TL;DR

  • NORMA Cyber's 2026 threat assessment names insider risk as the #1 maritime cyber threat — not external hackers, but rotating crews, contractors with admin access, and coordinated insiders

  • 116 tankers wiped off the internet in a single hacktivist operation — VSAT partitions destroyed, all communications severed simultaneously via a compromised connectivity provider

  • AI voice cloning up 1600% targeting shipping executives — one attacker used deepfake video to pass hiring verification and infiltrate a company from the inside

Three things that matter this week

Threats inside the perimeter: insider risk is now #1

NORMA Cyber's upcoming Annual Threat Assessment 2026 — launching at their Oslo conference on 24 March — identifies insider risk as the most significant maritime cyber threat this year. Not just disgruntled employees: coordinated insiders, accidental exposure by rotating offshore crews, and contractors with unmonitored admin access.

The assessment also documents an 800% surge in attacks targeting edge devices — routers, VPN concentrators, and firewalls bridging shipboard OT and IT networks. Once compromised, these devices give attackers persistent access to both sides of the boundary simultaneously.

Why this matters: The industry has spent years building perimeter defences. NORMA's data says the biggest threat is already inside. For offshore operations with crew rotations every few weeks, each handover is a potential access control gap.

One thing to do: Audit who has admin access to your IT/OT boundary devices — routers, VPN concentrators, firewalls. If your edge device firmware inventory is older than 6 months, you're behind the threat tempo.
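One way to run the audit described above, as an added example rather than code from NORMA Cyber or this newsletter: it checks a constructed inventory for firmware records older than six months and for enabled admin accounts that have outlived a rotation or contract, or that carry no end date at all. The device names, account names, field names and audit date are all assumptions.

```python
from datetime import date, timedelta

# Constructed sample data: hypothetical devices, accounts and dates.
AUDIT_DATE = date(2026, 3, 9)
MAX_INVENTORY_AGE = timedelta(days=183)  # the "older than 6 months" threshold
DEVICES = [
    {"name": "mv-alpha-vsat-router", "firmware_checked": date(2025, 6, 1)},
    {"name": "mv-alpha-ot-firewall", "firmware_checked": date(2026, 1, 15)},
]
ADMINS = [
    # valid_until = end of the holder's rotation or contract; None = never recorded
    {"device": "mv-alpha-vsat-router", "account": "eto.hansen", "role": "crew",
     "valid_until": date(2026, 2, 10), "enabled": True},
    {"device": "mv-alpha-ot-firewall", "account": "vendor-support", "role": "contractor",
     "valid_until": None, "enabled": True},
    {"device": "mv-alpha-ot-firewall", "account": "chief.eng", "role": "crew",
     "valid_until": date(2026, 4, 30), "enabled": True},
    {"device": "mv-alpha-vsat-router", "account": "eto.prev", "role": "crew",
     "valid_until": date(2025, 12, 1), "enabled": False},
]


def audit(devices, admins, today):
    """Return a sorted list of (device, finding) tuples for the boundary devices."""
    findings = []
    for d in devices:
        age = today - d["firmware_checked"]
        if age > MAX_INVENTORY_AGE:
            findings.append((d["name"], f"firmware inventory {age.days} days old"))
    known = {d["name"] for d in devices}
    for a in admins:
        if not a["enabled"]:
            continue  # disabled accounts are not an access path
        if a["device"] not in known:
            findings.append((a["device"], f"admin {a['account']} on device missing from inventory"))
        if a["valid_until"] is None:
            findings.append((a["device"], f"admin {a['account']} ({a['role']}) has no end date"))
        elif a["valid_until"] < today:
            findings.append((a["device"], f"admin {a['account']} still enabled after {a['valid_until']}"))
    return sorted(findings)


if __name__ == "__main__":
    for device, finding in audit(DEVICES, ADMINS, AUDIT_DATE):
        print(f"{device}: {finding}")
```

Feeding it the real crew list and contractor register at each handover turns the rotation gap into a short list of accounts to disable.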

Hacktivists cut 116 tankers off the internet in one operation

Correction: An earlier version of this article incorrectly dated the Lab Dookhtegan VSAT attack as March 2026. The attack occurred on 18 March 2025. We regret the error.

In March 2025, hacktivist group Lab Dookhtegan compromised a maritime connectivity provider and wiped VSAT hard drive partitions across 116 tankers. All external communications — remote fleet management, GMDSS-linked satellite services, and software update channels — were severed simultaneously.

The attack represents a significant escalation. This wasn't ransomware demanding payment — it was deliberate destruction of communications infrastructure. The scale suggests advance reconnaissance of the provider's management plane.

Why this matters: Fleet operators sharing a single connectivity provider now face single-point-of-failure risk at the provider level. If your entire fleet depends on one VSAT vendor's management infrastructure, one breach can isolate every vessel at once.

One thing to do: Ask your connectivity provider: how is your management plane secured? Can a single compromised credential reach the entire fleet? If you don't get a clear answer, you need a backup communications path — LEO, Iridium, anything independent.

AI voice clones are targeting your executives — 1600% surge

A report published on 2 March documented a 1600% increase in AI-driven voice phishing (vishing) targeting shipping executives and shore-based crew management. In one confirmed case, a threat actor used AI-generated imagery and a stolen identity to pass video-based hiring verification, gain employment, and attempt server infiltration from inside the organisation.

The barrier to entry has collapsed. Commodity-grade deepfake tools can now clone a voice from a 30-second LinkedIn video. Maritime is especially vulnerable — multilingual crews, remote hiring, high turnover.

Why this matters: HR and identity verification for remote roles must now include live liveness checks and document authentication. A video call is no longer proof of identity.

One thing to do: Brief your DPAs and crewing officers: AI-enabled social engineering is an active threat, not a theoretical risk. If you're hiring remote crew or shore personnel, add a live challenge step to your verification — something a deepfake can't anticipate.

Coming up

  • NORMA Cyber Conference — 24 March, Oslo. Launch of Annual Threat Assessment 2026. The flagship Nordic maritime cyber event. Ogmios Maritime will be attending — if you're there, come say hello.

  • RSA Conference 2026 — 23–26 March, San Francisco. Transport and critical infrastructure tracks.

Full conference calendar → mc3.maritime-ogmios.tech

Number of the week

  • 672 — daily GNSS interference events recorded in the Middle East Gulf. Over 655 vessels have been affected by spoofing since regional hostilities began. Primary hotspots: off the coasts of UAE, Iran, and Oman — overlapping with the world's highest-density tanker traffic through the Strait of Hormuz. Vessels relying solely on GNSS without cross-referencing radar are at elevated grounding and collision risk.

Resource of the week

  • Maritime Cyber Intelligence Brief — our new semi-monthly deep-dive report covering incidents, regulations, GNSS threats, and OT advisories. The first issues are free previews. If you want more depth than this weekly newsletter, this is it.

  • Free tabletop exercise: CMA CGM Ransomware — a ransomware attack cripples your shipping line's booking and cargo systems. Your fleet is at sea. 15 minutes, runs in your browser.
