TL;DR

  • An Iranian state-linked hacktivist group claims it exfiltrated 430,000 documents from the Port of Fujairah and passed targeting data to IRGC missile units — hours before a kinetic strike hit the port area. The claim is credible. The proof is not. But the question it raises applies to every port: could your logistics data help someone aim a missile? We unpack what is known, what is not, and what it changes.

  • Yang Ming Marine Transport's German division appeared on LockBit5's leak site on 7 May. The INC Ransom group is running a parallel campaign against US maritime logistics via Citrix exploits. Big game hunting has arrived in shipping.

  • The USCG published Work Instruction 001 — a standardized cybersecurity inspection job aid. The grace period is over. Inspectors now have a checklist. If your training records are not in order, expect a CG-835 deficiency notice.

Three things that matter this week

Fujairah: the cyber-kinetic question

On 4 May, missiles and drones struck oil infrastructure near the Port of Fujairah, UAE. Within hours, the Iranian-aligned hacktivist persona "Handala" posted a claim: it had conducted an advanced cyber operation against the port, exfiltrating over 430,000 documents — pipeline maps, tanker movement schedules, berth allocations, financial records — and delivered targeting data to IRGC missile units before the strike.

If true, this would be the first publicly documented case of a hacktivist persona serving as a real-time intelligence node in a kinetic military operation against port infrastructure.

Here is what we can verify. Handala is not a freelance activist. Multiple Western assessments, reinforced by a March 2026 FBI seizure of its web infrastructure, identify it as a front for Void Manticore (also known as Red Sandstorm), a threat actor run by Iran's Ministry of Intelligence and Security. Its track record is real: over 200,000 devices wiped at US medical manufacturer Stryker in March, WhatsApp threats to US Marines in Bahrain in April, and a string of destructive wiper attacks against Israeli and Gulf targets throughout 2024–2025.

Here is what we cannot verify. No independent technical evidence — forensic telemetry, confirmed tasking orders, or official attribution — has been published proving that Handala's exfiltrated data materially shaped the targeting of the 4 May strikes. OSINT review of leaked samples shows mostly routine customs and freight-forwarding paperwork: invoices, packing lists, commodity descriptions. Not the pipeline schematics and real-time operational data that the narrative implies. Neither the UAE government, the Port of Fujairah, nor major Western threat intelligence vendors have publicly confirmed the breach.

The honest assessment: credible actor, credible capability, unproven claim.

But here is what matters regardless of whether Handala overstated its role. The question is now on the table for every port and terminal operator in a contested region: if someone gets into your terminal operating system (TOS), your berth allocation system, your cargo manifest database — could that data help them time a physical attack? Could pipeline schematics guide a strike planner? Could tanker schedules tell an adversary when your terminal is most vulnerable?

For Gulf and European ports, the answer is obviously yes. And that means business planning systems — TOS, ERP, EDI gateways, customs interfaces — need to be treated as potential intelligence sources for state-aligned adversaries, not just as ransomware monetisation targets.

Why this matters: The threat model for ports has expanded. Logistics data is no longer just a business asset. In contested theaters, it can become targeting intelligence. This does not require Handala's specific claim to be true. It only requires the capability to exist — and it does.

One thing to do: Map which of your systems store data with potential kinetic value: vessel schedules, berth allocations, pipeline layouts, tank-farm status. Ask yourself whether those systems are segmented from internet-facing networks, and whether your remote-access list has been audited in the past 90 days. If not, start there.

Yang Ming, INC Ransom, and the big game hunters

On 7 May, Yang Ming Marine Transport Corporation's German division appeared on LockBit5's leak site. Yang Ming is one of the world's largest container shipping lines — a Taiwanese carrier operating across Asia, Europe, and the Americas. No detailed technical disclosure has followed; no public statement from Yang Ming. The incident appears to target business IT rather than vessel OT systems, but that distinction matters less than it used to.

The likely exposure: shipping contracts, freight booking records, customer data, internal billing. The likely consequence: a wave of convincing phishing emails and fake invoices targeting Yang Ming's European customers and partners, built from real shipment data.

Yang Ming is not alone this week. The INC Ransom group has launched a focused campaign against US-based maritime transportation entities, exploiting unpatched Citrix remote-access infrastructure to gain initial footholds, then moving laterally using legitimate system administration tools — a technique known as "Living off the Land" that makes the attacker's activity nearly indistinguishable from routine IT maintenance. For port and terminal SOCs that already struggle to distinguish authorised OEM remote access from unauthorised intrusion, this is a difficult detection problem.
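The detection problem above has a practical answer that does not depend on tool names: baseline which accounts are allowed to run remote-administration tooling, from which source networks, and inside which maintenance window, then alert on every deviation. The script below is an added example written for this newsletter issue, not code from INC Ransom research or any SOC product. Its log format ("timestamp host account source_ip process"), the account names, the subnets and the maintenance windows are constructed assumptions.

```python
"""Baselining legitimate remote administration.

Added example, not from the newsletter. Living-off-the-land lateral movement
uses the tools an administrator or an OEM support engineer already uses, so a
rule that fires on "psexec.exe" alone drowns in maintenance noise. Instead,
baseline who may run remote-admin tooling, from where, and when, and alert on
every deviation. The log format ("timestamp host account source_ip process")
and the baseline entries are constructed assumptions, not real telemetry or
any product's schema.
"""
import ipaddress
from datetime import datetime, time

# Tools whose use implies remote administration or lateral movement.
ADMIN_TOOLS = {"psexec.exe", "wmic.exe", "winrs.exe"}

# Constructed baseline: who is allowed to run those tools, from where, and when.
# Windows are local time; an end earlier than the start wraps past midnight.
BASELINE = {
    "it-jump-admin": {
        "sources": [ipaddress.ip_network("10.10.5.0/24")],   # IT jump-host subnet
        "window": (time(0, 0), time(23, 59)),                 # any time
    },
    "oem-crane-support": {
        "sources": [ipaddress.ip_network("10.250.1.0/24")],  # vendor VPN pool
        "window": (time(22, 0), time(4, 0)),                  # overnight maintenance
    },
}

# Constructed process-creation events, one per line.
SAMPLE_LOG = """\
2026-05-07T09:30:00 tos-db-01 it-jump-admin 10.10.5.7 wmic.exe
2026-05-07T11:00:00 tos-db-01 j.doe 10.10.8.20 excel.exe
2026-05-07T14:05:00 crane-plc-gw oem-crane-support 10.250.1.14 psexec.exe
2026-05-07T23:10:00 crane-plc-gw oem-crane-support 10.250.1.14 psexec.exe
2026-05-08T02:12:00 tos-db-01 it-jump-admin 192.0.2.55 wmic.exe
2026-05-08T02:15:00 tos-app-02 svc-backup 10.10.7.3 psexec.exe
"""


def in_window(t, start, end):
    """True if clock time t falls in [start, end], wrapping past midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def detect(log_text, baseline=BASELINE, tools=ADMIN_TOOLS):
    """Return (timestamp, host, account, [reasons]) for each admin-tool
    launch that does not match the account's baseline."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, account, src, process = line.split(maxsplit=4)
        if process.lower() not in tools:
            continue  # ordinary user software, ignore
        reasons = []
        profile = baseline.get(account)
        if profile is None:
            reasons.append("no remote-admin baseline for account")
        else:
            ip = ipaddress.ip_address(src)
            if not any(ip in net for net in profile["sources"]):
                reasons.append(f"source {src} not in baseline")
            start, end = profile["window"]
            if not in_window(datetime.fromisoformat(ts).time(), start, end):
                reasons.append(
                    f"outside maintenance window {start:%H:%M}-{end:%H:%M}")
        if reasons:
            alerts.append((ts, host, account, reasons))
    return alerts


def demo():
    """Run detection over the constructed sample log."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for ts, host, account, reasons in demo():
        print(f"{ts} {host} {account}: {'; '.join(reasons)}")
```

Run against the sample, the vendor's 23:10 session passes and its 14:05 session is flagged, the jump-host admin account is flagged when it appears from an address outside the jump-host subnet, and a service account with no baseline at all is flagged on first use. The point is that the same psexec.exe launch is benign or hostile depending only on account, source and time, which is exactly the context a signature on the binary name throws away.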

The pattern is clear. Maritime logistics is now a big-game-hunting target. The time-sensitivity of cargo operations, the cost of port detention, the complexity of multi-party supply chains — all of these make shipping companies attractive victims for double-extortion ransomware. The $10 million average damage figure from Cydome's 2026 report is not an outlier. It is the new baseline.

Why this matters: If you are a Yang Ming customer or partner in Europe, watch your inbox. If you are any maritime operator relying on Citrix or similar remote-access tools, verify your patch status today — not next quarter.

One thing to do: Check whether your organisation has active Citrix or VPN accounts that belong to former employees, expired contractors, or inherited acquisitions. INC Ransom and similar groups are buying these credentials on darknet markets for minimal cost. The account that gets you breached is probably one nobody remembers exists.
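The remote-access audit asked for in both "One thing to do" items above (the 90-day review of the remote-access list under Fujairah, and the hunt for accounts belonging to former employees, expired contractors and inherited acquisitions here) reduces to one cross-reference. The script below is an added example for this issue, not code from any gateway vendor or identity provider; the CSV column names, account names, dates and the 90-day dormancy threshold are constructed assumptions, and a real run would substitute an export from the Citrix gateway or VPN concentrator and from HR.

```python
"""Orphaned remote-access account audit.

Added example, not from the newsletter: cross-references a Citrix/VPN account
export against an HR roster and a contractor list, and flags the accounts an
affiliate buying credentials would love to find: terminated employees,
contractors past their end date, accounts inherited from an acquisition that
are on no roster at all, and accounts nobody has used in a long time.
All data below is constructed sample input; the CSV column names are an
assumption, not any vendor's export format.
"""
import csv
import io
from datetime import date

# Constructed gateway export: every account allowed through remote access.
GATEWAY_CSV = """account,source,last_logon
j.doe,corporate_ad,2026-05-06
m.schmidt,corporate_ad,2026-01-15
oem-crane-support,local,2025-09-02
t.nguyen,acquired_terminal_ad,2026-04-30
legacy-admin,acquired_terminal_ad,
"""

# Constructed HR roster: employees only; contractors live in a separate list.
HR_CSV = """account,status,end_date
j.doe,active,
m.schmidt,terminated,2026-02-01
t.nguyen,active,
"""

# Constructed contractor list with contract end dates.
CONTRACTORS_CSV = """account,end_date
oem-crane-support,2025-12-31
"""

# Date the audit is run (fixed so the sample output is reproducible).
TODAY = date(2026, 5, 8)


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _parse_date(value):
    return date.fromisoformat(value) if value else None


def audit(gateway_csv, hr_csv, contractors_csv, today, dormant_days=90):
    """Return {account: [reasons]} for every account that should be disabled
    or reviewed. Accounts with no findings are omitted."""
    hr = {r["account"]: r for r in _rows(hr_csv)}
    contractors = {r["account"]: r for r in _rows(contractors_csv)}
    findings = {}
    for row in _rows(gateway_csv):
        acct = row["account"]
        reasons = []
        if acct in hr:
            status = hr[acct]["status"]
            end = _parse_date(hr[acct]["end_date"])
            if status != "active":
                reasons.append(f"HR status {status}" + (f", end date {end}" if end else ""))
            elif end and end <= today:
                reasons.append(f"HR end date {end} has passed")
        elif acct in contractors:
            end = _parse_date(contractors[acct]["end_date"])
            if end and end < today:
                reasons.append(f"contract ended {end}")
        else:
            # Typical of inherited acquisitions: the gateway knows the account,
            # nobody else does.
            reasons.append("not on HR or contractor roster")
        last = _parse_date(row["last_logon"])
        if last is None:
            reasons.append("never logged on")
        elif (today - last).days > dormant_days:
            reasons.append(f"dormant for {(today - last).days} days")
        if reasons:
            findings[acct] = reasons
    return findings


def demo():
    """Run the audit over the constructed sample data."""
    return audit(GATEWAY_CSV, HR_CSV, CONTRACTORS_CSV, TODAY)


if __name__ == "__main__":
    for acct, reasons in demo().items():
        print(f"{acct}: {'; '.join(reasons)}")
```

On the sample data the two active employees pass, the terminated employee is caught twice (HR status and dormancy), the OEM support account is caught on an expired contract, and the account that came in with the acquired terminal is flagged because nobody can vouch for it and it has never logged on. That last category is the one the text warns about: present on the gateway, absent from every roster.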

The inspector has a checklist now

The US Coast Guard published Work Instruction 001 during the first week of May: a standardised "Cybersecurity Training Verification Job Aid" for MTSA facility inspectors. This is not a new regulation. It is something potentially more consequential — it is the tool that turns the regulation into a repeatable inspection.

Inspectors are now directed to confirm that all personnel with access to IT or OT systems — including part-time contractors and temporary staff — have completed a compliant cybersecurity training programme. The training must cover threat recognition, incident reporting procedures, and OT-specific risks. Non-compliance results in a CG-835 deficiency notice.

The training verification requirement became mandatory on 12 January 2026. The next milestone: designating a Cybersecurity Officer and submitting a comprehensive Cybersecurity Plan for approval by 16 July 2027. That sounds like a long runway, but the assessment process is complex and the USCG has made clear it expects preparation to be underway now.

In parallel, ABS Consulting announced the acquisition of RMC Global on 7 May — an industrial cybersecurity firm specialising in critical infrastructure resilience. The consolidation signal is unmistakable: maritime cybersecurity is moving from boutique consulting into full-lifecycle managed services, driven by the regulatory pressure that documents like Work Instruction 001 create.

Why this matters: A standardised job aid means consistent enforcement. Port facilities in the US should expect inspections to follow a predictable pattern — and to produce comparable findings across districts. The era of soft guidance is ending.

One thing to do: Obtain a copy of Work Instruction 001 and walk through it as if you were the inspector. Check your training records, your access-control documentation, and your OT personnel coverage. If you find gaps, you have time to close them — but less than you think.

Coming up

Full conference calendar: mc3.maritime-ogmios.tech

Number of the week

  • 69% — That is the share of all observed cybersecurity risks in maritime environments linked to compromised user credentials, according to Marlink's 2026 report. Not zero-days. Not sophisticated exploits. Passwords. Software vulnerabilities account for 12%. And one in five maritime users clicks a phishing link in simulation exercises.

    Source: Marlink Cyber Intelligence Report for Remote Operations 2026.

Resource of the week

  • USCG Work Instruction 001 — the cybersecurity training verification job aid your inspector will be using. Worth walking through before they do. → uscg.mil/MaritimeCyber

  • Marlink Cyber Intelligence Report 2026 — where this week's 69% number comes from. Covers identity risks, crew network alerts, and the OT visibility problem. → marlink.com

  • Free tabletop exercise: Port Ransomware Attack — cargo management goes dark, container tracking offline, manual operations only. 15 minutes, runs in your browser. → tabletop.maritime-ogmios.tech

Read of the week

Sandworm by Andy Greenberg

The book that explains how Russian cyber operations crossed into the physical world. Covers the NotPetya attack that cost Maersk $300 million and shut down 17 container terminals in one afternoon. If Fujairah has you wondering whether a cyber operation can enable a missile strike, this is where that story started.

More maritime cybersecurity reading at books.maritime-ogmios.tech
