TL;DR — too long, didn’t read
Ransomware group "Thegentlemen" has listed TKMS and Atlas Elektronik on its leak site. The claim is unconfirmed, carries a duplicate-entry flag, and TKMS has not responded publicly, but naval and defense shipbuilding is now appearing in ransomware campaigns.
CVE-2026-56770 is a parsing flaw in the open-source libais library: a single crafted AIS sentence broadcast over VHF, with no authentication required, can crash vessel systems that consume AIS data.
DigitalLead and BifrostConnect have launched SeaSecure, a hardware-based remote-access gate that puts ship owners and captains in control of who can reach their vessel systems during maintenance and servicing.
From the shipyard to the bridge to the maintenance laptop, this week's signals cover the full maritime attack surface.
Three things that matter this week
TKMS and Atlas Elektronik named on a ransomware leak site
On approximately 25 June, the ransomware group known as "Thegentlemen" listed "Thyssenkrupp Marine Systems (TKMS) GmbH / Atlas Elektronik" on its public data-leak site. The listing was first tracked on 28 June 2026 by the ransomware-monitoring platforms ransomware.live and RansomLook.
This is a claim, not a confirmed breach. TKMS has not publicly confirmed any incident. ransomware.live has flagged the entry as a possible duplicate, which means the listing may relate to an earlier entry or may be erroneous. Nothing in the verified record confirms that data was exfiltrated or that any TKMS system was compromised.
What the listing does confirm is that someone chose to name a major German naval shipbuilder, the company behind submarines and surface combatants for multiple navies, alongside its naval electronics and combat-systems subsidiary Atlas Elektronik, on a ransomware leak site. Whether the claim proves accurate or not, that decision reflects where ransomware operators see value in the defense-maritime supply chain.
For everyone in that supply chain, the relevant question is not whether TKMS was actually breached. It is whether you are exposed to a named entity, and what your plan looks like for the day you or a close partner appear on a similar list.
Why this matters for maritime: defense and naval shipbuilding has entered the ransomware threatscape. A leak-site listing, even an unconfirmed one with a duplicate-entry flag, is early warning. The supply chain running from shipyard to equipment vendor to systems integrator is long, and an incident anywhere in it can affect others downstream.
What to do: if you sit anywhere in the naval or shipyard supply chain, treat a leak-site listing as early warning, not proof, but not noise either. Confirm your own exposure to the named entity, and make sure you have an incident-communications plan for the day you, or a close partner, get named on a leak site. Absence of public confirmation is not absence of risk.
Test your response: Run a maritime ransomware tabletop →
CVE-2026-56770,
one crafted AIS sentence can crash vessel systems
CVE-2026-56770 is a vulnerability in libais, the widely used open-source library that parses AIS messages. It affects all versions through 0.15.
The flaw sits in the function VdmStream::AddLine. When the library processes AIS sentences that have empty or out-of-range sequential message IDs, it uses an unchecked sentinel value as a vector index. The result is out-of-bounds memory access and potential memory corruption. A remote attacker can trigger it by sending a single crafted AIVDM sentence, either over VHF marine radio or via an IP-based AIS data feed. NVD has logged the CVE but lists it as "Not Scheduled" for enrichment, so no CVSS score has been assigned yet.
The VHF vector is what makes this significant. AIS operates on an open, unauthenticated radio channel. Anyone with a transmitter can put an AIS sentence onto that channel. There is no mechanism to filter a malformed sentence before it reaches the parsing library. Firewalls help with IP-based feeds, but they do not touch the RF path.
AIS data feeds bridge a lot of screens: chart plotters, ECDIS displays, traffic-management software, fleet-monitoring dashboards. If the library parsing that data crashes, the systems depending on it go dark. Most operators have no visibility into which library version their equipment vendor used during development.
Why this matters for maritime: the navigation stack runs on software that almost no operator audits. A bug in a widely used parsing library, exploitable by anyone who can transmit over VHF, means the attack surface for disrupting bridge systems is lower than most people assume.
What to do: inventory which onboard and shoreside systems ingest AIS and what library or software version underlies them. Ask your equipment vendors specifically whether they use libais and whether a patch path exists. Treat AIS input as untrusted data, because the VHF vector means you cannot simply firewall the problem away.
SeaSecure gives ship owners a hardware lock on remote access
DigitalLead and BifrostConnect have launched the SeaSecure project, a hardware-based solution that gives ship owners and captains authority over who can access vessel systems during remote operations.
The problem they are targeting is familiar to anyone who manages shipboard IT or OT: modern vessels depend on remotely connected equipment for updates, troubleshooting, and servicing. Doing it remotely saves time and reduces the cost of sending technicians to sea. But every remote session opened by a supplier or service technician is also a path into the vessel's systems, one that the owner or captain typically cannot see or control in real time.
SeaSecure puts hardware between the remote user and the vessel, so that access requires owner approval rather than just a vendor's credentials. The partners are developing the solution to let suppliers and technicians connect, but under the operator's direct control.
This sits squarely in the supply-chain access problem that maritime cyber practitioners have raised for years: the maintenance laptop that connects to the engine management system, the satcom provider who needs to update firmware, the integrator troubleshooting a sensor fault. Each of those sessions is a potential entry point, and most of them happen without any visibility from the bridge.
Why this matters for maritime: remote maintenance is now standard practice, not an exception, and it is a real cost saver. But every remote session is an attack path. Controlling, logging, and approving third-party access is one of the most practical steps an operator can take, and one of the most under-managed.
What to do: map every remote-access path into your vessel systems: equipment vendors, system integrators, satcom providers, flag-state surveyors. Require owner or operator approval and a log entry for each session. SeaSecure is one hardware-gated model; others exist. The principle matters more than the product. "We need remote support" must not quietly mean "anyone with the right credentials can connect."
In case you missed it
Another shipping company on a ransomware leak site: the Nova ransomware group listed FTL (FTL International N.V. / Fast Transit Line) on its leak site around 23 June 2026. FTL is a shipping, consolidation, and forwarding company with a presence in major Northern European ports and an office in Colombo, Sri Lanka. The listing claims the stolen data includes sales data, invoices, and customer names and phone numbers. This is a claim on a leak site, not a confirmed breach.
USCG cyber compliance, in plain English: at the Inland Marine Expo in Nashville, a session titled "Clarity Over Complexity: A Practical Guide to U.S. Coast Guard Cybersecurity Compliance," moderated by Robert Blackman of KVH Industries, heard Lt. William Quigley of the USCG Office of Maritime Cybersecurity Policy note that the published cyber rules apply to any vessel that has a security plan, with a waiver path available for small companies. A practical companion to last week's coverage of the USCG implementation guidance.
Coming up
Monaco Energy Boat Challenge — Yacht Club de Monaco — Monaco, 8–11 July 2026. Andrzej Gab speaks on the cyber panel "Cyberattacks in Yachting: Navigating in GNSS dark zones" on 9 July.
DEF CON Maritime Village — 6–9 August 2026.
Number of the week
6700 — The approximate number of vessels worldwide affected by GPS jamming in Q4 2025, according to Windward, reported via Safety4Sea.
That was down from roughly 11,600 vessels in Q3 2025. A decline on paper, but the figures point to a sustained level of disruption across major shipping routes rather than any improvement in the underlying problem. The Middle East Gulf remained the epicentre, accounting for about 57% of all reported jamming.
At that scale and concentration, jamming is a standing operating condition for vessels working the Gulf, not an occasional incident.
Test your response: Play the Hormuz GNSS scenario →
Resource of the week
Windward — maritime GPS jamming quarterly analysis (via Safety4Sea, June 2026)
The full quarterly picture behind this week's number: vessel-impact counts across Q3 and Q4 2025, the regional breakdown, and the Gulf concentration. Useful for voyage-planning and for regional risk conversations with non-technical stakeholders.
Want more depth?
Maritime Cyber Intelligence Brief covers what the weekly cannot: full incident timelines, regulatory analysis, GNSS threat data, and OT advisory breakdowns. The latest issue is a free preview.
Read of the week
"Sandworm" by Andy Greenberg
The definitive account of the military hacking unit behind NotPetya, the destructive malware that cost Maersk an estimated $300 million and remains the canonical case of malware crossing from corporate IT into global logistics and shipping. It connects this week's ransomware and destructive-malware theme to the maritime sector's most expensive cyber lesson.
