Maritime cyberattacks doubled in 2025, report finds

Cyberattacks targeting the global maritime industry surged 103 per cent in 2025, rising from 408 incidents in 2024 to 828 incidents last year, as threat actors moved beyond data breaches and began targeting the core operational systems of vessels, according to the 2026 Maritime Cyber Threat White Paper published in February, by CYTUR Inc.

The report, based on data collected through CYTUR-TI, the company’s maritime-specific threat intelligence platform, concludes that the rapid digitalisation of ships, particularly the integration of satellite communications with onboard Operational Technology (OT), has significantly widened the industry’s attack surface.

Ransomware, Distributed Denial of Service (DDoS) and malware infections accounted for the majority of recorded incidents.

However, more strikingly, attacks are no longer confined to corporate IT networks. Instead, they are increasingly penetrating vessel OT systems, including ballast water management, engine and propulsion controls, Integrated Automation Systems (IAS), ECDIS and AIS.

In practice, this means that cyber incidents now carry direct navigational and safety implications.

According to the white paper, compromised OT systems can manipulate chart data, distort positioning information or interfere with propulsion and stability controls, scenarios that move beyond financial loss and into physical maritime risk.

At the same time, the accelerated adoption of shipboard satellite connectivity has introduced new vulnerabilities. As vessels become more reliant on VSAT links for real-time monitoring, predictive maintenance and fleet management, communication infrastructure itself has become a primary target.

The report details how weaknesses in satellite communication management software can create a “single point of failure”, enabling attackers to disrupt communications across multiple vessels simultaneously.

A 2025 case study cited in the paper describes two waves of coordinated attacks that paralysed communications on more than 100 ships, severing ship-to-shore connectivity and halting operational reporting.

Meanwhile, supply chain exposure is emerging as a parallel risk.

Rather than attacking vessels directly, threat actors are increasingly targeting shipyards, equipment manufacturers and software providers.

By compromising a single vendor or update server, malicious code can be distributed across fleets at scale.

The white paper also emphasises ransomware incidents affecting maritime electronics manufacturers, warning that disrupting an original equipment manufacturer can suspend maintenance updates and safety-critical software patches across global fleets.

Furthermore, CYTUR-TI monitoring identified growing activity on dark web forums, including the sale of vessel access credentials, compromised crew accounts and leaked ship design schematics.

According to the report, this convergence of espionage, extortion and operational sabotage marks a new phase in maritime cyber risk.

Regionally, the threat landscape varies. GPS spoofing and jamming remain persistent in conflict-prone waters, where manipulated GNSS signals can distort navigation systems and deliberately divert vessels from intended routes. In high-volume commercial hubs, by contrast, ransomware and data theft continue to dominate.

Against this backdrop, regulatory pressure is intensifying. CYTUR defines 2026 as the “first year of practical verification”, as cybersecurity compliance under the International Association of Classification Societies’ Unified Requirements UR E26 and UR E27 shifts from design-stage documentation to operational enforcement.

The rules, which entered into force in July 2024, require cybersecurity safeguards to be embedded at the ship design and construction stage. Vessels contracted after that date are now approaching delivery, meaning compliance will be tested during sea trials and classification inspections rather than assessed solely on technical drawings.

In parallel, the International Maritime Organisation (IMO) requires cyber risk management to be incorporated into Safety Management Systems under Resolution MSC.428(98), supported by guidance MSC-FAL.1/Circ.3.

At European level, the revised NIS2 Directive extends cybersecurity obligations to essential transport entities, including shipping companies operating within the bloc.

For Cyprus, the implications are immediate. The island hosts more than 220 shipping-related companies operating from Limassol and manages thousands of vessels, according to the Shipping Deputy Ministry.

Cyprus also maintains one of the largest merchant fleets in the European Union and ranks among the leading global ship-management centres.

As fleets managed from the island become more digitally integrated, relying on satellite communications, remote diagnostics and cloud-based fleet systems, exposure to cyber risk rises in parallel.

Shipping Deputy Minister Marina Hadjimanolis has said that digital transformation remains central to strengthening the competitiveness of Cyprus shipping, noting earlier this year that the sector “enters 2026 in stronger shape” as administrative and technological upgrades continue.

However, as compliance shifts from paperwork to operational verification under IACS rules, cybersecurity resilience becomes a delivery condition rather than a strategic ambition.

“The incident data from 2024 and 2025 proves that maritime cybersecurity is no longer an ‘option’ but a matter directly linked to a vessel’s ‘right to operate’,” said Yong-hyun Cho, CEO of CYTUR.

Yong-hyun Cho concluded that “this white paper will serve as a practical guide to help stakeholders accurately understand the massive wave of regulations and the rapidly increasing types of attacks, enabling them to respond proactively.”