluctant to disclose them for reasons of reputation, charter contracts, and insurance premiums, and because shipboard systems are isolated from shore IT, detection itself lags. So no single "motive A is exactly X%" number deserves full trust — read every figure below knowing each comes from a different compiler, definition, and population.
Even so, the direction is legible. The most widely cited structured dataset is the Maritime Cyber Attack Database (MCAD) from NHL Stenden University, collecting shipping-sector incidents back to 2001 (from ~160 records at its 2023 launch to around 290 since). Layer on the managed-detection (SOC) data of the provider Marlink and threat-intelligence reports, and the geography of motive emerges.
2. Money — A Dominant First, Led by Maritime Ransomware
The most common motive is simple: money. It splits into three streams.
The common entry point for all three streams is, more often than not, phishing — one tally attributes an estimated ~48% of observed 2024 maritime incidents to it.
3. State-Backed Espionage — A Fast-Rising Second
The second axis is geopolitics. State-backed APT groups target shipping and ports for espionage and sabotage. The threat-intelligence firm Cyble counted, as of 2025, more than ten APT groups going after maritime-related targets — Chinese-linked (Mustang Panda, APT41), Russian-linked (APT28, Turla), and Iranian-linked (Crimson Sandstorm) among them.
Their objective is not immediate cash but information and leverage: mapping logistics flows, monitoring sanctions evasion, pre-positioning the ability to paralyze a port if it ever comes to that.
4. Hacktivism — The Proxy War of Ideology
The third is ideology — attacks making ships tied to a particular nation or company the target of political messaging. One analysis holds hacktivism accounts for about 16% of maritime incidents and has grown sharply since 2022 (a single-source figure, so read with care).
The examples are concrete — the anti-Iran group Lab Dookhtegan severed the VSAT satellite-communication systems of 116 Iranian oil tankers in March and again in August 2025, the August operation reaching the provider-level infrastructure supplying the fleet. Pro-Palestinian groups striking Israel-linked vessels fall in the same category.
5. Navigation Interference (GPS/AIS) — A Different Category
A common misunderstanding must be corrected. GPS spoofing and AIS spoofing fill the news, but their purpose runs against the grain of the three categories above.
In short, navigation interference is better understood through sanctions evasion (by the owner itself) or state-level disruption than through "a hacker robbing a ship for money."
6. Insiders and Opportunism
Small in share but not to be dismissed: insiders. The 2014 insider attack by a systems administrator on a US aircraft carrier, recorded in MCAD, is the emblematic case. Alongside it sits the opportunistic scanning and infection that chases vulnerabilities with no specific aim.
What the Statistics Draw
Most of it is money, and a growing share is geopolitics. Total incidents rose ~103% in 2025 (CYTUR 2026).
Why This Distinction Matters
Reading motive accurately is the starting point of defense. If financial motive dominates, then for most owners the first line of defense is phishing prevention and backup-and-recovery — not the cinematic helm-seizure scenario. An owner on routes tied to a particular state or conflict must additionally fold geopolitical targeting and navigation interference into its threat model.
The answer to "what are merchant-ship hacks for" is more prosaic than the flashy imagination suggests. Most of it is money, and a growing share is geopolitics. Knowing that is the first step in deciding where a limited budget goes first.
Key Sources
This article is a general analysis of publicly reported maritime cyber-incident data. Figures come from different compilers with differing definitions and populations, and maritime incidents are structurally under-reported; treat all percentages as directional rather than exact.
Owner-side maritime cybersecurity advisor covering IACS UR E26/E27 compliance, zone and conduit design, and OT/IT security architecture for commercial vessels — working across LR, ClassNK, DNV, ABS, and BV newbuilding projects.
Recent Iranian moves to blockade the strait can also be seen as a strategic act combining political and economic objectives. Cyber attacks are, at their core, essentially the same. Hacking is not merely a technical act — it is a means to achieve clear objectives: gaining political influence, securing economic benefit, disrupting supply chains, and strengthening negotiating leverage. Ultimately, controlling a physical strait and targeting digital maritime infrastructure differ only in method. The strategic direction and intent behind both are one and the same.