All hands on deck: Attackers have entered the maritime industry (2/4)

Knowing your adversaries and knowing yourself is vital to becoming victorious. In the previous part of the series, we looked into some of the challenges that lie ahead for innovative companies in the maritime industry and how they relate to cybersecurity. In this second part, we will dive into who the main threats are and why they are deploying their offensive cyber capabilities, with this in this part China and Russia.

Just as in agriculture (see the Hunt & Hackett series of blogs on agriculture), the usual suspects of offensive cyber-operations, being China, Russia, Iran and North Korea are very active in maritime- and related industries. There are a few notable differences though. Turkey and the United States are showing quite some interest in maritime and related industries, and Lebanon and Syria are also among the nations who are actively eagerly deploying APTs. In figure 1 it is shown which countries are the most active. Data collected by Hunt & Hackett shows that espionage and information theft are by a far the main objectives of the attacking APTs. What motivations lie behind these attacks? Hunt & Hackett has conducted an analysis on the most active nations. In this blogpost, the motives of China and Russia are discussed.

APT origin countries

Figure 1 - Origin countries of APTs active in maritime- and related industries as observed by Hunt & Hackett.




When looking at the data, China is by far the worst offender and a threat to any innovating company in the maritime industry. A total of 67 APTs (now and in the past) operate from Chinese soil to obtain maritime secrets from companies and governments all over the world. This is no surprise, given the combination of three factors: (1) the inclusion of the maritime industry as a priority sector in China’s ‘Made in China 2025’ strategy, (2) China’s multipronged approach to obtain western technologies and innovations, which includes the use of illicit methods, and (3) China’s vast offensive cyber-capabilities.


“The most interest in our top industries is from China. [Through licit actions,] but also through illicit operations, that is by hacking. In particular directed at companies with high-tech knowledge. There’s a lot of interest in this ‘unique knowledge’. It just gets stolen.”

- Erik Akerboom, head of the General Intelligence and Security Service (AIVD) of the Netherlands (29-07-2021, EenVandaag)


Made in China 2025 is a strategy made to ensure China’s future place as world hegemony and the establishment of the most advanced and competitive economy in the world. The focus of the strategy is on high-tech manufacturing technologies. Maritime vessels and marine engineering equipment are specifically named in the strategy as key technologies. China also has a plan to obtain the technologies they desire. As shown in figure 2, the Chinese government has a multifaced system in place to acquire foreign technologies, a blend of licit and illicit methods of acquisition. Licit are the partnerships, mergers and joint ventures, but these often won’t get them to the most sensitive business information and most protected technologies. This is why they use the extensive capabilities of their intelligence apparatus. Through illicit ways, the Chinese government wants to get its hands on key technologies without going through lengthy and expensive R&D projects. China has a very large and capable cyber-force which is known to conduct espionage all over the world, often leading to frustrated Western countries who are struggling with a response China for its hostile acts because the intertangled relations and logistical and economic dependencies. Further complicating this issue is that involvement in cyber-attacks can often be easily denied.

The multipronged approach of Chinese foreign technology acquisition efforts

Figure 2 – The multipronged approach of Chinese foreign technology acquisition efforts. Note the inclusion of the intelligence services in their approach.

To deal with the Chinese cyber-threat, it is important to understand how their APTs operate so their attacks can be countered. This is the reason Hunt & Hackett has tracked the Tactics, Techniques and Procedures (TTPs) and Tools that they have deployed in their attacks. Of the in total 249 APTs that have shown activity in maritime or related industries, 67 are attributed to China. In their efforts, they are currently using 650 TTPs and 675 Tools.

  Key stats on China: Maritime and Related Industries
APTs 67
APT Names APT1, APT10, APT12, APT14, APT15, APT16, APT17, APT18, APT19, APT2, APT20, APT21, APT22, APT23, APT26, APT27, APT3, APT31, APT4, APT40, APT41, APT5, AVIVORE, Blackgear, BlackTech, Blue Termite, Etc.
Level of Sophistication High
Main Motives Espionage; Information Theft
TTPs 650
Tools 675

Table 1 - Key statistics on APTs originating from China, and the TTPs and Tools they use in the maritime and related industries as observed by Hunt & Hackett.



Only second to China, Russia is one of the most active nations when it comes to offensive cyber-operations in maritime and related industries. Russia’s cyber-force belongs to the absolute world top with a level of sophistication few countries can match. The Kremlin has not been reluctant to deploy its capable hacker groups to influence foreign decision-making, to destroy computer systems and to achieve economic gain. The maritime industry forms no exception: 27 Russian APTs have been observed to be active here with the purposes of espionage, information theft and financial gain.


Russia's main strategic goals relate to protecting its territory, maintaining its sovereignty, exploiting mineral and energy resources and improving quality of scientific research. The surrounding seas are of great importance to Russia because they hold a broad range of economic, political and military interests for the former Soviet nation. However, the merchant and military fleet of the Russians are outdated and are in need of modernization. Over the past few years, several maritime doctrines and strategy documents have been released in which Russia’s ambitions to modernize its maritime industry have been outlined. In 2019 the NATO Defense College assessed that Russia’s domestic capabilities are insufficient to successfully overcome their maritime modernization challenges1.


Luckily for Russia, they have other means to close the gap in their know-how and technologies. Nation-state sponsored APTs are often being used to infiltrate innovative maritime companies in order to extract intellectual property, documented know-how and technologies. Erik Akerboom, head of the general intelligence and security service of the Netherlands, said in an interview that Russia has been formerly known to be hunting for political information, but is now shifting their focus to acquiring Western technologies through cyber-operations2.


Hunt & Hackett is aware of the Russian threat and applies the method of Threat Modelling to counter it. When threat modelling it is vital to fully understand your adversary and its intentions. This is why Hunt & Hackett tracks down APTs and the tactics and tools they use. At this moment, Hunt & Hackett is aware of 27 Russian APTs that are or have been active in maritime and related industries. These 27 APTs have used 523 TTPs and 339 Tools in their efforts to conduct espionage, steal information or for financial gain.


  Key stats on Russia: Maritime and Related Industries
APTs 27
APT Names APT28, APT29, APT-C-34, Avalanche, Dungeon Spider, ELECTRUM, Gamaredon Group, Inception Framework, MONTY SPIDER, Operation BugDrop, Operation Domino, Operation Ghostwriter, Operation Windigo, Red October, RTM, Salty Spider, TeamSpy Crew, TEMP.Veles, Turla Group, UNC1878, UNC2452, White Bear, etc.
Level of Sophistication High
Main Motives Espionage; Information Theft; Financial Gain
TTPs 523
Tools 339

Table 2 - Key statistics on APTs originating from Russia, and the TTPs and Tools they use in the maritime and related industries as observed by Hunt & Hackett.

The case of Turkey and the United States

Noteworthy are Turkey and the United States that appear high on the list of attacking nations in maritime and related industries. This is an anomaly compared to the threat landscape of other sectors such as agriculture, chemicals or energy. They appear in the list for a different reason than that of the other nations. Turkey has offensive cyber-capabilities but generally utilizes this capability to spy on other governments and dissidents. Why they appear high on the list is because they hack companies in the technology industry, an industry which Hunt & Hackett has identified as related to the maritime industry, to get access to the targets of their cyber-attacks. Evidence or explicit strategic motives lacks to be able to claim that they try to steal corporate secrets. For the US this appears to be the same case. They use technology companies to gain access to its initial targets, often governments. An example of this is the Belgacom hack, which the US conducted along with the UK, to spy on European political leaders.

This post dealt with two of the most active nations in attacking the maritime industry with their APTs: China and Russia. The next post will deal with two other nations that have shown significant cyber-hostilities in maritime industries: Iran and North Korea.




Keep me informed

Sign up for the newsletter