Spy ships, cyber-attacks and shadow fleets: the crack security team braced for trouble at sea. As international tensions mount and hackers grow more sophisticated and audacious, the Nordic Maritime Cyber Resilience Centre is constantly monitoring the global threat of war, terror and piracy
Miranda Bryant in OsloWed 18 Jun 2025 07.00 BSTShare
Ships being taken over remotely by hackers and made to crash is a scenario made in Hollywood. But in a security operations room in Oslo, just a few metres from the sparkling fjord and its tourist boats, floating saunas and plucky bathers, maritime cyber experts say not only is it technically possible, but they are poised for it to happen.
“We are pretty sure that it will happen sooner or later, so that is what we are looking for,” says Øystein Brekke-Sanderud, a senior analyst at the Nordic Maritime Cyber Resilience Centre (Norma Cyber). On the wall behind him is a live map of the ships they monitor and screens full of graphs and code. Two little rubber ducks watch over proceedings from above.
In an unstable world, shipping, ports and terminals are taking on enormous strategic importance as targets for destabilising infrastructure and espionage. This is particularly relevant in the Nordic countries, which share land and sea borders with Russia.
Finland and Sweden are now Nato members and all countries are beefing up their defence capabilities amid hybrid attacks and rising fear of war. “These systems [on ships] are very complex and it is hard to understand how to operate them. But with AI you can just keep asking questions: ‘How does this component work?’, ‘Can you go through this 300-page manual and find me the password?’ So everything goes fast,” says Brekke-Sanderud.
Based in the headquarters of the Norwegian Shipowners’ Association on the quayside of the Norwegian capital, Norma Cyber works alongside it and the Norwegian Shipowners’ Mutual War Risks Insurance Association (DNK).
The three organisations came together two years ago to set up a shipping security and resilience centre to monitor the global threat of war, terror and piracy – physical and digital. They also carry out work on behalf of the Norwegian government.
While remotely crashing a vessel is technically possible, hackers hoping to cause chaos need not go to such dramatic lengths. Simply making something on a ship stop working could lead to a blackout on a vessel or systems malfunctioning, says Lars Benjamin Vold, Norma Cyber’s managing director.
And there is mounting evidence that states are looking to harness these powers against their adversaries at sea.
Iran is already understood to have researched how to use cyber-attacks to disrupt ballast systems – which pump water into vessels to ensure stability – to affect ships and satellite systems. And April saw an unprecedented hack that allegedly took out 116 Iranian Vsat modems – used in satellite communication by ships – simultaneously.
“When you talk about nation states, it is about their will to do something,” says Vold. While potential “threat actors” such as Russia and China have extensive capabilities, these also have to align with their mission, which could change at any time.
So while the threat level has been relatively consistent, maritime vulnerabilities are on the rise. “Things are digitalising more and more, so there are more potential ways in,” says Vold.
Norma Cyber has also reported civilian vessels such as fishing boats, research ships and cargo vessels being used for espionage in the Baltic, north Atlantic and the Arctic. USB devices have also been used to infiltrate maritime systems, including by a China-linked threat actor called Mustang Panda.
Last year, Norma Cyber noted 239 disruptive cyber-attacks on the maritime sector, with the pro-Russian group NoName057(16) behind most of them.
Perhaps counterintuitively, the increased reliance on digitalisation ends up putting more demand on old-fashioned navigational skills. When crews come up against jamming of satellite navigation systems in the Baltic – Finland has accused Russia of being behind such disruptions – they are left with little option but to navigate without it. “Good seamanship is the best mitigation measure,” says Vold.
But as well as the invisible threats of the digital world, the maritime industry is also facing unprecedented physical problems. Vladimir Putin’s growing shadow fleet of hundreds of unregulated vessels carrying sanctioned crude oil from Russia to predominantly China and India poses a growing threat to the environment and the global shipping infrastructure.
The shadow fleet is made up of ageing oil tankers, the identities of which are hidden to help circumvent western economic sanctions imposed on Moscow. Estimates of their number range from 600 to 900 vessels, according to some sources.
Threats to ships can also come from within. Engines, elevators and water purification systems are all potential targets on board. And with 15% of crew members internationally either Ukrainian or Russian, the composition of crews on ships has taken on new significance since Russia’s full-scale invasion of Ukraine.
“If you have a Russian captain on a ship carrying aid to Ukraine, those don’t mix that well, right?” says Svein Ringbakken, managing director of DNK. “So those are sensitives that are being addressed in the industry.”
