
Maritime industry hit by more AI-assisted cyberattacks, ‘unprecedented’ attack speed

Containers are lifted off a ship by cranes in the evening hours at the Port of Savannah, Ga., on July 29, 2021. (CBP photo by Jerry Glaser)

By Bridget Johnson

The maritime industry is weathering a surge in AI-assisted cyberattacks and an “unprecedented” speed at which an adversary moves through a targeted network, according to a global maritime cyber threat report recently released by Marlink’s Security Operations Center.

“The average breakout time — the period it takes for an adversary to move laterally within a network — has been significantly reduced, now taking less than an hour in most incidents, with some cases occurring in under a minute,” the report states. The cybercriminal ecosystem also has become more organized as they “increasingly turned to access broker services to gain entry into corporate environments.”

Over the second half of 2024, the SOC monitored 1,998 vessels and processed 30 billion security events, 700,000 alerts and 53 major incidents.

“A significant increase in email-based threat activity was observed,” the report notes. “The most prevalent categories were spam (37%) and phishing (26%), indicating a continued reliance by threat actors on volume-based and socially engineered attacks.”

Most of the maritime threats observed came from hackers using legitimate credentials, such as stolen, reused or default passwords, and from an unintentionally expanded attack surface that resulted from greater reliance on tools, such as VPNs and remote desktops, to better connect shipping teams.

Vessels also came under threat from poor connectivity while out at sea, meaning that they had limited ability to regularly update systems such as firewalls and software — and hackers found the cracks. “In many cases, the onboard antivirus or firewall detects strange behavior, like someone running suspicious scripts or trying to communicate secretly with a server on the internet,” the report said.

While not as common, some vessels also have been hit by denial-of-service attacks that slow down or overload systems; systems can also be secretly used for things such as cryptocurrency mining. “These don’t usually target navigation or safety directly, but they can cause slowdowns, impact satellite bandwidth, or leave the vessel vulnerable to deeper threats,” the report added.

Overall, Marlink observed “a clear progressive escalation in the severity and complexity of the attacks as the year came to a close.”

The main motivation of cyberattacks against the maritime industry in the latter half of 2024 was financial gain, followed by corporate espionage, hacktivism and intellectual property theft, Marlink said.

The report singled out AI-powered cyberattacks, increased targeting of IoT and OT systems (which “could have severe real-world consequences, including operational shutdowns and safety risks”), expansion of ransomware-as-a-service, exploitation of 5G vulnerabilities, deepfakes and disinformation campaigns, and a focus on supply chain attacks as the top maritime threats to watch this year.

“Off-the-shelf large language models (LLMs) have become a critical tool for adversaries, allowing them to accelerate malware development, automate phishing campaigns, and refine social engineering tactics,” the report warned. “This has led to a surge in AI-assisted cyberattacks. Some actors have leveraged genAI to assist in developing malicious scripts and exploits designed to specifically target CVEs.”

In the second half of last year, “an overwhelming number of observed attacks did not rely on malware, marking a shift towards hands-on-keyboard techniques.”

“Cybercriminals have increasingly mimicked legitimate user behavior to evade detection, engaging in interactive intrusions that blend seamlessly with normal network activity,” Marlink reported. “Furthermore, attackers have continued to exploit publicly available vulnerability research, targeting weaknesses in cloud environments and peripheral network devices, including OT systems. Exploiting identity-based vulnerabilities has become a primary attack vector, with adversaries leveraging compromised credentials and trusted relationships to move deeper into systems.”
