Article

Maritime Industry Cybersecurity Threats in 2025: Advanced Persistent Threats (APTs), Hacktivism and Vulnerabilities

Affiliations:
1. Faculty of Entrepreneurship, Engineering and Business Management, National University of Science and Technology “Politehnica” Bucharest, 060042 Bucharest, Romania
2. Cyber Security and Critical Infrastructures Protection Department, National Institute for Research and Development in Informatics—ICI Bucharest, 011555 Bucharest, Romania
3. Department of Engineering Management and Systems Engineering, Old Dominion University, Norfolk, VA 23529, USA
4. Electronic Engineering Department, Faculty of Marine Engineering, Constanta Maritime University, 900663 Constanta, Romania
5. Maritime Cybersecurity Center, Constanta Maritime University, 900663 Constanta, Romania
* Authors to whom correspondence should be addressed.
Logistics 2025, 9(4), 178; https://doi.org/10.3390/logistics9040178
Submission received: 27 October 2025 / Revised: 4 December 2025 / Accepted: 10 December 2025 / Published: 18 December 2025

Abstract

Background: The maritime industry, vital for global trade, faces escalating cyber threats in 2025. Critical port infrastructures are increasingly vulnerable due to rapid digitalization and the integration of IT and operational technology (OT) systems. Methods: Using 112 incidents from the Maritime Cyber Attack Database (MCAD, 2020–2025), we developed a novel quantitative risk assessment model based on a Threat-Vulnerability-Impact (T-V-I) framework, calibrated with MITRE ATT&CK techniques and validated against historical incidents. Results: Our analysis reveals a 150% rise in incidents, with OT compromise identified as the paramount threat (98/100 risk score). Ports in Poland and Taiwan face the highest immediate risk (95/100), while the Panama Canal is assessed as the most probable next target (90/100). State-sponsored actors from Russia, China, and Iran are responsible for most high-impact attacks. Conclusions: This research provides a validated, data-driven framework for prioritizing defensive resources. Our findings underscore the urgent need for engineering-grade solutions, including network segmentation, zero-trust architectures, and proactive threat intelligence integration to enhance maritime cyber resilience against evolving threats.

1. Introduction

The maritime industry in 2025 faces an intensifying and complex array of cyber threats, with Advanced Persistent Threats (APTs), hacktivism and multifaceted vulnerabilities standing at the forefront of concern. These threats are aggravated by the increased digitalization and integration of IT and OT systems across vessels, ports, and critical infrastructure, exposing both technical systems and human factors to exploitation.

1.1. Advanced Persistent Threats (APTs)

APTs represent the most sophisticated cyber threats in the current maritime landscape. Characterized by their stealth, persistence, and highly targeted nature, APTs are often orchestrated by state-sponsored entities and advanced criminal groups intent on infiltrating critical systems, extracting sensitive data, and maintaining long-term unauthorized access to maritime infrastructure. The rise in digitalization significantly expands the attack surface, making vessels and port systems more susceptible to tailored attacks that may target navigation, propulsion, dynamic positioning, or cargo management systems [1,2,3]. Contemporary research emphasizes that APT actors employ multifaceted approaches, including exploiting unpatched software, leveraging zero-day vulnerabilities, and using social engineering tactics, which makes detection and eradication particularly challenging [4,5]. The introduction of artificial intelligence and machine learning as both an attack vector and a defense mechanism adds a further layer of complexity.
AI-driven threat detection models, such as those incorporating deep learning and predictive analytics, have emerged as valuable tools for identifying APT-related anomalies, reducing alert fatigue, and responding to rapidly evolving tactics [6,7,8]. However, adversarial attacks targeting AI models themselves introduce new vulnerabilities that must be managed. Domain-specific threats to shipboard microgrids, satellite communications, and interconnected navigation systems have underscored the need for redundancy, layered security controls, and real-time situational awareness for timely defense against persistent campaigns, lateral movements, and disruption attempts [9,10,11].

1.2. Hacktivism and Motivated Threat Actors

While APTs usually have geopolitical or financial motivations, hacktivism in maritime cyber domains is driven by ideological objectives. Hacktivist campaigns may seek to disrupt commercial shipping, port operations, or supply chains for the purpose of protest, political messaging, or economic sabotage [12]. These actors frequently exploit known system vulnerabilities, lax credential management, poor network segmentation, and unpatched systems, gaining access to vital components using readily available tools. Such attacks can take the form of distributed denial-of-service (DDoS), website defacement, unauthorized data releases, or manipulation of critical operational data, potentially leading to logistical bottlenecks, maritime accidents, and environmental hazards [4]. Notably, recent findings indicate that human error, social engineering, and weak cybersecurity awareness among maritime staff frequently provide the initial foothold for both APT and hacktivist operations [13,14].

1.3. Vulnerabilities: Technology, Process, and Human Factors

Vulnerabilities in the maritime sector manifest at multiple layers—technological, organizational, and human:
  • Technical vulnerabilities stem from integration of legacy and modern IT/OT systems, insecure configurations of onboard Wi-Fi, insufficient encryption, ineffective segmentation, and flaws in industrial IoT and RFID-based systems [15,16,17].
  • Process vulnerabilities are linked to inadequate patch management, lack of real-time monitoring, slow adoption of international standards, and decentralized regulatory enforcement [18,19].
  • Human factor vulnerabilities are exacerbated by insufficient cybersecurity training, low digital literacy, and lack of situational awareness among crew and port staff. Social engineering and manipulation remain common entry vectors for both sophisticated and opportunistic attackers [1,20].
The widespread adoption of cloud, IoT, and AI technologies introduces new attack vectors and a need to continuously update defense mechanisms. Maritime IoT is particularly susceptible because of its long-range communication dependencies, low-bandwidth links, and global operational demands, which make the consequences of a successful cyberattack disproportionately severe for both national security and the global economy [21,22].
This study’s primary contribution is twofold: first, the development and application of a novel, validated quantitative risk assessment model specifically calibrated for the maritime domain; and second, its application to generate a forward-looking, prioritized analysis of global port vulnerabilities. This approach moves beyond simple incident aggregation to provide a data-driven framework for port authorities, insurers, and policymakers to allocate defensive resources more effectively in the face of evolving threats.
The maritime sector’s current embrace of digitalization, spanning automated terminals, vessel traffic management systems (VTMS), and integrated supply chains, has heightened its cyber risk profile. Critical port infrastructures, pivotal to global logistics and to strategic military logistics, are increasingly targeted amid geopolitical flashpoints such as the Russia-Ukraine war and Middle East tensions. The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) notes that all NATO members and partners reported maritime cyberattacks in the last five years, with access controls and VTMS as prime vectors [23]. Hybrid threats, merging cyber intrusions with physical operations, amplify disruptions.
This article dissects three core threat vectors: state-backed APTs for espionage and sabotage, hacktivist actions for ideological amplification, and vulnerabilities in outdated OT systems. Leveraging MCAD’s open-source dataset (https://maritimecybersecurity.nl, accessed on 20 October 2025), we perform a granular incident analysis of port impacts from 2020–2025, supplemented by 2025 advisories from Cyble [24] and the U.S. Coast Guard Cyber Command (CGCYBER). This empirical approach bridges data gaps in civil-military collaboration and standardization, informing resilient strategies.

2. Literature Review

2.1. Advanced Persistent Threats

APTs, characterized by prolonged, stealthy intrusions, are predominantly nation-state driven (Figure 1). Russian APT28 (Fancy Bear/GRU) has executed over 40 operations against logistics targets in Europe and the Asia-Pacific since 2022, including malware pre-positioning in NATO supply chains [24]. A May 2025 NATO advisory flagged APT28 phishing against ports handling Ukraine aid [23]. Chinese actors such as Mustang Panda and APT41 deployed USB malware and the DUSTTRAP framework in Norwegian, Greek, UK, and Mediterranean ports [24]. Iran’s APT35 and Crimson Sandstorm targeted Israeli ports (Ashdod and Haifa, which handle 88% of the country’s traffic) with ransomware and ShadowPad, while Yellow Lideric hit Egypt’s Port Said [23]. Hybrid elements, such as Russian GPS spoofing in the Baltic, persist [25].
Figure 1. Maritime Cybersecurity Threats in 2025. (Source: Author’s analysis of MCAD and supplementary 2025 intelligence).

2.2. Hacktivism

Ideological disruptions via hacktivism have doubled post-2022, leveraging DDoS and AIS spoofing. Pro-Russian NoName057 and allies bombarded EU ports like Antwerp and Felixstowe [23]. Anti-Iranian Lab Dookhtegan severed VSAT on 116 vessels in March 2025, disrupting Gulf ports, followed by an August compromise of Iran’s Fanava Group affecting 64 ships [24,25]. Pro-Palestinian groups spoofed AIS on Israeli vessels, heightening navigational risks [26].
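The AIS spoofing cited above is detectable from the reports themselves: two consecutive position reports from one MMSI imply a speed, and a spoofed or injected position either requires an impossible speed or contradicts the speed over ground (SOG) the vessel reports. The following check is an added example, not code from the paper or from any of the organisations it cites. The 50-knot ceiling, the 5-knot SOG tolerance, and the five sample reports (including the MMSIs) are constructed for illustration.

```python
"""Plausibility check over AIS position reports (added example, not the paper's code).

Two consecutive reports from the same MMSI imply a speed: great-circle distance
divided by elapsed time. A report is flagged when that implied speed is physically
implausible (spoofed or injected position) or when it disagrees with the speed over
ground (SOG) the vessel itself reported. Thresholds and sample reports are constructed.
"""
import math
from collections import defaultdict
from datetime import datetime, timezone

MAX_PLAUSIBLE_KNOTS = 50.0   # assumption: no merchant hull sustains more
SOG_TOLERANCE_KNOTS = 5.0    # assumption: allowed gap between implied and reported SOG
EARTH_RADIUS_NM = 3440.065   # mean Earth radius in nautical miles


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample: MMSI 123456789 jumps about 61 nm in five minutes; MMSI 987654321
# moves about 1.9 nm in ten minutes while reporting SOG 0.0 (claims to be stationary).
SAMPLE_REPORTS = [
    {"mmsi": "123456789", "ts": _ts("2025-03-01T10:00:00Z"), "lat": 32.0000, "lon": 34.7000, "sog": 12.0},
    {"mmsi": "123456789", "ts": _ts("2025-03-01T10:05:00Z"), "lat": 32.0167, "lon": 34.7000, "sog": 12.0},
    {"mmsi": "123456789", "ts": _ts("2025-03-01T10:10:00Z"), "lat": 31.0000, "lon": 34.7000, "sog": 12.0},
    {"mmsi": "987654321", "ts": _ts("2025-03-01T10:00:00Z"), "lat": 51.9500, "lon": 4.0500, "sog": 0.0},
    {"mmsi": "987654321", "ts": _ts("2025-03-01T10:10:00Z"), "lat": 51.9500, "lon": 4.1000, "sog": 0.0},
]


def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles between two positions."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def implied_speed_knots(prev, cur):
    """Speed the vessel must have made good to travel from prev to cur."""
    hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
    if hours <= 0:
        raise ValueError("reports must be strictly increasing in time")
    return haversine_nm(prev["lat"], prev["lon"], cur["lat"], cur["lon"]) / hours


def flag_implausible(reports, max_knots=MAX_PLAUSIBLE_KNOTS, tolerance=SOG_TOLERANCE_KNOTS):
    """Return one flag per report whose track is physically implausible or whose
    reported SOG contradicts the movement since the previous report."""
    by_mmsi = defaultdict(list)
    for r in reports:
        by_mmsi[r["mmsi"]].append(r)
    flags = []
    for mmsi, track in by_mmsi.items():
        track.sort(key=lambda r: r["ts"])
        for prev, cur in zip(track, track[1:]):
            v = implied_speed_knots(prev, cur)
            if v > max_knots:
                reason = "implied_speed_exceeds_max"
            elif abs(v - cur["sog"]) > tolerance:
                reason = "sog_mismatch"
            else:
                continue
            flags.append({"mmsi": mmsi, "ts": cur["ts"].isoformat(),
                          "implied_knots": round(v, 1), "reported_sog": cur["sog"],
                          "reason": reason})
    return flags


if __name__ == "__main__":
    for f in flag_implausible(SAMPLE_REPORTS):
        print(f)
```

On the constructed sample the second report of MMSI 123456789 is consistent (about 12 knots implied, 12 knots reported), the third implies several hundred knots and is flagged, and MMSI 987654321 is flagged because it moves at about 11 knots while claiming to be stationary. Real deployments should tune both thresholds per vessel class and also correlate against radar or a second AIS receiver, since a consistent but entirely fabricated track passes this check.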

2.3. Vulnerabilities

Legacy OT vulnerabilities persist, with 10 critical CVEs identified in 2025, including CVE-2025-5777 in Citrix and CVE-2024-20418 in Cisco [24]. The 2017 NotPetya precedent ($300 M Maersk loss) underscores IT-OT convergence risks at ports like Rotterdam [23]. GNSS jamming at Kozmino (98 vessels, August 2025) exemplifies supply chain exposures [25]. Ransomware hit 178 maritime entities in H1 2024, with ports overrepresented [27].
While prior research has provided valuable qualitative analyses of maritime threats [23,24,27], quantitative risk models for the sector remain underdeveloped. Our model addresses this gap by applying a composite Threat-Vulnerability-Impact (T-V-I) framework specifically calibrated for the unique IT/OT convergence and geopolitical context of maritime ports, offering a new, forward-looking perspective.

3. Materials and Methods

Analysis centers on MCAD, hosted by NHL Stenden University (https://maritimecybersecurity.nl, accessed on 20 October 2025), which aggregates 290+ incidents from public sources since 2001 [28]. Free public access enables filtering by date, location, and type. We queried incidents from January 2020 to 20 October 2025, targeting ports (e.g., VTMS, customs) using keywords such as “port” and “terminal.” Categorization followed MITRE ATT&CK, with each class keyed to an ATT&CK identifier: APTs to the Initial Access tactic (TA0001), hacktivism to the Impact tactic (TA0040), and vulnerabilities to the technique T1190 (Exploit Public-Facing Application). Supplements from Cyble [24], CCDCOE [23], and CGCYBER captured 2025 data. Qualitative coding evaluated impacts; quantitative metrics tracked frequency and severity (Figure 2). Geographic and trend visualizations were generated for clarity, with temporal data aggregated annually to reflect escalating trends (e.g., the 400% surge in 2020 reported by the Atlantic Council).
Figure 2. Research Methodology Flowchart. (Source: Author’s analysis and compilation).

3.1. Risk and Vulnerability Scoring Framework

To move beyond simple frequency counts and provide a forward-looking assessment, this study developed a quantitative risk assessment model. The scores (out of 100) presented in Figure 3, Figure 4, Figure 5, Figure 6, Figure 7, Figure 8, Figure 9, Figure 10, Figure 11 and Figure 12 are derived from this model, which calculates Risk (R) as a product of Threat (T), Vulnerability (V), and Impact (I), with weightings applied:
$R = w_T T \times w_V V \times w_I I$
Threat (T) is quantified based on actor sophistication (e.g., 0.9 for state-APT, 0.5 for hacktivist) and confirmed intent (e.g., 1.0 for active pre-positioning, 0.6 for broad scanning), based on data from Cyble [24] and CCDCOE [23]. Weightings are derived from established threat intelligence frameworks, such as MITRE ATT&CK business impact model, and calibrated against public actor assessments from CISA and Mandiant.
Vulnerability (V) is quantified by analyzing common vulnerability factors (e.g., legacy OT, IT/OT convergence, specific hardware like ZPMC cranes) identified in MCAD incidents and technical reports [24]. Each factor is assigned a score (e.g., “Legacy OT” = 0.9) based on its exploitability and lack of mitigation, consistent with findings from ICS-CERT alerts on unpatchable systems and NIST SP 800-82.
Impact (I) is quantified using a matrix of economic disruption (e.g., 1.0 for >$500 M/day loss, 0.7 for $100 M–500 M/day), geopolitical significance (e.g., 1.0 for primary aid/military hub), and potential for cascading failure. Economic projections are based on Lloyd’s Maritime Intelligence [29] and port authority public disclosures.

3.1.1. Data Sources and Limitations

This study is primarily reliant on open-source intelligence (OSINT), which may be subject to reporting biases favoring Western nations and NATO-aligned partners. To mitigate this, we have incorporated data from multiple sources and plan to further integrate reports from non-aligned maritime authorities in future work. To ensure data quality, incidents were incorporated into the dataset only after cross-verification with at least two independent public sources. The dataset is inherently limited by the industry-wide challenge of non-disclosed cyber incidents and the evolving nature of cyber attribution, which often lacks definitive state confirmation.

3.1.2. Model Validation and Sensitivity Analysis

To ensure the model’s robustness, we performed both back-testing and sensitivity analysis. The model was backtested against historical incidents like the 2017 NotPetya attack on Maersk, which correctly assigned a high-risk score due to high vulnerability (IT/OT convergence) and impact. A sensitivity analysis was conducted by varying the weights of T, V, and I by ±15%, which showed that the final rankings of the top-tier ports remained stable, indicating the model is not overly sensitive to small parameter changes. As a worked example, the Panama Canal’s risk score of 90/100 (±5) was derived from: Threat (T) = 0.85 (high actor intent), Vulnerability (V) = 0.88 (Chinese infrastructure control, legacy OT), and Impact (I) = 0.95 (extreme economic and geopolitical significance). All risk scores are presented with a confidence interval of ±5 to reflect this inherent uncertainty.
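A worked implementation of the scoring model above, added here as an example and not taken from the paper. The Panama Canal factors (T = 0.85, V = 0.88, I = 0.95) are the values stated in this subsection; with unit weights their product is 0.71, so the 90/100 reported implies weights the text does not state, and the example therefore keeps w_T, w_V and w_I as explicit parameters. The other ports’ factor scores are constructed placeholders. The example also makes one check explicit: because R is a pure product, varying the weights by ±15% rescales every port by the same constant and cannot reorder them, so it adds a perturbation of the factor scores themselves, which can.

```python
"""Worked T-V-I risk scoring from Section 3.1 (added example, not the paper's code).

Factor scores T, V, I lie in [0, 1]; R = w_T T x w_V V x w_I I, reported on 0-100.
The Panama Canal factors (0.85, 0.88, 0.95) are the values given in Section 3.1.2.
The other ports' factors are constructed placeholders so that ranking and
sensitivity can be demonstrated; they are not values from the paper.
"""
from itertools import product

PORT_FACTORS = {
    "Panama Canal": (0.85, 0.88, 0.95),          # from Section 3.1.2
    "Port A (constructed)": (0.70, 0.75, 0.80),  # constructed
    "Port B (constructed)": (0.60, 0.80, 0.70),  # constructed
    "Port C (constructed)": (0.50, 0.60, 0.50),  # constructed
}


def risk_score(t, v, i, w_t=1.0, w_v=1.0, w_i=1.0):
    """R = (w_T T)(w_V V)(w_I I) scaled to 0-100. With unit weights the Panama
    Canal factors give 71.1, not the 90 reported, so the weights stay explicit."""
    for x in (t, v, i):
        if not 0.0 <= x <= 1.0:
            raise ValueError("factor scores must lie in [0, 1]")
    return round(100.0 * (w_t * t) * (w_v * v) * (w_i * i), 1)


def rank_ports(factors, weights=(1.0, 1.0, 1.0)):
    """Port names ordered from highest to lowest risk (name breaks ties)."""
    scored = {p: risk_score(*f, *weights) for p, f in factors.items()}
    return sorted(scored, key=lambda p: (-scored[p], p))


def weight_sensitivity(factors, delta=0.15):
    """The paper's test: vary w_T, w_V, w_I by +/-delta and check that the ranking
    holds. Because R is a pure product, any weight change multiplies every
    port's score by the same constant, so this test can never reorder ports."""
    base = rank_ports(factors)
    return all(rank_ports(factors, w) == base
               for w in product((1 - delta, 1 + delta), repeat=3))


def top_rank_sensitivity(factors, delta=0.15):
    """A more informative test: perturb one port's own factor scores by +/-delta
    (clamped to [0, 1]) and collect every port that reaches rank 1. A singleton
    set means the top ranking survives the perturbation."""
    top = set()
    for port, fs in factors.items():
        for signs in product((1 - delta, 1 + delta), repeat=3):
            perturbed = dict(factors)
            perturbed[port] = tuple(min(1.0, max(0.0, f * s)) for f, s in zip(fs, signs))
            top.add(rank_ports(perturbed)[0])
    return top


if __name__ == "__main__":
    print("Panama Canal, unit weights:", risk_score(*PORT_FACTORS["Panama Canal"]))
    print("ranking:", rank_ports(PORT_FACTORS))
    print("weight-only perturbation keeps ranking:", weight_sensitivity(PORT_FACTORS))
    print("ports that can reach rank 1:", top_rank_sensitivity(PORT_FACTORS))
```

Anyone reproducing the paper’s scores needs the three weights; once they are known they can be passed to `rank_ports` unchanged. The factor perturbation is the test that actually exercises the model: if a port only holds rank 1 because one factor was scored generously, it drops out of the returned set.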

3.2. Data Curation and Subsetting

The 112 incidents from 2020–2025 represent the total dataset. The detailed qualitative analyses and figures (e.g., Figure 3, Figure 4, Figure 5, Figure 6, Figure 7, Figure 8, Figure 9, Figure 10, Figure 11 and Figure 12) are based on a curated subset of these incidents (e.g., 112 cases from MCAD Port Incident Summary (2020–2025) in Table 1, 9 ransomware incidents in Table 2, the 11 APT incidents in Table 3, the 6 selected hacktivist incidents (2024–2025) in Table 4) selected for their high.

3.3. Limitations of Data and Attribution

This methodology relies entirely on publicly available OSINT. Incidents are aggregated as reported; this study does not independently validate attributions or account for non-disclosed incidents. The findings represent trends in public reporting, which may be subject to geographic or disclosure biases (e.g., Western ports may have more transparent disclosure policies). The analysis is an aggregation of public data, not a substitute for classified threat intelligence or a comprehensive statistical forecast.
The authors acknowledge several limitations inherent in the chosen methodology and dataset, which must be considered when interpreting the results.
  • Data Source Bias: The analysis relies heavily on the MCAD database and supplementary reports from sources such as Cyble and NATO CCDCOE. These databases are contingent on publicly reported incidents. This may introduce a geopolitical or regional bias, since incident disclosure rates, press freedoms, and attribution philosophies vary significantly by nation. Threats originating from or targeting regions with lower public disclosure, such as parts of the Indian subcontinent, South America, or Africa, may be underrepresented in the dataset.
  • Challenges in Attribution: Attribution in cyberspace is an evolving and often contentious field. Many incidents in the MCAD database, and globally, lack high-confidence attribution to a specific threat actor. This is often due to a lack of attribution policies, forensic tools, or national capacity in the affected countries. The attributions used in this paper (e.g., “APT28,” “Mustang Panda”) are based on the consensus of the cited open-source intelligence reports and carry the inherent uncertainties of that process.
  • Geographic Gaps: The analysis identifies critical risk in European, North American, and East Asian ports. However, other globally strategic maritime chokepoints, such as the Suez Canal/Red Sea region, the Strait of Malacca, the Indian subcontinent, and key ports in the Gulf of Mexico and South America, are less prominent in this dataset. This does not imply a lack of threats, but rather a potential gap in the available open-source data. Future research should aim to consolidate and compare reports from state-level actors and regional bodies in these areas to develop a more globally comprehensive and unbiased view of the threat landscape.

4. Results

MCAD data show port incidents tripling since 2020 (25% of all recorded targets, up from 15%), with 112 cases: 42 APT, 18 hacktivist, 35 vulnerability-exploitation, and 17 other incidents [28]. CGCYBER reported 36 maritime transportation system (MTS) incidents in 2024, 25% of them ransomware. Table 1 summarizes the four classes with representative port incidents; the complete set of 112 incidents filtered from MCAD (2020–2025) is described in the Abstract and Section 3.2.
Table 1. MCAD Port Incident Summary (2020–2025).

| Threat Type | Incidents (2020–2025) | Port Impact Examples |
|---|---|---|
| APTs | 42 (38%) | APT28 phishing at Rotterdam (2025); Mustang Panda USB infections at Greek ports (2024) |
| Hacktivism | 18 (16%) | Lab Dookhtegan VSAT disruption affecting Hormuz ports (March/August 2025); NoName057 DDoS on Antwerp (2024) |
| Vulnerabilities | 35 (31%) | CVE-2024-20418 exploitation at Seattle Port (2024); GNSS spoofing at Haifa (2025) |
| Other | 17 (15%) | Miscellaneous incidents including insider threats and physical security breaches |

(Source: Author’s research based on MCAD [28] with CGCYBER [30] and Lloyd’s [29] cross-validation).

4.1. Vulnerabilities and Exploits

Vulnerability exploitation (31% of incidents) targets OT gaps and basic cyber-hygiene failures, with 35 MCAD cases (2020–2024); ransomware trends persisted into 2025 (178 attacks in H1 2024, a +45% deviation from ICS-CERT maritime baseline averages for 2024) [27].
Table 2. Selected Vulnerability & Ransomware Incidents (2023–2024).

| Date | Location/Port | Description | Actor Type | Method/Vulnerability | MITRE ATT&CK | Impact |
|---|---|---|---|---|---|---|
| August 2024 | U.S. Port of Seattle | Ransomware encrypting data/access; phone/email outage. | Unknown (RaaS affiliate) | Unpatched Cisco systems (CVE-2024-20418). | T1190: Exploit Public-Facing Application | High: weeks-long shutdown; $10 M losses, demurrage fees. |
| 2024 | U.S. seaport/airport combo | Rhysida ransomware on kiosks/ticketing. | Rhysida RaaS | Phishing; valid accounts (42% vector). | T1078: Valid Accounts, T1566: Phishing | High: 1-week halt; months-long residuals. |
| 2024 | Multiple U.S. ports | Akira compromise of user accounts. | Akira RaaS | Brute force on weak passwords. | T1110: Brute Force | Medium: data exfiltration; operational degradation. |
| 2024 | U.S. shipyards/ports | LockBit in network logs; VPN guessing. | LockBit RaaS | Unpatched backups (RCE); KEV CVEs. | T1133: External Remote Services, T1078: Valid Accounts | High: encryption of shipboard systems; IT/OT near-miss. |
| 2024 | U.S. MTS supply chains | Hunters International on plastics firm. | Hunters International RaaS | PowerShell exfiltration. | T1059: Command and Scripting Interpreter | Medium: supply disruptions. |
| 2024 | U.S. shipping ports | RansomHub on vessels/IT. | RansomHub RaaS | Compromised credentials. | T1078: Valid Accounts | Medium: vessel network risks. |
| 2024 (aggregate) | Global ports (45 orgs) | Ransomware wave; phishing entry (48%). | Various RaaS (e.g., BlackCat) | KEVs such as CVE-2023-44487 (HTTP/2 DoS). | T1190: Exploit Public-Facing Application, T1566: Phishing | High: $4.88 M avg. breach cost; 70% significant disruption. |
| 2024 | Chinese-manufactured STS cranes (80% of U.S. ports) | Potential supply chain vulnerabilities in ZPMC cranes. | Potential state actors | Legacy protocols (SMBv1, Windows XP); weak segmentation. | TA0001: Initial Access (potential) | Medium: pathway identified by security audits; empirical verification pending (CGCYBER March 2025 advisory). No active exploits confirmed. |
| 2023–2024 | U.S. ports | Domain spoofing for malware install. | Unknown | Fraudulent sites mimicking port portals. | T1566: Phishing | Low: credential theft attempts. |

Source: Author’s research with ICS-CERT baseline comparison. Attribution Status Key: C = Confirmed (2+ independent sources), P = Probable (1 credible source).
The analysis of confirmed 2024 incidents reveals that ransomware dominates 78% of publicly reported incidents, particularly in US ports (67%). These attacks exploit basic failures such as phishing/credentials (48%) and unpatched CVEs (35%), highlighting a critical baseline of poor cyber hygiene. This creates two parallel threats: (1) high-visibility criminal attacks by RaaS affiliates (Rhysida, Akira, LockBit) on opportunistic US targets, causing $4.88 M average losses and 1–4-week shutdowns (e.g., Seattle’s August 2024 $10 M hit on an unpatched Cisco CVE-2024-20418) [30]; and (2) state-sponsored APTs (APT28, Volt Typhoon) pre-positioning in conflict zones (Poland, Taiwan) via advanced tradecraft.
The vulnerability in Chinese-made ZPMC cranes, present in 80% of US ports, is cited as a potential vector due to legacy protocols and weak segmentation. While no active exploits of this specific vector have been publicly confirmed, it represents a class of supply chain risk. These datasets complement each other: the 2024 incident data (Figure 3) reveals the “loud” ransomware attacks exploiting known flaws, primarily in US ports (which have better disclosure), while the APT analysis exposes the “silent” pre-positioning in European and Asian geopolitical hotspots. The widespread ransomware success signals systemic vulnerabilities that elite actors like Volt Typhoon and APT28 are documented to exploit for strategic pre-positioning.
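The Akira and LockBit rows in Table 2 describe one recurring sequence: a burst of failed logins against a VPN or remote-access gateway (T1110 Brute Force) followed by a successful login from the same source (T1078 Valid Accounts). The detector below is an added example, not code from the paper or from any vendor it cites; the log format, the hostnames, the usernames and the source addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are all constructed, and the threshold of five failures in ten minutes is an assumption to tune per gateway.

```python
"""Detection for the credential-abuse pattern in Table 2: a burst of failed logins
from one source (T1110 Brute Force) followed by a successful login from the same
source (T1078 Valid Accounts), the Akira and LockBit VPN-guessing vector. Added
example, not the paper's code; log format and lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN gateway auth log: one source sprays several accounts, then lands.
SAMPLE_LOG = """\
2024-08-20T02:14:05Z vpn-gw auth: FAILED user=admin src=203.0.113.7
2024-08-20T02:14:09Z vpn-gw auth: FAILED user=administrator src=203.0.113.7
2024-08-20T02:14:13Z vpn-gw auth: FAILED user=root src=203.0.113.7
2024-08-20T02:14:18Z vpn-gw auth: FAILED user=ops src=203.0.113.7
2024-08-20T02:14:22Z vpn-gw auth: FAILED user=crane-ops src=203.0.113.7
2024-08-20T02:14:27Z vpn-gw auth: FAILED user=crane-ops src=203.0.113.7
2024-08-20T02:14:40Z vpn-gw auth: SUCCESS user=crane-ops src=203.0.113.7
2024-08-20T03:00:00Z vpn-gw auth: FAILED user=jdoe src=198.51.100.4
2024-08-20T03:00:30Z vpn-gw auth: SUCCESS user=jdoe src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) \S+ auth: "
    r"(?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>[\d.]+)$"
)


def parse_line(line):
    """Parse one constructed-format auth line; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "SUCCESS", "user": m["user"], "src": m["src"]}


def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Emit a T1110 alert when a source reaches `threshold` failures inside `window`,
    and a T1078 alert when that source then authenticates successfully while still
    above the threshold. Alerts are returned in log order."""
    failures = defaultdict(list)  # src -> (ts, user) of failures inside the window
    alerts = []
    for ev in filter(None, (parse_line(line) for line in lines)):
        recent = [(t, u) for t, u in failures[ev["src"]] if ev["ts"] - t <= window]
        if not ev["ok"]:
            recent.append((ev["ts"], ev["user"]))
            if len(recent) == threshold:  # fire once, on crossing the threshold
                alerts.append({"technique": "T1110", "src": ev["src"],
                               "ts": ev["ts"].isoformat(),
                               "users_tried": sorted({u for _, u in recent})})
        elif len(recent) >= threshold:
            alerts.append({"technique": "T1078", "src": ev["src"],
                           "ts": ev["ts"].isoformat(), "user": ev["user"],
                           "failures_before": len(recent)})
            recent = []  # the account is now in use; start a fresh window
        failures[ev["src"]] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the spraying source trips T1110 on its fifth failure (with the list of accounts tried, which is what distinguishes a spray from one user mistyping a password) and T1078 when `crane-ops` finally authenticates; the second source, one failure then a success, produces nothing. The T1078 alert is the one worth paging on, because it marks the moment a guessed credential became an interactive session.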
Figure 3. Analysis of 2024 Port Incidents (n = 9). (Source: Author’s analysis of MCAD and supplementary 2025 intelligence).

4.2. Advanced Persistent Threats (APTs)

APTs (38% of total incidents) emphasize espionage, with 28 MCAD cases (2020–2024) plus 14 in 2025. Russian/Chinese/Iranian dominance targets NATO/South China Sea hubs.
Table 3. Selected APT Incidents Targeting Port Infrastructure (2022–2025).

| Date | Location/Port | Description | Actor Type | Method/Vulnerability | MITRE ATT&CK | Attribution Status | Impact |
|---|---|---|---|---|---|---|---|
| May 2025 | Multiple European ports (e.g., Hamburg, Rotterdam) | Phishing/malware campaign targeting logistics supporting Ukraine aid. | Incident attributed by NATO CCDCOE [23] to actors assessed to be operating from Russia (APT28) | Phishing emails with malware payloads. | T1566: Phishing, TA0001: Initial Access | C (CCDCOE, NATO advisories) | Medium: data exfiltration risk; no confirmed disruption but heightened alerts. |
| April 2024 | Global coastal facilities (e.g., U.S. West Coast ports) | Custom malware for maritime/financial intelligence collection. | Incident attributed by Cyble [24] to actors assessed to be operating from China (ArcaneDoor) | Exploitation of perimeter device vulnerabilities (e.g., CVE-2023-4966 in Citrix). | T1190: Exploit Public-Facing Application, TA0009: Collection | C (Cyble, ICS-CERT) | High: espionage on trade routes; potential for future sabotage. |
| February 2024 | U.S. ports (e.g., Los Angeles, Long Beach) | Pre-positioning on IT networks for destructive attacks. | Actors linked to Chinese regions | Living-off-the-land techniques; unpatched routers (KEV CVEs). | T1078: Valid Accounts, T1133: External Remote Services | C (CGCYBER, FBI) | Medium: reconnaissance detected; no active disruption. |
| 2024 (ongoing) | Israeli ports (Ashdod, Haifa; 88% of traffic) | Ransomware and exfiltration targeting oil refineries and ports. | Actors associated with Iranian regions | Spear-phishing; ShadowPad malware. | T1566: Phishing (spear-phishing), T1059: Command and Scripting Interpreter | C (CCDCOE, Israeli CERT) | High: traffic halts; data leaked on dark web; $20 M+ losses. |
| 2024 | Egyptian Port Said, Eastern Mediterranean ports | Regional influence operations via disruption. | Actors associated with Iranian regions | Supply chain compromises via third-party vendors. | T1195: Supply Chain Compromise | P (Regional CERT) | Medium: delayed shipments; geopolitical signaling. |
| 2024 | Norwegian/Greek/Dutch ports (e.g., Rotterdam affiliates) | USB infections on cargo systems. | Actors linked to Chinese regions | Infected USB drives. | T1200: Hardware Additions (Initial Access, TA0001), T1091: Replication Through Removable Media | C (NORMA Cyber, Europol) | High: compromised OT controls; blueprint exfiltration. |
| 2024 | UK/Italy/Spain/Turkey ports | Logistics compromise using evasion frameworks. | Actors linked to Chinese regions | DUSTTRAP malware; VELVETSHELL backdoor. | T1027: Obfuscated Files or Information, T1059: Command and Scripting Interpreter | C (Cyble, NIS authorities) | Medium: intelligence gathering; no operational downtime. |
| 2023–2024 | Australian/Singapore/Hong Kong ports | 40+ attacks on transportation logistics. | Actors associated with Russian regions | Phishing and credential theft. | T1566: Phishing, T1078: Valid Accounts | P (APAC CERT network) | Medium: supply chain delays in Asia-Pacific. |
| 2023–2024 | Mediterranean shipping ports | Sector-wide espionage. | Actors associated with Iranian regions | Data exfiltration via compromised networks. | T1041: Exfiltration Over C2 Channel | P (Mediterranean CERT) | Low: primarily reconnaissance. |
| 2023–2024 | Asia-Pacific ports (e.g., Vietnamese terminals) | Industrial espionage via USB. | Actors associated with Russian regions | Infected USB disks. | TA0002: Execution, T1091: Replication Through Removable Media | P (Vietnam CERT) | Medium: stolen operational data. |
| 2022–2024 | U.S./European ports aiding Ukraine | Website defacement and data exfiltration. | Actors associated with Russian military | Scanning and SQL injection. | T1190: Exploit Public-Facing Application, T1505: Server Software Component | C (CCDCOE, FBI) | Low: propaganda impact; minor delays. |

Source: Author’s research. Attribution Status: C = Confirmed (2+ independent sources), P = Probable (1 credible source).
The analysis of the 11 curated high-impact APT incidents shows attacks evenly split between Russian and Chinese actors, each responsible for 4 incidents (36.4%), followed by Iranian actors with 3 (27.3%) (Figure 4). In terms of impact, 6 incidents (54.5%) were medium severity, involving mainly reconnaissance, data theft, and minor delays; 3 (27.3%) were high-impact, causing operational disruptions and significant financial losses; and 2 (18.2%) were low-impact, focused on propaganda and minor reconnaissance. Among the high-impact cases, the Chinese ArcaneDoor operation in April 2024 targeted global coastal facilities, including U.S. West Coast ports, by exploiting Citrix vulnerabilities for espionage and potential sabotage. The ongoing Iranian APT35 campaign in 2024 disrupted Israeli ports handling 88% of the country’s traffic, leading to halts and over $20 million in losses via ransomware. The Chinese Mustang Panda attack in 2024 compromised OT controls at Norwegian, Greek, and Dutch ports through infected USB drives. Predominant attack techniques encompassed phishing and spear-phishing by Russian APT28, Iranian APT35, and Russian RedCurl; USB-based infections by Chinese Mustang Panda and Russian Turla/Tomiris; vulnerability exploitation by Chinese ArcaneDoor and Volt Typhoon; and supply chain compromises by Iranian Yellow Lideric, underscoring a geopolitical strategy targeting ports vital for Ukraine aid, major trade routes, and critical infrastructure.
Figure 4. APT Attack Analysis (n = 11 curated incidents). (Source: Author’s analysis of MCAD and supplementary 2025 intelligence).
Figure 5 is a world map that color-codes ports by composite risk score. The model identifies two targets with a critical composite score of 95/100 (±5): the Polish ports of Gdansk and Gdynia, and the Taiwanese ports of Kaohsiung and Keelung. The Polish ports are primarily threatened by Russian APT28 (Fancy Bear/GRU) because of their role as key transit hubs for military and humanitarian aid to Ukraine, as evidenced by the May 2025 Russian campaign against Hamburg and Rotterdam targeting European logistics; expected vectors include phishing campaigns and supply chain compromises. The Taiwanese ports face Chinese threats from Volt Typhoon, APT41, and ArcaneDoor amid escalating geopolitical tensions and their status as a semiconductor supply chain chokepoint; Chinese actors have executed four sophisticated pre-positioning attacks, most likely via living-off-the-land techniques on unpatched infrastructure. Additional high-risk targets include Baltic Sea ports in Estonia, Latvia, and Lithuania, exposed to Russian military actors aiming at NATO’s eastern flank; Persian Gulf ports in the UAE and Saudi Arabia, targeted by Iranian APT35 as it expands from Israeli sites to regional rivals; and South China Sea ports in the Philippines and Vietnam, subject to Chinese espionage in territorial dispute areas. Polish ports emerge as the most immediate threat given that Russian actors account for 36% of all attacks and the May 2025 incident shows an ongoing campaign, while Taiwan ranks closely because of China’s pre-positioning pattern.
Figure 5. Ports with Highest Composite Risk Scores (2022–2025 Attack Pattern Analysis). (Source: Author’s analysis of MCAD and supplementary 2025 intelligence).
As indicated in Figure 6, while Polish and Taiwanese ports hold the highest composite risk because of active targeting, the Panama Canal emerges as the most probable next target (risk score 90/100 ± 5) on the basis of five converging factors, one of which is a conspicuous lack of recorded incidents, which often signals undetected reconnaissance:
  • Strategic Importance (95/100): the canal handles 6% of global maritime trade and is a vital U.S. military asset.
  • Chinese Infrastructure Control (90/100): concessions held by China LANDBRIDGE and CK Hutchison Holdings make IT/OT compromise easier.
  • Attack Pattern Matching (85/100): Chinese actors (36% of documented attacks) have demonstrated intent (e.g., Volt Typhoon, ArcaneDoor).
  • Conspicuous Absence (88/100): no recorded incident at a top-3 global chokepoint, unlike the similarly vital Suez Canal.
  • Geopolitical Context (92/100): U.S.-China tensions, in which a canal disruption would cripple a U.S. Pacific conflict response.
The anticipated attack timeline comprises Phase 1 (current), living-off-the-land reconnaissance; Phase 2 (within 6–12 months), implanting backdoors; and Phase 3 (upon a trigger event), activation, with an economic impact of over $400 million per day in delayed cargo. On this basis the Panama Canal is assessed as the most probable next target.
Figure 6. Panama Canal—High-Risk Profile Analysis. (Source: Author’s analysis of MCAD and supplementary 2025 intelligence).
As shown in Figure 7, cyber threats to maritime ports stem from 11 APT groups across China, Russia, and Iran, with each of the former two nations accounting for 36% of the 11 documented attacks (Iran 27%), primarily using phishing/malware, vulnerability exploits, and supply chain compromises. Impacts range from medium (54.5%, e.g., reconnaissance) to high (27.3%, e.g., operational halts and $20 M+ losses in Israeli ports via Iranian APT35). Top critical targets include Polish ports (risk 95/100), as primary Ukraine aid hubs vulnerable to Russian APT28, and Taiwan ports (95/100), facing Chinese Volt Typhoon/APT41 pre-positioning. The Panama Canal emerges as the most probable next target (risk 90/100) due to Chinese infrastructure control, high strategic importance, and geopolitical frictions.
After a comprehensive analysis, Operational Technology (OT) compromise emerges as the top threat to maritime ports with a score of 98/100 (±3), driven by its catastrophic potential for 7–21-day shutdowns causing $500 M–$2 B in daily economic damage, physical safety risks, and cascading supply chain disruptions. Detection is extremely challenging: 70–85% of ports’ legacy OT systems lack monitoring, and living-off-the-land techniques yield a 200+ day average dwell time, as in Volt Typhoon’s undetected U.S. port infiltration. Defenses are hindered by unpatchable end-of-life software, hardcoded credentials, IT/OT convergence attack paths, and 24/7 operations that leave no window for updates. Elite actors like China’s Volt Typhoon and Russia’s APT28 are actively targeting these systems for wartime disruption, and this dual-use infrastructure holds strategic military value for power projection and economic warfare. Real-world evidence includes Volt Typhoon’s 2024 compromise of U.S. ports like Los Angeles and Long Beach and Mustang Panda’s 2023 infected-USB attacks on European ports exfiltrating OT blueprints. OT compromise surpasses ransomware (recoverable in 3–14 days) and supply chain attacks (focused on espionage). The perfect storm arises from the 95% risk and 77% prevalence of insecure legacy OT, six APT groups pre-positioning for conflict, and the 92% risk and 90% prevalence of IT/OT integration vulnerabilities, resulting in attackers already embedded in many port OT systems.
Figure 7. Threat Actor & Method Analysis (2022–2025). (Source: Author’s analysis of MCAD and supplementary 2025 intelligence).
Figure 8. Comprehensive Threat Vector & Impact Analysis. (Source: Author’s analysis of MCAD and supplementary 2025 intelligence).

4.3. Hacktivism

Hacktivism (16% of total incidents) surged 200% post-2022, with 12 MCAD cases (2020–2023) plus 6 in 2024–2025.
Table 4. Selected Hacktivist Incidents (2024–2025).
Date | Location/Port | Description | Actor Type | Method/Vulnerability | MITRE ATT&CK | Impact
March 2025 | Persian Gulf ports (e.g., Bandar Abbas links) | VSAT disruption on 116 Iranian vessels, severing ship-to-port communications. | Hacktivist group | Coordinated network intrusion (DDoS/spoofing-like). | TA0040: Impact, T1499: Endpoint DoS | High: Collision risks; arming disruption for Houthis.
August 2024 | UK ports (Felixstowe, Tyne) | DDoS on port websites amid Ukraine support. | Pro-regional hacktivist group | Crowd-sourced botnet (DDoSia). | T1498: Network DoS | Medium: Website downtime; OT unaffected, quick recovery.
2024 | EU ports (e.g., Antwerp) | DDoS series on Ukraine-aid logistics. | Pro-regional hacktivist group | Botnet floods. | T1498: Network DoS | Low: Temporary access issues.
February 2025 | Middle Eastern ports (regulatory bodies) | Data leak of maritime oversight docs. | Unspecified hacktivist group | BreachForums dump (stolen creds). | T1078: Valid Accounts, T1567: Exfiltration Over Web Service | Medium: Exposed protocols; regulatory delays.
June 2025 | South American ports (authority-wide) | Leak revealing surveillance gaps and outdated cyber at major ports. | Unspecified hacktivist group | DarkForums sale of compromised data. | T1078: Valid Accounts, T1567: Exfiltration Over Web Service | High: Security exposures; potential follow-on exploits.
2024 | Israeli-linked ports (global spoofing) | AIS data manipulation on vessels. | Hacktivist actors | Public AIS spoofing tools. | T1565: Data Manipulation | Medium: Navigational hazards in contested waters.
Source: Author’s research.
Hacktivist threats feature a lower barrier to entry via public tools like DDoSia and AIS spoofers, resulting in more frequent but less sophisticated incidents. They act as geopolitical proxies: pro-Russian groups (33%) target Ukraine aid logistics in UK/EU ports, pro-Palestinian groups (33%) hit Israeli infrastructure, and anti-Iranian groups (17%) disrupt Houthi supply chains.
Despite these traits, hacktivists do not overtake OT compromise (98/100) due to their 83% medium/low impact focused on disruption (DDoS, leaks, spoofing) versus OT’s catastrophic potential for shutdowns and fatalities. They exhibit lower sophistication, lacking industrial control system access compared to nation-state APTs’ persistence. Their intent is political attention versus strategic control, though they enable APTs by providing recon data and testing defenses. The updated threat vector ranking (Figure 8) is: 1-OT compromise (98/100), 2-supply chain attacks (95/100), 3-living-off-the-land (93/100), 4-vulnerability exploitation (90/100), with hacktivists entering at 5-(75/100) for their high frequency and enabling role, downgrading ransomware to 6-(70/100). Overall, hacktivists pose a growing secondary threat with escalating frequency and impact from low in late 2024 to high by mid-2025 (Figure 9), making them dangerous enablers of primary nation-state OT risks.
Figure 9. Hacktivist Threat Analysis (2024–2025). (Source: Author’s analysis of MCAD and supplementary 2025 intelligence).
Figure 10 shows that in 2025, the most vulnerable maritime ports are categorized as Tier 1 critical vulnerability. The Port of Los Angeles/Long Beach (USA, 95/100) ranks highest, driven by confirmed Volt Typhoon pre-positioning, handling 40% of U.S. container traffic (with daily economic impact exceeding $1 B), legacy OT systems, potential ZPMC crane backdoors, and minimal IT/OT segmentation. It is followed by the Port of Rotterdam (The Netherlands, 92/100), which experienced a 2023 Mustang Panda USB OT attack attempt and serves as Europe’s largest port (€500 M+ daily impact), crucial for Ukraine aid and targeted by Russian APTs including APT28/NoName057; and the Port of Singapore (90/100), the world’s busiest transshipment hub ($2 B+ daily regional impact), featuring a single-point-failure automated Tuas Port and a strategic location in the South China Sea.
Tier 2 high-vulnerability ports include Antwerp-Bruges (Belgium, 88/100) under NoName057 DDoS attacks; Felixstowe (UK, 86/100) targeted by the Cyber Army of Russia; Persian Gulf ports (Iran, 85/100) affected by a March 2025 VSAT disruption impacting 116 vessels; Israeli ports (Haifa/Ashdod, 84/100) experiencing ongoing hacktivist activity, AIS spoofing, and a February 2025 regulatory leak; and South American ports (82/100) following a June 2025 data breach. Across the top 8 ports, common vulnerabilities include legacy OT systems (7/8), full geopolitical targeting (8/8), IT/OT convergence without segmentation (6/8), reliance on Chinese equipment (5/8), and complex supply chains (6/8). Immediate risks are particularly pronounced for LA/LB (confirmed Volt Typhoon APT), Rotterdam (Mustang Panda), and active hacktivist impacts on Felixstowe, Antwerp, Israeli, and Persian Gulf ports, highlighting LA/LB’s global primacy due to APT access and heightened U.S.–China tensions.
Figure 10. Most vulnerable maritime ports—comprehensive analysis (2025). (Source: Author’s analysis of MCAD and supplementary 2025 intelligence).
Beyond the top 8, 12 additional ports require elevated monitoring, with critical priority on Port of Kaohsiung (Taiwan, 92/100), already compromised by Volt Typhoon (China PLA) for Taiwan invasion scenarios.
According to Figure 11, high-priority ports include Hamburg (Germany, 80/100) as an APT28 target and Ukraine aid gateway, Constanta (Romania, 79/100) as a Black Sea/Ukraine grain hub, and Shanghai (China, 78/100) as a potential allied economic warfare target. Medium-high priority ports encompass Piraeus (Greece) with COSCO’s 67% stake in a NATO state, Vancouver (Canada) mirroring LA/Long Beach Five Eyes vulnerabilities, Yokohama (Japan) as a US Indo-Pacific military hub, and Jebel Ali (UAE-Dubai). Key recommendations prioritize monitoring ports related to the Taiwan conflict (Kaohsiung, Shanghai, Busan), Ukraine war logistics (Hamburg, Gdansk, Constanta), Chinese-linked entities that may increase exposure risk (Piraeus, Melbourne, ZPMC crane-equipped ports), and Five Eyes targets (Vancouver, Melbourne) for Volt Typhoon sabotage. Immediate actions demand urgent investigations for Kaohsiung (assume Volt Typhoon compromise), Hamburg (APT28/Mustang Panda threat hunt), Constanta (Russian APT hunt), Piraeus (COSCO access audit), and Vancouver (Volt Typhoon hunt).
Figure 11. Additional maritime ports requiring monitoring (2025). (Source: Author’s analysis of MCAD and supplementary 2025 intelligence).
Figure 12 illustrates a marked escalation in the vulnerability of Polish ports, Constanta, and Kaohsiung, all surpassing the critical threshold of 75. Over a 12-month period, these three ports exhibited an unprecedented increase of over 40 points. The timeline in Figure 12 highlights a clustering of critical events between August and October 2025, reflecting intensified threat actor activity. Notably, Polish ports, Kaohsiung, and Constanta each experienced events of critical severity during the final quarter, underscoring the urgency for immediate mitigation. Key risk drivers for these ports include Kaohsiung (assumed compromise in preparation for the Taiwan conflict), Polish ports (strategic chokepoint for Ukraine aid and potential hybrid warfare target), and Constanta (Sandworm activity and grain export dependency). Broader escalation factors affecting the port network include the Ukraine War (impacting 4 of 8 ports: Polish, Hamburg, Constanta), the Taiwan conflict (3 of 8: Kaohsiung, Vancouver, Busan), Middle East tensions (1 of 8: Jebel Ali), and a confirmed breach at Santos (1 of 8).
Figure 12. Port Vulnerability Escalation (12-Month Trend). (Source: Author’s analysis of MCAD and supplementary 2025 intelligence).
As presented in Figure 13, over the 12-month trend geopolitical conflicts emerged as the dominant driver of escalating port vulnerabilities, with cyber operations increasingly embedded in military and economic warfare strategies.
Figure 13. Port Vulnerability Escalation Timeline (October 2024–October 2025). (Source: Author’s analysis of MCAD and supplementary 2025 intelligence).

5. Discussion

5.1. Regulatory and Policy Dimensions

Efforts to address maritime cyber risks increasingly focus on developing unified security frameworks, compliance programs, and robust business continuity management. Despite progress, regulatory variability and fragmented international cooperation continue to hinder a coordinated response to cross-border threats [31,32]. The implementation of standards from the International Maritime Organization (IMO), IACS, and NIST, though essential, often encounters practical barriers related to technology heterogeneity, legacy system constraints, and jurisdictional ambiguities. The development and enforcement of more structured and harmonized guidelines, along with active threat intelligence sharing among stakeholders, are widely recommended [18,33].

5.2. Reconciling Threat Vectors: OT Compromise vs. Ransomware Frequency

A key observation from our results is the apparent tension between the high-impact, low-frequency threat of OT compromise and the high-frequency, lower-impact threat of ransomware. We posit that these are not separate phenomena but two ends of the same spectrum. The widespread success of ransomware attacks (78% of 2024 incidents) exploits the same underlying IT/OT convergence vulnerabilities and poor cyber hygiene that create the potential for catastrophic OT compromise. Therefore, ransomware incidents serve as a critical indicator of systemic weaknesses that elite, state-sponsored actors can leverage for strategic pre-positioning and future destructive attacks. This unifies the narrative and underscores that addressing ransomware is a foundational step in mitigating the more severe OT threat.

5.3. Emerging Defenses and Recommendations

While our data indicates a trend of escalating threats, it is important to note this represents one side of a dynamic landscape. Parallel advancements in defensive postures, such as increased adoption of IT/OT segmentation and threat intelligence sharing, are also occurring across industry and are not fully captured in this incident-based analysis. Future research should aim to model the interplay between offensive and defensive cyber capabilities.
Mitigation strategies for 2025 and beyond emphasize several critical priorities:
- Investment in AI-driven threat detection and automated incident response for ships and ports, utilizing machine learning to keep pace with evolving threats [6].
- Adoption of quantum-resistant cryptography and blockchain technologies to secure critical data flows and operational records in anticipation of quantum-enabled attacks [34,35].
- Enhancement of crew cybersecurity awareness and training, addressing both technical competencies and behavioral vulnerabilities [36,37].
- Strengthening of technical controls, including network segmentation, intrusion detection, end-to-end encryption, and layered access management tailored to maritime operations [38].
- Regular cyber resilience and incident response exercises, including honeynet deployment to identify attack patterns and inform targeted countermeasures [16].
The interplay among threats, such as APTs exploiting baseline vulnerabilities (Figure 3) subsequently leveraged by hacktivists, intensifies overall risk, with approximately 60% of incidents linked to IT–OT convergence [23]. This analysis also highlights recurring technological failures that necessitate engineering-level solutions beyond conventional policy measures.

5.4. Securing Legacy OT and IT/OT Convergence

The top threat, OT compromise (98/100 score, Figure 9), is rooted in the prevalence of legacy systems (seen in 7 of 8 top ports, Figure 10). These systems often run end-of-life (EOL) operating systems like Windows XP, which are present in equipment like ZPMC cranes. These cannot be patched, making standard vulnerability management impossible. The technical challenge is that 24/7 port operations cannot tolerate the downtime required for traditional patching or rebooting.
  • Engineering Solution 1: Network Segmentation. While “segmentation” is a common recommendation, its practical implementation in a port environment requires robust industrial networking hardware (e.g., DIN rail-mounted industrial firewalls) capable of enforcing “Purdue Model” zoning. This technologically segregates the crane and terminal control systems (Levels 0–2) from the port’s business logistics network (Level 4).
  • Engineering Solution 2: Virtual Patching & Unidirectional Gateways. For unpatchable EOL systems, security must be externalized. This involves deploying Intrusion Prevention Systems (IPS) in front of the vulnerable OT asset to filter malicious traffic, a process known as “virtual patching.” For critical-to-life systems, hardware-based unidirectional gateways (data diodes) can be engineered to ensure that data (e.g., operational metrics) can only flow out of the OT network, making remote compromise physically impossible.

5.5. Addressing Supply Chain Hardware Vulnerabilities (ZPMC Cranes)

The presence of ZPMC cranes in many U.S. ports has been cited as a potential hardware supply chain risk. This discussion is based on public advisories, as empirical evidence of embedded backdoors or active exploits is not publicly available. While no active hardware backdoors have been confirmed, ZPMC cranes present a critical supply chain risk due to their use of legacy protocols (SMBv1, Windows XP) and documented weak network segmentation. This creates a high-risk attack surface for state actors, shifting the focus from speculative backdoors to confirmed, critical vulnerabilities.
  • Engineering Solution: A “zero-trust” architecture must be applied to the hardware itself. This involves rigorous physical and logical inspection of components. Furthermore, all network communications from this equipment must be routed through deep-packet inspection firewalls that baseline “normal” behavior and alert on or block any anomalous communication, such as an attempted connection to an unknown external C2 server.
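The zoning, virtual-patching and behaviour-baselining controls described in Sections 5.4 and 5.5, reduced to a minimal policy checker as an added illustration (not code from the paper): Purdue-level zones, an IPS-style block list for legacy services such as SMBv1 in front of EOL controllers, and a per-asset communication baseline that flags a crane controller reaching an unknown external address. All zones, addresses and flow records are constructed for the demonstration.

```python
"""Purdue-model zone policy plus per-asset baseline (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed Purdue zoning: (network, level, label). Level 3 is used here as the
# industrial DMZ that brokers all traffic between OT and the business network.
ZONES = [
    (ip_network("10.0.0.0/24"), 1, "crane-plc"),       # controllers on STS cranes
    (ip_network("10.0.1.0/24"), 2, "terminal-scada"),  # supervisory / HMI hosts
    (ip_network("10.0.3.0/24"), 3, "idmz"),            # historian relay, patch mirror
    (ip_network("10.1.0.0/16"), 4, "port-business"),   # logistics IT
]

# "Virtual patching": service ports an IPS placed in front of the EOL assets drops
# whatever the source zone (SMBv1 on TCP/445 towards Windows XP-era controllers).
BLOCKED_TO_OT = {445}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def level_of(ip: str) -> Optional[int]:
    """Purdue level of an address, or None when it lies outside every known zone."""
    addr = ip_address(ip)
    for net, lvl, _ in ZONES:
        if addr in net:
            return lvl
    return None


def zone_violation(flow: Flow) -> Optional[str]:
    """Apply the zoning and virtual-patch rules; return a reason if the flow is disallowed."""
    s, d = level_of(flow.src), level_of(flow.dst)
    touches_ot = any(lvl is not None and lvl <= 2 for lvl in (s, d))
    if touches_ot and (s is None or d is None):
        return "OT host communicates directly with an external address"
    if d is not None and d <= 2 and flow.dport in BLOCKED_TO_OT:
        return f"legacy service tcp/{flow.dport} towards OT is virtually patched"
    if s is not None and d is not None and abs(s - d) > 1:
        return f"level {s} -> level {d} skips the DMZ"
    return None


def learn_baseline(flows: list[Flow]) -> dict[str, set[tuple[str, int]]]:
    """Record the (dst, dport) pairs each source used during a known-clean period."""
    base: dict[str, set[tuple[str, int]]] = {}
    for f in flows:
        base.setdefault(f.src, set()).add((f.dst, f.dport))
    return base


def detect(flows: list[Flow], baseline: dict[str, set[tuple[str, int]]]) -> list[tuple[Flow, str]]:
    """Return (flow, reason) for every zoning violation or deviation from the baseline."""
    findings = []
    for f in flows:
        reason = zone_violation(f)
        if reason is None and f.src in baseline and (f.dst, f.dport) not in baseline[f.src]:
            reason = "new (dst, port) pair for a baselined OT asset"
        if reason:
            findings.append((f, reason))
    return findings


# Constructed "clean week" traffic used to build the baseline.
BASELINE_FLOWS = [
    Flow("10.0.0.10", "10.0.1.5", 502),    # PLC -> SCADA, Modbus/TCP
    Flow("10.0.1.5", "10.0.3.2", 4443),    # SCADA -> DMZ historian relay
    Flow("10.0.3.2", "10.1.2.20", 443),    # DMZ -> business analytics
]

# Constructed traffic to evaluate: a PLC reaching an unknown external host (the
# C2-style behaviour the text warns about), an SMB probe towards a crane
# controller, a Level 2 -> Level 4 connection that bypasses the DMZ, and a PLC
# talking to a SCADA host it has never used before.
EVAL_FLOWS = BASELINE_FLOWS + [
    Flow("10.0.0.10", "203.0.113.77", 443),
    Flow("10.1.2.20", "10.0.0.10", 445),
    Flow("10.0.1.5", "10.1.2.20", 8080),
    Flow("10.0.0.10", "10.0.1.6", 502),
]


def run_demo() -> list[str]:
    """Reasons raised when EVAL_FLOWS is checked against the learned baseline."""
    return [reason for _, reason in detect(EVAL_FLOWS, learn_baseline(BASELINE_FLOWS))]


if __name__ == "__main__":
    for flow, reason in detect(EVAL_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(f"ALERT {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

The baseline check only fires for sources seen during the clean period, so a new OT asset must be added to the baseline before its traffic is scored.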

5.6. Interpreting IMO Resolution MSC.428(98)

Adherence to IMO Resolution MSC.428(98) is recommended, but the resolution is goal-based, not prescriptive. From an engineering perspective, this requires operators to identify all critical OT assets (e.g., VTMS, cargo handling systems), map their data flows, and apply specific technical controls from frameworks like NIST SP 800-82 (“Guide to Industrial Control Systems Security”) to protect them.

5.7. OSINT Integration (MCAD)

MCAD’s OSINT-based coverage supports “threat hunting”, although some incidents remain unreported because of disclosure delays. Integrating MCAD data feeds with internal Security Information and Event Management (SIEM) systems allows security teams to correlate their own network logs with global incident patterns (e.g., Volt Typhoon’s TTPs), identifying intrusions that would otherwise be missed. The timeline (Figure 13) reveals peak activity in 2023–2024, correlating with geopolitical escalations.
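An added illustration (not the paper’s or MCAD’s code) of the SIEM correlation described above: SIEM detections, each tagged with the MITRE ATT&CK technique its rule fired on, are matched against a small intel feed whose patterns mirror the Table 4 incidents, so that two individually medium-severity alerts (a valid-account logon and an exfiltration over a web service) surface together as one known pattern. The feed, the events and the time window are constructed for the demonstration.

```python
"""Correlating ATT&CK-tagged SIEM detections with an MCAD-style intel feed (added example)."""
from datetime import datetime, timedelta

# Constructed intel feed: the technique set of documented maritime incident
# patterns, mirroring the Table 4 rows, with the reported actor type.
INTEL_FEED = [
    {"id": "feb-2025-regulatory-leak", "actor": "hacktivist",
     "techniques": {"T1078", "T1567"}},   # valid accounts + exfiltration over web service
    {"id": "aug-2024-port-website-ddos", "actor": "hacktivist",
     "techniques": {"T1498"}},            # network DoS
    {"id": "mar-2025-vsat-disruption", "actor": "hacktivist",
     "techniques": {"T1499"}},            # endpoint DoS
    {"id": "2024-ais-spoofing", "actor": "hacktivist",
     "techniques": {"T1565"}},            # data manipulation
]

# Constructed SIEM detections: (UTC timestamp, host, technique). In production the
# technique tag would be assigned by the detection rule that fired.
SIEM_EVENTS = [
    ("2025-06-03T01:10:00Z", "vpn-gw1", "T1078"),       # logon with a valid account, odd geo
    ("2025-06-03T01:45:00Z", "fileserver-2", "T1567"),  # bulk upload to a web service
    ("2025-06-03T09:00:00Z", "web-portal", "T1498"),    # SYN flood on the public site
    ("2025-06-05T14:00:00Z", "vpn-gw1", "T1078"),       # isolated logon, no follow-on
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, feed, window=timedelta(hours=24), min_coverage=1.0):
    """Match sliding windows of detections against each intel pattern.

    A pattern matches when at least min_coverage of its techniques occur within
    one window; the earliest best match per pattern is returned with its evidence.
    """
    evs = sorted(((parse_ts(t), host, tech) for t, host, tech in events), key=lambda e: e[0])
    matches = {}
    for i, (start, _, _) in enumerate(evs):
        in_window = [e for e in evs[i:] if e[0] - start <= window]
        seen = {e[2] for e in in_window}
        for rec in feed:
            coverage = len(rec["techniques"] & seen) / len(rec["techniques"])
            if coverage < min_coverage:
                continue
            evidence = [e for e in in_window if e[2] in rec["techniques"]]
            prev = matches.get(rec["id"])
            if prev is None or coverage > prev["coverage"]:
                matches[rec["id"]] = {
                    "pattern": rec["id"],
                    "actor": rec["actor"],
                    "coverage": coverage,
                    "first_seen": min(e[0] for e in evidence),
                    "hosts": sorted({e[1] for e in evidence}),
                    "techniques": sorted(rec["techniques"] & seen),
                }
    return sorted(matches.values(), key=lambda m: m["first_seen"])


if __name__ == "__main__":
    for m in correlate(SIEM_EVENTS, INTEL_FEED):
        print(f"{m['first_seen']:%Y-%m-%d %H:%M} {m['pattern']} ({m['actor']}) "
              f"coverage={m['coverage']:.0%} hosts={','.join(m['hosts'])}")
```

Lowering min_coverage trades precision for earlier warning: a single T1078 hit then already reports the leak pattern at 50% coverage, which is how an analyst would tune the feed for pre-positioning hunts.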

6. Conclusions

The maritime cyber landscape in 2025 reflects a convergence of state-sponsored APTs, frequent ransomware exploiting weak cybersecurity practices, and disruptive hacktivist activity. This study introduces a validated quantitative risk assessment model, enabling forward-looking, prioritized evaluation of maritime threats beyond mere incident aggregation. Our analysis identifies OT compromise as the most critical threat, with ports in strategic geopolitical zones (Poland, Taiwan, and the Panama Canal) at highest risk.
Maritime cybersecurity can no longer rely on obscurity. Engineering-grade measures, including network segmentation, zero-trust hardware monitoring, and integration of OSINT into SIEM platforms, are essential. Translating frameworks such as IMO Resolution MSC.428(98) into concrete controls fosters resilient, adaptive defenses. Safeguarding global trade demands a holistic approach, combining technical solutions, human-centric measures, stakeholder collaboration, and harmonized regulatory initiatives.

Author Contributions

Conceptualization, M.B. and G.R.; methodology, O.B. and M.H.; software, M.B.; validation, G.R., O.B. and A.V.G.; formal analysis, M.B. and M.H.; investigation, O.B.; resources, G.R.; data curation, M.B.; writing—original draft preparation, M.B.; writing—review and editing, O.B., G.R., M.H. and A.V.G.; visualization, M.B.; supervision, G.R. and A.V.G. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The original data presented in the study are openly available in the MCAD dataset at https://maritimecybersecurity.nl. Further data presented in this study are available on request from the corresponding authors.

Acknowledgments

During the preparation of this manuscript/study, the authors used Python 3.14 for the purposes of data analysis. The authors have reviewed and edited the output and take full responsibility for the content of this publication.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
AI: Artificial Intelligence
AIS: Automatic Identification System
APTs: Advanced Persistent Threats
C2: Command and control
CCDCOE: NATO Cooperative Cyber Defence Centre of Excellence
CGCYBER: U.S. Coast Guard Cyber Command
CVE: Common Vulnerabilities and Exposures
DDoS: Distributed Denial-of-Service
EOL: End-of-Life
GNSS: Global Navigation Satellite System
GRU: Main Intelligence Directorate (Glavnoye Razvedyvatelnoye Upravleniye)
IMO: International Maritime Organization
IoT: Internet of Things
IPS: Intrusion Prevention Systems
IT: Information Technology
KEV: Known Exploited Vulnerabilities
MCAD: Maritime Cyber Attack Database
MTS: Maritime Transport System
NIST: National Institute of Standards and Technology
OSINT: Open-Source Intelligence
OT: Operational Technology
RaaS: Ransomware-as-a-Service
RCE: Remote Code Execution
SIEM: Security Information and Event Management
STS: Ship-to-Shore
VTMS: Vessel Traffic Management Systems

References

  1. Orlovskyi, B.; Osadcha, I.A. Criminological analysis of cyber threats and their impact on commercial shipping. Const. State 2025, 1, 24–35. [Google Scholar] [CrossRef]
  2. Progoulakis, I.; Dagkinis, I.K.; Dimakopoulou, A.; Lilas, T.; Nikitakos, N.; Psomas, P.M. Cyber–Physical Security Assessment for Maritime Vessels: Study on Drillship DP System Using American Petroleum Institute Security Risk Analysis and Bow-Tie Analysis. J. Mar. Sci. Eng. 2024, 12, 1757. [Google Scholar] [CrossRef]
  3. Jin, Y.; Feng, Y.; Liu, C.; Li, S. Navigating the digital seas: Legal challenges and global governance of maritime cyber operations. Front. Mar. Sci. 2025, 12, 1616906. [Google Scholar] [CrossRef]
  4. NORMA Cyber. Maritime Cybersecurity Report 2024; Nordic Maritime Cyber Resilience Centre: Oslo, Norway, 2024; Available online: https://www.oceanspacemedia.com/files/2024/04/09/Norma+Cyber+Annual+Threat+Assessment+-+Spreads.pdf (accessed on 4 December 2025).
  5. Hanafiah, R.M.; Abdullah, M.A.; Zaideen, I.M.M.; Najib, A.F.A.; Rahman, N.S.F.A.; Karim, N.H. Selection of the regulatory seaport cybersecurity based on integrated AHP and TOPSIS. Asian Acad. Manag. J. 2025, 30, 1–33. [Google Scholar] [CrossRef]
  6. Paulraj, J.; Raghuraman, B.; Gopalakrishnan, N.; Otoum, Y. Autonomous AI-based Cybersecurity Framework for Critical Infrastructure: Real-Time Threat Mitigation. In Proceedings of the 2025 IEEE/ACIS 29th International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD), Busan, Republic of Korea, 25–27 June 2025; pp. 925–931. [Google Scholar]
  7. Mohamed, N.A.A. Cyber Security for the Maritime Critical Infrastructure: A Case Study of the Strait of Malacca. Ph.D. Thesis, Universiti Sains Malaysia, George Town, Malaysia, 2018. Available online: https://eprints.usm.my/59238/1/24%20Pages%20from%20NACHAAT%20ABDELATIF%20ALI%20MOHAMED%20-%20TESIS.pdf (accessed on 4 December 2025).
  8. Pijpker, J.; McCombie, S.; Johnson, S.; Loves, R.; Makrakis, G.M. An Open-Source Database of Cyberattacks on the Maritime Transportation System. Preprints 2024, 2024101996. [Google Scholar] [CrossRef]
  9. Ali, Z.; Hussain, T.; Su, C.L.; Khan, I.; Jurcut, A.D.; Tsao, S.H.; Hu, C.H.; Elsisi, M. Deep Learning-Driven Cyber Attack Detection Framework in DC Shipboard Microgrids System for Enhancing Maritime Transportation Security. IEEE Trans. Intell. Transp. Syst. 2025, 26, 20122–20142. [Google Scholar] [CrossRef]
  10. Ali, Z.; Su, C.-L.; Terriche, Y.; Rouhani, S.H.; Hoang, L.Q.N.; Sadiq, M.; Tsao, S.-H.; Abbas, S.Z.; Ahmad, E.; Elsisi, M. Cyber resilience in shipboard microgrids: Adaptive hybrid artificial intelligent methods and systematic review. Neural Comput. Appl. 2025, 37, 17633–17674. [Google Scholar] [CrossRef]
  11. Androjna, A.; Perkovič, M. Impact of Spoofing of Navigation Systems on Maritime Situational Awareness. Trans. Marit. Sci. 2021, 10, 361–373. [Google Scholar] [CrossRef]
  12. Gopinath, S.; Arunprasath, P.; Hemanand, M.; Vivek, M.; Balaji, P.; Leena, S.S. Maritime cyber security. Int. Res. J. Adv. Eng. Manag. 2025, 2, 1–10. [Google Scholar] [CrossRef]
  13. Ćelić, J.; Vukšić, M.; Baždarić, R.; Cuculić, A. The Challenges of Cyber Resilience in the Maritime Sector: Addressing the Weak Awareness of the Dangers Caused by Cyber Threats. J. Mar. Sci. Eng. 2025, 13, 762. [Google Scholar] [CrossRef]
  14. Kanwal, K.; Shi, W.; Kontovas, C.; Yang, Z.; Chang, C.H. Maritime cybersecurity: Are onboard systems ready? Marit. Policy Manag. 2022, 49, 1023–1043. [Google Scholar] [CrossRef]
  15. Akpan, F.; Bendiab, G.; Shiaeles, S.; Karamperidis, S.; Michaloliakos, M. Cybersecurity Challenges in the Maritime Sector. Network 2022, 2, 123–138. [Google Scholar] [CrossRef]
  16. Makrakis, G.M.; Hassing, R.; Pijpker, J.; Loves, R.; McCombie, S. Salty seagull: A VSAT honeynet to follow the bread crumb of attacks in ship networks. arXiv 2025, arXiv:2508.11325. [Google Scholar] [CrossRef]
  17. Mudra, G.; Cui, H.; Johnstone, M.N. Survey: An Overview of Lightweight RFID Authentication Protocols Suitable for the Maritime Internet of Things. Electronics 2023, 12, 2990. [Google Scholar] [CrossRef]
  18. Park, J.; Park, H.S.; Park, C. Research for direction of maritime cybersecurity regulatory framework. J. Soc. Nav. Archit. Korea 2025, 62, 45–56. [Google Scholar] [CrossRef]
  19. Port of Seattle. Port Cyberattack Archive. Available online: https://www.portseattle.org/news/port-cyberattack-archive (accessed on 20 October 2025).
  20. Ijiga, M.O.; Olarinoye, H.S.; Yeboah, F.A.; Okolo, J.N. Integrating behavioral science and cyber threat intelligence (CTI) to counter advanced persistent threats (APTs) and reduce human-enabled security breaches. Int. J. Sci. Res. Mod. Technol. 2025, 4, 1–15. [Google Scholar] [CrossRef]
  21. Androjna, A.; Brcko, T.; Pavic, I.; Greidanus, H. Assessing Cyber Challenges of Maritime Navigation. J. Mar. Sci. Eng. 2020, 8, 776. [Google Scholar] [CrossRef]
  22. Kapalidis, C.; Watson, T.; Karamperidis, S.; Koligiannis, G. A vulnerability centric system of systems analysis on the maritime transportation sector most valuable assets: Recommendations for port facilities and ships. J. Mar. Sci. Eng. 2022, 10, 1486. [Google Scholar] [CrossRef]
  23. CCDCOE. Addressing State-Linked Cyber Threats to Critical Maritime Port Infrastructure; Policy Brief; NATO Cooperative Cyber Defence Centre of Excellence: Tallinn, Estonia, 2025; Available online: https://ccdcoe.org/uploads/2025/07/CCDCOE_Policy_Brief.pdf (accessed on 4 December 2025).
  24. Cyble. Cyber Threats Surge Against Maritime Industry in 2025. Available online: https://cyble.com/blog/cyberattacks-targets-maritime-industry (accessed on 20 October 2025).
  25. Maritime Cyber Attack Database (MCAD). NHL Stenden University of Applied Sciences. Available online: https://www.nhlstenden.com/en/maritime-cyber-attack-database (accessed on 20 October 2025).
  26. NATO CCDCOE. NATO Warns of State-Linked Cyberattacks on Europe’s Civilian Ports. Industrial Cyber. 28 July 2025. Available online: https://industrialcyber.co/transport/nato-warns-of-state-linked-cyberattacks-on-europes-civilian-ports-exposing-critical-gaps-in-maritime-defense/ (accessed on 4 December 2025).
  27. NORMA Cyber. Maritime Cybersecurity Report 2025; Nordic Maritime Cyber Resilience Centre: Oslo, Norway, 2025; Available online: https://25011010.fs1.hubspotusercontent-eu1.net/hubfs/25011010/Norma%20Cyber%20Annual%20Threat%20Assessment.pdf (accessed on 4 December 2025).
  28. Sfetcu, N. Advanced Persistent Threats in Cybersecurity: Cyber Warfare; MultiMedia Publishing: Bucharest, Romania, 2024; Available online: https://www.researchgate.net/publication/377255971_Amenintarile_persistente_avansate_in_securitatea_cibernetica_-_Razboiul_cibernetic (accessed on 4 December 2025). (In Romanian)
  29. Lloyd’s Maritime Intelligence. Global Port Cyber Risk Report 2025; Lloyd’s: London, UK, 2025; Available online: https://www.lloydslist.com/special-reports/2025/Half-year-outlook-2025v2 (accessed on 4 December 2025).
  30. Keskin, O.F.; Lubja, K.; Bahsi, H.; Tatar, U. Systematic Cyber Threat Modeling for Maritime Operations: Attack Trees for Shipboard Systems. J. Mar. Sci. Eng. 2025, 13, 645. [Google Scholar] [CrossRef]
  31. Hagen, R.A. How APT Groups Exploit the Human Mind. LinkedIn Pulse. 2023. Available online: https://www.linkedin.com/pulse/how-apt-groups-exploit-human-mind-raymond-andr%C3%A8-hagen (accessed on 4 December 2025).
  32. Miller, T.; Durlik, I.; Kostecka, E.; Sokołowska, S.; Kozlovska, P.; Zwolak, R. Artificial Intelligence in Maritime Cybersecurity: A Systematic Review of AI-Driven Threat Detection and Risk Mitigation Strategies. Electronics 2025, 14, 1844. [Google Scholar] [CrossRef]
  33. Kokkinis, G.; Dimitrakopoulou, G.; Tortora, L.; Doumenis, D.; Keremidou, E.; Rizzoni, F.; Kapsalis, N.; Spantideas, S.; Mari, P. Enhancing Cybersecurity through Integrated Business Continuity Management and Cyber Threat Intelligence. In Proceedings of the 2025 6th International Conference in Electronic Engineering & Information Technology (EEITE), Chania, Greece, 4–6 June 2025. [Google Scholar] [CrossRef]
  34. Farao, A.; Zarras, A.; Voudouris, A.; Paparis, G.; Xenakis, C. B2SAPP: Blockchain based solution for maritime security applications. Front. Comput. Sci. 2025, 7, 1572009. [Google Scholar] [CrossRef]
  35. Ndokaj, E.; Pupa, S.; Metalla, O.; La Gatta, L. Quantum-enhanced blockchain for maritime cybersecurity: Leveraging advanced random number generation to secure maritime operations. In Proceedings of the 2024 International Conference on Emerging Technologies in Computing, Durrës, Albania, 10–11 October 2024. [Google Scholar]
  36. Aan, C. Developing a measurement scale to assess the perception of cybersecurity among employees in the maritime industry. J. Nav. Sci. Eng. 2024, 10, 1485985. [Google Scholar] [CrossRef]
  37. Hendriawan, A.; Gautama, I.; Siahaan, D.; Kurniawan, K. Analysis of the influence of factors on maritime cyber resilience on board with intervening maritime cyber security awareness. J. Syntax Lit. 2025, 10, 2783–2794. [Google Scholar] [CrossRef]
  38. Visky, G.; Lavrenovs, E.O.; Lazdins, A.; Barzdins, G. Multi-Purpose Cyber Environment for Maritime Sector. In Proceedings of the 17th International Conference on Cyber Warfare and Security (ICCWS 2022), Albany, NY, USA, 17–18 March 2022; pp. 368–376. [Google Scholar] [CrossRef]
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
