LMM VISION ISSUE 20 | Q1 2025 ARTICLE

Cybersecurity Alert: Maritime Industry Under Targeted Cyber Attacks

Vassiliki Spilioti
Group Cyber Security Manager

In March, the maritime industry became the focus of sophisticated cyber attack groups. Two high-profile incidents have highlighted the growing risk and the urgent need for heightened cybersecurity awareness across our fleet.

Lab Dookhtegan Attack on Iranian Oil Tankers

The Iranian anti-government hacktivist group Lab Dookhtegan executed a large-scale cyber attack, disrupting communication systems on more than 100 oil tankers operated by Iranian government-affiliated companies. This attack disabled ship-to-shore and internal crew communications, revealing critical weaknesses in maritime communication systems.

Tactics Used

● VSAT Exploitation: The attackers leveraged weaknesses in VSAT satellite communication systems.
● Credential Theft: Attackers gained elevated access credentials, enabling them to execute malicious commands and install malware across multiple vessels simultaneously.
● Coordinated Execution: The synchronised nature of the attack suggests careful planning and advanced technical expertise, possibly involving prior reconnaissance and tailored exploits.

SideWinder APT: A Strategic Shift Towards the Maritime Sector

Historically focused on government and military targets in South Asia, the SideWinder group is now targeting maritime organizations, especially shipping companies and port authorities.

Recent Incidents

● A major European shipping company was targeted with phishing emails containing urgent updates on port access restrictions. Malicious attachments allowed attackers to establish persistent access within the company's network.
● A South Asian port authority fell victim to an attack in which a phishing email disguised as updated maritime safety protocols led to a prolonged system compromise, exposing sensitive operational data.

Attack Methods

● Spoofed Emails: Messages mimic maritime authorities, regulatory bodies, or industry partners to trick recipients into opening malicious attachments.
● Malware in Documents: Attachments exploit known Microsoft Office vulnerabilities.
● Lateral Movement: Once inside, attackers extract credentials and move through the ship's network to gain access to critical ship systems.

Exercise Results: Lessons Learned

We recently conducted a phishing exercise across the fleet, modelled on the attack technique used by SideWinder. The simulated phishing email appeared to be from a port authority, informing the vessel of a random Port State Control inspection and requesting completion of a Pre-Inspection Report. The attached document, when opened, prompted users to click "Enable Content," a common attack technique used by cybercriminals.

While several Masters recognised the phishing attempt and reported it, a small number of users still failed to detect the deception. Some users interacted with the attachment and submitted vessel information. In a real attack, this could have resulted in unauthorised access to ship systems.

Strengthening Our Defences

To help protect our fleet from emerging threats and reinforce cybersecurity awareness, key actions include:

● Training Continues: Ongoing phishing awareness sessions will help crew members spot threats early.
● Individual Follow-Up: Those who failed the simulation will be contacted for further guidance.
● Immediate Reporting: Reporting suspicious activity is critical to stopping real threats in time.

Final Thoughts

Cyber attackers are evolving, and shipping companies and port authorities are now in their sights. This shift suggests a growing interest in intelligence gathering on maritime operations. Through awareness, vigilance, and strong security practices, we can defend our fleet and operations from disruption.

Stay alert. Report concerns. Protect the fleet.