In 2024, the maritime industry experienced a sharp rise in cyber threats, in a sector that is becoming more digitalised while still suffering from critical vulnerabilities. This is the picture painted by the Global Maritime Cyber Threat Report for the second half of the year, compiled by Marlink. The analysis, based on more than 30 billion network events recorded in the period, reveals a landscape in which cyberattacks are not only growing in frequency but are also becoming faster, more targeted and more complex.
A defining feature of this phase is the increasingly entrepreneurial nature of cybercrime. Criminal actors now operate with corporate-style structures, making extensive use of services such as ransomware-as-a-service, access brokers, and legitimate tools misused for malicious purposes, such as PowerShell and AnyDesk. This model reduces reliance on traditional malware and makes detection more difficult. Compounding the challenge is the growing use of generative artificial intelligence, deployed to craft more convincing phishing attacks, accelerate the development of malicious code and automate large portions of attack sequences.
In many cases, the time needed for attackers to move from initial access to full system compromise has dropped below an hour, with some incidents occurring in under a minute. What is perhaps most surprising is that the most commonly used method is not zero-day attacks or advanced exploits, but the use of valid credentials, often obtained through phishing or theft. The breach then occurs via open remote access channels such as VPN and RDP, and by executing native operating system commands, effectively bypassing traditional antivirus defences.
The sample observed by Marlink includes nearly two thousand vessels, over twenty-two thousand protected endpoints and around ten thousand email accounts. Despite widespread adoption of security tools, the data reveals a worrying prevalence of risky practices. More than three million malware incidents were detected, with a notable presence of pirated software and illegal activators, which not only jeopardise operational stability but also open the door to targeted attacks. The presence of stealthy botnets such as Torpig, Mozi and Mirai demonstrates the ability of attackers to maintain latent control over ships, potentially using them as platforms to launch external attacks.
Email remains one of the main vectors for threats. Out of more than five million messages analysed, around nine hundred thousand were blocked for spam, phishing or spoofing. Particularly insidious is traffic from third-party vendors who fail to implement basic protective measures such as the DMARC, SPF and DKIM protocols, underscoring the ongoing vulnerability of the maritime supply chain in terms of cybersecurity.
There are also growing signs of involvement by state-backed actors, including well-known groups such as APT33, APT41, Lazarus and APT28, often linked to geopolitical interests. Alongside them operate criminal gangs such as LockBit, Play, Akira and Rhysida, which employ multi-layered extortion tactics, combining data encryption, information theft and reputational threats. Particularly concerning is the resurgence of Remcos, a remote control malware capable of bypassing even multi-factor authentication and ensuring prolonged access to onboard systems.
The most exploited vulnerabilities during the semester are largely well-known and documented, such as those affecting Microsoft Outlook, Citrix NetScaler and Apache Log4j2. Their persistence highlights the difficulty organisations face in keeping their systems updated, especially when operating in isolated environments like ships. Even legitimate tools such as WinSCP, ScreenConnect and Metasploit are frequently abused to carry out invisible offensive operations.
Looking ahead, Marlink forecasts that in 2025 threats will become even more automated and increasingly AI-driven. Attacks are expected to expand further into OT and IoT systems, with possible repercussions on the physical safety of vessels. Cybercrime will make growing use of ransomware-as-a-service and advanced extortion techniques, while campaigns based on deepfakes and supply chain attacks—particularly targeting software and cloud services—are likely to multiply.
Against this backdrop, Marlink’s recommendations focus on systematically strengthening defensive postures. It is essential to align with international standards such as IMO 2021 and NIS2, to segment onboard IT and OT networks, to implement strong authentication and credential management solutions, to ensure continuous monitoring even under limited connectivity conditions, and to establish a secure patching cycle tailored to the maritime environment. Equally important is serious investment in crew training, so that awareness and incident readiness become integral parts of onboard culture.
The year 2024 has shown that maritime transport has entered a new era of cyber risk exposure. The good news is that many of the vulnerabilities observed can still be addressed through concrete and relatively straightforward interventions. The year 2025 could prove a turning point: on one side, attackers will become faster, smarter and more elusive; on the other, organisations that recognise the urgency of change could turn cybersecurity into a competitive advantage, reinforcing the resilience not just of individual fleets, but of the entire maritime economy.