TL;DR — too long, didn’t read
CISA CI Fortify asks critical infrastructure, ports and transportation included, to plan for something most have never tested: running for weeks with the internet and vendor links cut while OT is under attack. Our lead.
Qilin keeps working through the logistics and freight-forwarding sector, the layer that sits in the data flow between shippers, carriers, and ports.
FBI: cyber-enabled cargo theft hit 725 million dollars in 2025, up 60 percent, mostly phishing and account takeover aimed at the systems that move freight.
Three things that matter this week
CISA CI Fortify — can your port operate while cut off?
On 5 May 2026, CISA announced CI Fortify, an initiative directing critical infrastructure operators to prepare for a scenario most incident response plans skip entirely: a geopolitical conflict where an attacker degrades your OT networks and severs your connections to the internet, telecoms, and upstream vendors at the same time. The transportation sector, ports and terminals included, is named directly.
The guidance is built around two capabilities CISA wants operators to develop now:
Isolation — the ability to proactively disconnect from third-party dependencies and keep running without reliable telecoms, internet, service providers, or upstream links. For a port, that means asking an uncomfortable question: if the connection to your TOS vendor, your remote monitoring provider, and your cloud services all dropped at once, what still works?
Recovery — documented systems, backed-up critical files, and a practiced ability to replace systems or fall back to manual operation when isolation is not enough.
CISA says it will run targeted assessments of how prepared selected operators are, prioritising defense critical infrastructure. Ports that handle military sealift, fuel, or strategic cargo should assume they are in scope.
Why this matters for maritime: ports have spent a decade adding remote connectivity. Vendor maintenance tunnels, cloud-based terminal operating systems, satellite links to vessels, remote OT monitoring. Every one of those is a dependency. CI Fortify is the first time a national authority has said plainly that the dependency itself is the risk, and that you need to be able to operate without it.
What to do: Map your external dependencies, OT vendor tunnels, cloud TOS, remote monitoring, satellite links, and ask which port operations stop if each is severed. Identify what can fall back to manual and test it under a clock, not on paper. Document the systems your operation cannot run without, and confirm you can rebuild or replace them offline. This is exactly the scenario a tabletop exercise is built to expose.
Qilin keeps working through the freight-forwarding sector
A pattern, documented across several months.
Qilin (also tracked as Agenda) is a double-extortion ransomware operation: encrypt the systems, steal the data, demand payment for both. Threat intelligence firms including SOCRadar and Resecurity have profiled the group's consistent focus on wholesale, logistics, and supply-chain targets, where time-sensitive operations make victims more likely to pay quickly.
The recent run of claimed victims reads like a freight directory. Traffic Tech, an Italian logistics firm (claimed 1 March 2026). Avitrans, a Spanish logistics company (claimed 21 April 2026). BTX Global Logistics in the US. And in May, an entity listed on Qilin's leak site as "Shipping Services," reportedly an Argentine operator, with the usual encryption-plus-exfiltration pattern.
A caution on these: the individual victim claims come from ransomware leak-site trackers, not from company confirmations. None of the named firms has issued a public statement at the time of writing. The pattern, repeated targeting of logistics and freight intermediaries, is well documented. Any single name on the list is a claim until the company confirms it.
That distinction matters. Whether or not one specific Argentine forwarder was hit, the freight-forwarding layer is being worked systematically, and most of these firms sit directly in the data flow between shippers, carriers, ports, and customs. A forwarder's compromised systems carry your booking data, your customs filings, your cargo manifests.
What to do: If you are a port, carrier, or shipper, your freight forwarders and logistics intermediaries are part of your attack surface even though they are not your systems. Ask them what they have in place. Treat the booking and documentation chain as data worth protecting, and segment the systems that exchange it. Double extortion means a forwarder breach can leak your commercial data even if your own network is untouched.
FBI — cyber-enabled cargo theft hit 725 million dollars
On 30 April 2026, the FBI's Internet Crime Complaint Center (IC3) issued a public service announcement warning that cyber-enabled cargo theft surged in 2025, with reported losses reaching 725 million dollars, a roughly 60 percent rise year on year. Total cargo theft losses across North America reached 6.6 billion dollars.
The methods IC3 describes are not technically exotic, which is part of why they work: phishing, spoofed URLs, compromised freight-broker and carrier accounts, and fraudulent postings on load boards. Attackers impersonate legitimate brokers or carriers, take control of booking systems, and redirect physical shipments. Confirmed incidents rose 18 percent in 2025, but the average value per theft jumped 36 percent to about 274 000 dollars, which tells you the targeting is getting more selective. One named campaign, tracked as Diesel Vortex, ran phishing against freight and logistics operators across the US and Europe using 52 domains, active since September 2025.
The maritime and port relevance is direct. Containers do not move without the broker, carrier, and forwarder systems that schedule and document them. When an attacker takes over a carrier account or impersonates a freight agent, the fraud reaches into the same systems that ports and terminals coordinate with daily. This is the supply-chain version of business email compromise, and the payload is a physical container leaving the gate under false instructions.
What to do: Verify identity out of band before acting on changed pickup, routing, or payment instructions, especially anything urgent. Lock down freight-broker and carrier account access with MFA and monitor for account takeover. Treat load-board and booking-platform credentials as high-value targets, because to a cargo thief, they are.
In case you missed it
GNSS jamming, Baltic Sea. The NATO Shipping Centre continues to collect reports from merchant mariners of GNSS disturbances in the Baltic, concentrated around the Gulf of Finland and Kaliningrad. The scale is no longer marginal: more than 10 000 vessels were officially reported affected in Q2 2025, an eightfold jump on the previous quarter. NSC is asking crews to report incidents. If you operate in the region, position-fixing degradation is a standing condition, not an anomaly.
MARAD Advisory 2026-007. A refreshed US Maritime Administration advisory (supersedes 2025-013, valid to 21 October 2026) on cyber and physical risks from Chinese-linked port equipment and software, including LOGINK, Nuctech scanners, and ship-to-shore cranes. It points to USCG Maritime Security Directive 105-5 for crane cyber requirements. The recommendation is unglamorous: segment crane management networks, monitor all traffic to and from the crane, and require vendor updates via physical site visits where possible.
ICS Patch Tuesday, May. CISA, Siemens, and Schneider published a fresh round of ICS advisories, including Fuji Electric and Johnson Controls products dated 21 May. None is strictly maritime-specific this round, but Johnson Controls and Schneider gear is common in port building and power systems. Worth a scan.
Coming up
The maritime calendar gets busy in June. If you will be at any of these, reach out.
Posidonia 2026 — Athens, 1-5 June. The big one. Geopolitics and maritime security are dominant on this year's conference agenda.
NMIOTC 17th Annual Conference — Souda Bay, Crete, 3-4 June. NATO's maritime interdiction and security forum.
MARSEC COE International Maritime Security Conference — Istanbul, 9-10 June.
Maritime Cyber Guild Meetup Q2 — Prague, 15 June. Smaller, but the maritime cyber community in one room.
PT XXI, Polish Naval Academy — Gdynia, 1-3 June. I am presenting on maritime tabletop exercises.
And on these pages: once CISA's CI Fortify assessments and sector guidance develop, we will cover what a port-specific isolation and recovery plan actually looks like.
Number of the week
725 million dollars
Reported losses from cyber-enabled cargo theft in 2025, per the FBI's IC3, up about 60 percent on the year. Mostly phishing, account takeover, and impersonation, aimed at the systems that move freight.
Resource of the week
CISA CI Fortify guidance (cisa.gov, May 2026)
The primary source for Story 1. CISA's isolation-and-recovery framing is the clearest official statement yet that external dependencies are themselves the risk. If you run port or terminal OT, read it before your next budget cycle, because "operate while cut off" is going to become an audit question.
Available at cisa.gov (search "CI Fortify").
Read of the week
"Lights Out" by Ted Koppel — a journalist's account of what happens when critical infrastructure loses power and connectivity at scale, and how unprepared most operators are to run without the systems they depend on. It predates CI Fortify by years, but it is the same question CISA is now asking formally: can you function when the grid and the network are gone? Relevant reading for anyone responsible for port continuity.
"Sandworm" by Andy Greenberg — the definitive account of state-sponsored attacks on critical infrastructure, ending with NotPetya. That 2017 attack froze Maersk's global operations, knocked out terminals, and cost the company around 300 million dollars. If you want to understand what CI Fortify is actually preparing you for, this is the case study. Maritime's most expensive cyber lesson is in this book.
