In 2017, Maersk, the world’s largest shipping company, fell victim to the **NotPetya cyberattack**, a destructive malware campaign attributed to Russian military hackers. The attack originated from a compromised update in Ukrainian accounting software, rapidly spreading across Maersk’s global network. The incident forced the **shutdown of 76 port terminals**, disrupted **over 45,000 PCs and 4,000 servers**, and paralyzed critical operations, including cargo tracking, booking systems, and communication channels.

The financial and operational impact was severe, with Maersk estimating losses between **$250–$300 million** due to halted shipments, delayed deliveries, and recovery efforts. The attack exposed deep vulnerabilities in the company’s IT infrastructure, particularly its reliance on interconnected systems without adequate segmentation. While Maersk managed to restore operations within weeks by reinstalling entire systems from backups, the incident highlighted the maritime sector’s susceptibility to **state-sponsored cyber warfare** and the cascading effects of a single breach on global trade.

The attack also triggered industry-wide alarm, prompting Maersk and other shipping giants to invest heavily in cybersecurity upgrades, including network isolation, endpoint protection, and employee training to mitigate future threats.
Source: https://www.helpnetsecurity.com/2025/08/28/maritime-industry-cybersecurity-threats/
TPRM report: https://www.rankiteo.com/company/maersk-group
"id": "mae508082925",
"linkid": "maersk-group",
"type": "Cyber Attack",
"date": "6/2017",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'Global supply chain partners',
'industry': 'Maritime/Logistics',
'location': 'Global (HQ: Denmark)',
'name': 'Maersk',
'size': 'Large (World’s largest shipping company)',
'type': 'Shipping Company'},
{'industry': 'Maritime/Logistics',
'location': 'Croatia',
'name': 'Port of Rijeka',
'size': 'Medium',
'type': 'Port Authority'},
{'customers_affected': 'Yes '
'(financial/employee/customer '
'data)',
'industry': 'Maritime/Retail',
'location': 'USA',
'name': 'MarineMax',
'size': 'Large',
'type': 'Boat Retailer'},
{'industry': 'Oil/Gas Maritime',
'location': 'Iran/Global',
'name': 'Iranian Oil Tankers (60+ vessels)',
'size': 'Large',
'type': 'Shipping Fleet'},
{'industry': 'Maritime',
'location': 'Baltimore, USA (incident location)',
'name': 'MV Dali',
'size': 'Medium',
'type': 'Cargo Ship'},
{'industry': 'Transportation',
'location': 'Baltimore, USA',
'name': 'Francis Scott Key Bridge',
'type': 'Infrastructure'}],
'attack_vector': ['Compromised Software Updates (NotPetya via Ukrainian '
'accounting software)',
'Phishing/Social Engineering',
'Outdated/Poorly Maintained Systems',
'Third-Party Vendor Vulnerabilities',
'GNSS Jamming/Spoofing (Russia, Iran, China)',
'AI-Assisted Exploits (e.g., subverting AI assistants)',
'Manual Override of Digital Systems (human error)'],
'customer_advisories': ['Maersk: Notified partners of NotPetya impact (2017).',
'MarineMax: Advised customers on data breach risks '
'(2024).',
'Port of Rijeka: Likely notified stakeholders of '
'ransomware attack (2024).'],
'data_breach': {'data_encryption': ['Ransomware Encryption (NotPetya, 8Base)'],
'data_exfiltration': ['Port of Rijeka (8Base claimed theft)',
'MarineMax (online exposure)',
'Potential in NotPetya (Maersk)'],
'file_types_exposed': ['Invoices',
'Receipts',
'Employment Contracts',
'Accounting Records',
'Navigation Logs (GNSS Data)'],
'personally_identifiable_information': ['Employee/Customer '
'Data (MarineMax, '
'Port of Rijeka)'],
'sensitivity_of_data': 'High (financial, PII, operational)',
'type_of_data_compromised': ['Financial Records',
'Employee Data',
'Customer Data',
'Shipping Routes/Cargo Data',
'Personal Data (Contracts, '
'Invoices)',
'Accounting Records']},
'description': 'The maritime sector, including ships, ports, and terminals, '
'faces escalating cyber threats due to modernization, '
'geopolitical tensions, and the adoption of AI. Incidents '
"range from ransomware attacks (e.g., Maersk's NotPetya in "
'2017) to GNSS jamming/spoofing and AI-powered attacks. '
'Vulnerabilities stem from outdated systems, supply chain '
'risks, lack of in-house expertise (only 17% of shipyards have '
'cybersecurity capabilities), and fragmented cybersecurity '
'governance across public/private actors. High-profile cases '
'include the MV Dali power loss (2024, no confirmed '
'cyberattack but raised concerns), the Port of Rijeka '
'ransomware attack by 8Base, and Lab-Dookhtegan’s disruption '
'of 60+ Iranian oil tankers. Regulatory responses include the '
'U.S. Coast Guard’s 2025 rule, EU’s NIS2 Directive, and IMO’s '
'updated ISM Code guidelines.',
'impact': {'brand_reputation_impact': ['Maersk (NotPetya)',
'MarineMax (Customer/Employee Data '
'Exposure)',
'Port of Rijeka (Confidential Data '
'Theft)'],
'customer_complaints': ['Likely for MarineMax (data breach)',
'Potential for Maersk/Port of Rijeka '
'(service disruptions)'],
'data_compromised': ['Financial Records (Maersk, MarineMax, Port '
'of Rijeka)',
'Employee/Customer Data (MarineMax)',
'Shipping Routes/Cargo Data (Ports)',
'Personal Data (Port of Rijeka: invoices, '
'contracts, accounting records)',
'Navigation/Logistics Data (GNSS Spoofing)'],
'downtime': ['Maersk: Weeks (NotPetya)',
'Port of Rijeka: Unspecified (8Base Attack)',
'Iranian Tankers: Communications Disabled '
'(Lab-Dookhtegan)'],
'financial_loss': ['Maersk: $300M (NotPetya, 2017)',
'Unspecified losses for MarineMax, Port of '
'Rijeka, and other targets'],
'identity_theft_risk': ['Employee/Customer Data (MarineMax, Port '
'of Rijeka)'],
'legal_liabilities': ['Potential GDPR Violations (EU Ports)',
'U.S. Coast Guard Reporting Requirements '
'(2025 Rule)',
'IMO ISM Code Non-Compliance Risks'],
'operational_impact': ['Collapse of Francis Scott Key Bridge (MV '
'Dali, indirect)',
'Disruption of 80% Global Trade (Port '
'Targeting)',
'Manual Overrides Required (Digital System '
'Failures)',
'Supply Chain Delays (Ransomware/OT '
'Attacks)'],
'payment_information_risk': ['Financial Records (Maersk, '
'MarineMax, Port of Rijeka)'],
'revenue_loss': ['Maersk: $300M (2017)',
'Potential losses for Port of Rijeka, MarineMax, '
'and other entities'],
'systems_affected': ['76 Port Terminals (Maersk, 2017)',
'45,000+ PCs and 4,000 Servers (Maersk)',
'Accounting Systems (MarineMax)',
'Communications (60+ Iranian Oil Tankers)',
'GNSS Navigation (Jamming/Spoofing)',
'OT Systems (MV Dali power loss)']},
'initial_access_broker': {'backdoors_established': ['Potential in NotPetya '
'(lateral movement)',
'Possible in 8Base/Port '
'of Rijeka attack'],
'data_sold_on_dark_web': ['Potential for Port of '
'Rijeka data (8Base)'],
'entry_point': ['Compromised Software Update '
'(NotPetya via Ukrainian accounting '
'software)',
'Phishing/Social Engineering '
'(MarineMax, Port of Rijeka)',
'Outdated Software (Iranian '
'Tankers)',
'Third-Party Vendor Vulnerabilities '
'(Supply Chain)'],
'high_value_targets': ['Shipping Routes/Cargo Data '
'(Ports)',
'Financial Systems (Maersk, '
'MarineMax)',
'Navigation/OT Systems (MV '
'Dali, Iranian Tankers)']},
'investigation_status': ['Maersk NotPetya: Attributed to Russian military '
'(confirmed)',
'MV Dali: No confirmed cyberattack (electrical '
'failure under investigation)',
'Port of Rijeka: Ongoing (8Base claims unverified)',
'Iranian Tankers: Lab-Dookhtegan claimed '
'responsibility (verified communications '
'disruption)'],
'lessons_learned': ['Fragmented cybersecurity governance increases risk; '
'standardized procedures are critical.',
'Supply chain visibility must extend beyond first-tier '
'vendors to mitigate third-party risks.',
'OT systems (e.g., ship navigation) require '
'air-gapping/segmentation to prevent cascading failures.',
'Workforce training is essential to counter '
'phishing/social engineering (human error = top risk).',
'AI-powered attacks demand continuous threat monitoring '
'and adaptive defenses.',
'GNSS jamming/spoofing highlights the need for redundant '
'navigation systems.',
'Regulatory compliance (NIS2, IMO, U.S. Coast Guard) is '
'evolving; proactive adaptation is necessary.'],
'motivation': ['Financial Gain (Ransomware)',
'Geopolitical Disruption (State Actors)',
'Espionage (Strategic Maritime Data)',
'Hacktivism (e.g., Lab-Dookhtegan)',
'Operational Sabotage (e.g., GNSS Interference)'],
'post_incident_analysis': {'corrective_actions': ['Maersk: Global IT '
'Infrastructure Overhaul '
'Post-NotPetya.',
'IMO: Updated ISM Code to '
'Mandate Cyber Risk '
'Assessments.',
'U.S. Coast Guard: 2025 '
'Rule for Cybersecurity '
'Officers and Incident '
'Reporting.',
'EU: NIS2 Directive '
'Enforcement for Maritime '
'Sector.',
'Ports: Increased '
'Third-Party Vendor Audits '
'(e.g., Rijeka '
'Post-Attack).',
'Shipping Companies: AI '
'Threat Monitoring and '
'Workforce Training '
'Programs.'],
'root_causes': ['Lack of Cybersecurity Expertise '
'(17% of shipyards)',
'Fragmented Governance (No Common '
'Incident Response Procedures)',
'Supply Chain Blind Spots (Limited '
'Visibility Beyond Tier 1 Vendors)',
'Outdated/Poorly Maintained '
'Systems (Iranian Tankers)',
'Insufficient OT/IT Segmentation '
'(MV Dali, Maersk)',
'Human Error (Phishing/Social '
'Engineering Success)',
'Regulatory Gaps (Pre-2025 U.S. '
'Coast Guard Rules)']},
'ransomware': {'data_encryption': ['NotPetya (Maersk)',
'8Base (Port of Rijeka)'],
'data_exfiltration': ['8Base (Port of Rijeka: claimed theft)'],
'ransom_demanded': ['8Base (Port of Rijeka: unspecified)',
'NotPetya (Maersk: no ransom demanded, '
'wiper malware)'],
'ransom_paid': ['Maersk: None (NotPetya was wiper malware)',
'Port of Rijeka: Unspecified'],
'ransomware_strain': ['NotPetya (2017)', '8Base (2024)']},
'recommendations': ['Implement **network segmentation** to isolate OT/IT '
'systems (e.g., ship navigation vs. accounting).',
'Conduct **continuous risk assessments** for AI-driven '
'and supply chain threats.',
'Establish **cross-sector collaboration** (public/private '
'info-sharing on threats).',
'Mandate **cybersecurity training** for all staff, '
'including manual override procedures.',
'Adopt **IMO ISM Code updates** and align with NIS2/U.S. '
'Coast Guard requirements.',
'Deploy **GNSS backup systems** (e.g., inertial '
'navigation) to counter jamming/spoofing.',
'Invest in **third-party vendor audits** to map supply '
'chain risks beyond Tier 1.',
'Develop **incident response playbooks** for ransomware, '
'OT failures, and data breaches.',
'Leverage **AI for threat detection** while securing AI '
'systems against adversarial attacks.',
'Appoint **dedicated Cybersecurity Officers** (per U.S. '
'Coast Guard 2025 rule).'],
'references': [{'source': 'NATO Cooperative Cyber Defence Centre of '
'Excellence (CCDCOE)',
'url': 'https://ccdcoe.org/'},
{'source': 'Marlink’s 2024 Maritime Cyber Threat Report'},
{'source': 'U.S. Coast Guard 2025 Cybersecurity Rule',
'url': 'https://www.uscg.mil/'},
{'source': 'EU NIS2 Directive',
'url': 'https://digital-strategy.ec.europa.eu/en/policies/nis2-directive'},
{'source': 'IMO ISM Code (MSC.428(98))',
'url': 'https://www.imo.org/'},
{'source': 'Maersk NotPetya Post-Incident Report'},
{'source': 'Port of Rijeka 8Base Ransomware Attack (2024)'}],
'regulatory_compliance': {'regulations_violated': ['Potential GDPR (EU '
'Ports/Data Breaches)',
'IMO ISM Code '
'(Cybersecurity '
'Integration)',
'U.S. Coast Guard 2025 '
'Rule (Incident '
'Reporting)'],
'regulatory_notifications': ['Mandatory under NIS2 '
'(EU)',
'U.S. Coast Guard '
'National Response '
'Center (2025 Rule)',
'IMO MSC.428(98) '
'Reporting']},
'response': {'communication_strategy': ['Public Disclosures (Maersk, '
'MarineMax)',
'Stakeholder Advisories (IMO/NIS2 '
'Compliance)',
'Customer Notifications (Data '
'Breaches)'],
'containment_measures': ['Isolation of Infected Systems (Maersk)',
'Manual Overrides (OT Failures)',
'GNSS Backup Systems (Jamming '
'Mitigation)'],
'enhanced_monitoring': ['Marlink’s Threat Tracking (1,800 '
'vessels, 2024)',
'AI-Driven Anomaly Detection (Emerging)'],
'incident_response_plan_activated': ['Maersk (NotPetya: Global '
'IT Recovery)',
'Port of Rijeka '
'(Unspecified)',
'U.S. Coast Guard Mandates '
'(2025 Rule)'],
'law_enforcement_notified': ['Maersk (NotPetya attributed to '
'Russian military)',
'Potential notifications for Port '
'of Rijeka/MarineMax'],
'network_segmentation': ['Recommended (e.g., IMO Guidelines)'],
'recovery_measures': ['Maersk: 10-Day Global Recovery (NotPetya)',
'Port of Rijeka: Data Restoration (8Base)',
'Iranian Tankers: Communications '
'Reestablishment'],
'remediation_measures': ['System Rebuilds (Maersk: 45,000 '
'PCs/4,000 servers)',
'Software Patching (Outdated Systems)',
'Supply Chain Audits (Third-Party '
'Risks)'],
'third_party_assistance': ['Cybersecurity Firms (e.g., Maersk’s '
'recovery)',
'Government Agencies (e.g., NATO '
'CCDCOE warnings)']},
'stakeholder_advisories': ['IMO: Urges cyber risk assessments and ISM Code '
'integration.',
'NATO CCDCOE: Warns of state-sponsored threats to '
'port infrastructure.',
'U.S. Coast Guard: Mandates Cybersecurity Officers '
'and incident reporting by 2025.',
'EU: NIS2 Directive requires maritime operators to '
'report incidents and secure supply chains.'],
'threat_actor': [{'motivation': 'Geopolitical Disruption',
'name': 'Russian Military (NotPetya)',
'type': 'State-Sponsored'},
{'motivation': 'Extortion',
'name': '8Base Ransomware Group',
'type': 'Financially Motivated'},
{'motivation': 'Disruption (targeted Iranian maritime '
'sector)',
'name': 'Lab-Dookhtegan',
'type': 'Hacktivist/State-Aligned'},
{'motivation': 'GNSS Jamming/Spoofing for Strategic '
'Advantage',
'name': 'Unspecified State Actors (Russia, Iran, China)',
'type': 'State-Sponsored'},
{'motivation': 'Ransomware/Data Theft',
'name': 'Financially Motivated Hackers',
'type': 'Cybercriminal'}],
'title': 'Maritime Cybersecurity Threats and Incidents (2017–2024)',
'type': ['Ransomware',
'Cyber Espionage',
'GNSS Jamming/Spoofing',
'AI-Powered Attacks',
'Supply Chain Compromise',
'Operational Technology (OT) Disruption'],
'vulnerability_exploited': ['Lack of In-House Cybersecurity Expertise (17% of '
'shipyards)',
'Fragmented Cybersecurity Governance (no common '
'procedures)',
'Limited Supply Chain Visibility (beyond '
'first-tier vendors)',
'Outdated Software (e.g., Iranian oil tankers)',
'Poorly Secured OT Systems (e.g., MV Dali '
'electrical blackout)',
'Absence of Standardized Risk Assessments',
'Insufficient Workforce Training (phishing/social '
'engineering)']}