NORMA Cyber
Annual Threat Assessment 2026
On 24 March, NORMA Cyber published its Annual Threat Assessment 2026 at the Spring Conference in Oslo — and we were there. The ATA is not a summary of news you have already read. It is 42 pages of structured intelligence, compiled from 350+ incidents, direct SOC data, and coordinated threat actor tracking across 170+ member organisations representing over 3,000 vessels. This issue is our analysis: the six findings that matter most, the numbers behind them, and what each one means for your organisation.
ATA Key Figures 2025
| What | Number |
|---|---|
| Incidents handled by NORMA Cyber SOC | +350 |
| Compromised accounts | 77 |
| Companies notified about MFA bypass compromises | 77 |
| Ransomware groups naming maritime entities | 60 |
| Claimed OT attacks by hacktivists | 8 |
| DDoS attacks by NoName057(16) against maritime | 182 |
| OT CVEs assessed — maritime applicable | 1122 |
| GNSS disruptions, Sweden | 733 in 2025 vs. 55 in 2023 |
| NORMA Cyber members / vessels represented | +170 / +3000 |
What the ATA says — top findings
Finding 1: A Raspberry Pi Zero was found onboard a passenger vessel
In December 2025, a hardware implant was discovered aboard a passenger vessel: a Raspberry Pi Zero with a cellular modem, physically connected to the vessel's office network. The device created a covert backchannel that operated entirely independently of the ship's authorised internet connectivity. It enabled persistent remote access, credential theft, and network reconnaissance.
The ATA's assessment is unambiguous about how it got there: crew were likely involved in deploying the implant.
What makes this case significant beyond the headline is the broader trend it represents. The ATA identifies "hardware-enabled attacks and insider threats" as one of the two defining OT themes of 2025 — alongside OT supply chain exposure. The Raspberry Pi case is not an isolated curiosity. It is evidence that threat actors have developed reliable methods for achieving persistent access that entirely bypass network-level controls. A $20 device from a consumer electronics retailer, placed by someone with physical access to the vessel, can render your firewall irrelevant.
The ATA frames this in terms that maritime security practitioners should take seriously: "Physical access to network infrastructure remains one of the most effective ways to bypass cybersecurity controls."
This is different from what we covered in Issue #4. There, the focus was on the incident itself and the immediate operational lesson. Here, the context is the ATA's framing of a structural shift: maritime is entering what the report calls "The Era of Agents" — where threat actors increasingly use automated workflows, AI-generated discovery commands, and hardware persistence to run campaigns that are faster, more complex, and harder to attribute. The Raspberry Pi case is one node in that picture.
Why this matters: Your vessel's cyber risk assessment almost certainly addresses software vulnerabilities and network access. It may not address physical access to the network stack — switch rooms, server spaces, network cabinets, and the people who have keys to them.
One thing to do: Verify that physical access to network infrastructure aboard your vessels is logged, controlled, and included in your next vessel inspection checklist.
Finding 2: Fancy Bear is mapping maritime infrastructure with IP cameras
Russia-linked threat actor APT28 — Fancy Bear — conducted large-scale exploitation of internet-connected IP cameras in 2025, targeting maritime infrastructure specifically: ports, border crossings, rail hubs, logistics nodes.
The method was systematic: automated tooling, default or weak credentials, and proxy infrastructure to obscure attribution. The goal was not espionage in the conventional sense of stealing documents. It was physical surveillance — establishing persistent visual access to the operational environment around maritime infrastructure.
The ATA frames this as a convergence of cyber access and physical intelligence. Peripheral digital systems — cameras, building management, access control — are being exploited not as a stepping stone to deeper network penetration but as intelligence collection endpoints in their own right.
This matters in a specific operational context. Russia's threat posture in the ATA is characterised as war-driven intelligence collection focused on NATO logistics, sanctions enforcement, and Arctic operations — with GRU pre-positioning in maritime OT assessed as preparation for future sabotage. Persistent visual access to port infrastructure is one component of that picture.
Why this matters: Cameras, building management systems, and access control panels connected to your network are not peripheral. They are surveillance assets for a threat actor with the patience to wait and watch. The convergence of cyber and physical intelligence means the attack surface extends to everything with an IP address.
One thing to do: Inventory every internet-connected device that sits outside your traditional IT perimeter — cameras, HVAC, access control — and confirm each has changed credentials and current firmware.
Finding 3: Iran targeted 700 organisations — 8 were Maritime Shipping
In September 2025, a leak on GitHub exposed the operational data of Charming Kitten, an Iranian state-linked threat actor. The leak revealed a systematic targeting campaign: approximately 700 organisations targeted, at least 30 confirmed compromises.
The breakdown by sector: 14 Energy (Oil & Gas), 8 Logistics and Supply Chain, 8 Maritime Shipping.
The entry points were Microsoft Exchange servers and VPN appliances. The targets within maritime organisations were not random. The ATA notes that Charming Kitten specifically mapped chartering departments, fleet management, crewing, technical operations, and port activities. This is intelligence collection oriented around understanding cargo movements, vessel schedules, and operational dependencies — exactly the kind of information that has value for sanctions evasion, military planning, and supply chain disruption.
The ATA's broader assessment of cyber espionage places it at HIGH threat level — the highest category. The Iran-linked campaign is one of three active state-level espionage programmes documented in the report; Russia and China are the others.
Why this matters: Eight maritime shipping companies in a dataset of 700 targets sounds like a small number. It is not. It means maritime is a deliberate and recurring category in Iranian state intelligence operations — not a coincidental hit. Chartering departments and fleet management systems hold strategic intelligence that threat actors are actively collecting.
One thing to do: If your organisation uses Microsoft Exchange on-premises or legacy VPN appliances, treat them as priority patching targets. These are documented entry points for state-level actors.
Finding 4: The Baltic GNSS picture — and Port of Gdańsk is named
The ATA's assessment of GNSS interference in the Baltic has moved from a chronic background problem to a formally documented hybrid warfare campaign.
The numbers from Sweden are the clearest signal: the Swedish Transport Agency recorded 55 GNSS disruption incidents in 2023. In 2025: 733. A thirteenfold increase in two years.
The interference belt now runs from the Gulf of Finland through to the Gulf of Gdańsk, with Kaliningrad as the central source. The ATA documents a technical evolution: attacks have shifted from single-constellation jamming to hybrid patterns that simultaneously jam multiple systems — GPS L1 alongside GLONASS, Galileo, and BeiDou. This multi-constellation targeting makes backup switching — the standard response to single-system jamming — ineffective.
The ATA explicitly names the Port of Gdańsk as an affected area.
The operational consequences are documented in real groundings. The MSC ANTONIA grounded off Jeddah on 10 May 2025 — likely GPS/AIS spoofing. The MEGHNA PRINCESS grounded near Ust-Luga in the Gulf of Finland on 29 December 2024, with GPS jamming confirmed by GPSJam data.
Why this matters: GNSS interference in the Baltic is no longer a tactical nuisance. It is a documented component of Russia's hybrid warfare posture. The progression from 55 to 733 incidents is not noise — it is a trend with a clear trajectory. For vessels operating in the eastern Baltic, this is a year-round operational risk, not a weather event.
One thing to do: Confirm that your navigators have current, documented procedures for GNSS-degraded operations — specifically for multi-constellation failure where switching to backup systems does not resolve the problem.
What's missing — our take
The NORMA Cyber ATA 2026 is the best structured maritime cyber intelligence document currently in public circulation. We say that without qualification. But two things are worth naming.
The South Baltic intelligence gap. The ATA draws heavily on Norwegian and Scandinavian incident data — which is where NORMA Cyber's member base is strongest. The South Baltic, Baltic states, and Polish maritime corridor are underrepresented relative to their strategic exposure. Port of Gdańsk is named in the GNSS section, which is notable. The operational picture from Baltic maritime is not proportionally reflected in the threat data. This is not a criticism of NORMA Cyber. It is a gap that creates risk for operators whose primary exposure is in waters the report covers less thoroughly.
Next observation: the ATA continues to use the IT/OT binary as its primary framing for shipboard systems. Maritime Technology — the integrated, increasingly autonomous layer that spans navigation, propulsion, communications, and cargo management — does not fit cleanly into either category. The threat surface for a modern vessel is not IT plus OT. It is MT: Maritime Technology as a distinct category with its own risk profile, supply chain, and regulatory gaps. The ATA is consistent with current industry language on this. The language is starting to fall behind the threat.
Read the full report
The NORMA Cyber Annual Threat Assessment 2026 is publicly available. At 42 pages it is the most data-dense maritime cyber document of the year. Download it at normacyber.no — and read the OT and espionage sections in full.
If you work in port security, fleet management, or maritime IT/MT/OT: this is required reading for 2026.
