5 Maritime Cyber Attacks That Changed the Industry

The maritime industry’s cybersecurity awakening did not come from a whitepaper or a regulatory mandate. It came from real attacks – devastating, costly, and in some cases, physically dangerous incidents that exposed the fragility of digital infrastructure underpinning global trade. These five events transformed how ports, shipping lines, and terminal operators think about cyber risk.

1. Maersk and NotPetya (June 2017) – The $300 Million Wake-Up Call 💀🚨

On June 27, 2017, the NotPetya malware swept across global networks, and no organization felt the impact more acutely than A.P. Moller-Maersk, the world’s largest container shipping company. Within hours, the attack rendered nearly all of Maersk’s IT systems inoperable. Across 76 port terminals operated by APM Terminals, screens went dark, booking systems froze, and container tracking became impossible.

The damage was staggering. Maersk estimated total losses at approximately $300 million. The company rebuilt its entire IT infrastructure – 45,000 PCs, 4,000 servers, and 2,500 applications – in just ten days, an effort their CISO later described as “a complete infrastructure rebuild at wartime speed.”

What changed. NotPetya proved that a cyber attack could paralyze a major segment of global shipping. It demonstrated that maritime companies were not peripheral targets but high-value victims whose disruption had cascading economic consequences. The incident directly motivated the IMO to adopt Resolution MSC.428(98), requiring cyber risk management in safety management systems by January 2021. It also catalyzed the first wave of serious cybersecurity investment across the maritime sector.

Lesson for ports: Supply chain interconnection means that a malware outbreak originating outside the maritime sector can still devastate port operations. Network segmentation and offline backup capabilities are non-negotiable.

2. Port of San Diego (September 2018) – Ransomware Hits a U.S. Port 💀🚨

In September 2018, the Port of San Diego disclosed that a ransomware attack had disrupted its administrative IT systems. While the port’s core maritime operations – cargo handling, vessel scheduling – continued functioning, the attack impacted internal communications, permitting systems, and public-facing services for weeks.

The significance. This was one of the first publicly acknowledged ransomware attacks on a U.S. port authority. Occurring just days after a similar attack on the Port of Barcelona, it signaled that port authorities were firmly in the crosshairs of ransomware operators.

What changed. The San Diego incident highlighted the gap between IT and OT security at port authorities. While operational technology kept running, the administrative disruption demonstrated that ports had not adequately planned for scenarios where business systems were compromised. It accelerated the U.S. Coast Guard’s focus on cybersecurity within Maritime Transportation Security Act (MTSA) facility security plans and prompted CISA to increase engagement with the maritime sector.

Lesson for ports: Even if OT systems survive an attack, disrupted IT systems can cripple port operations through indirect effects on billing, customs processing, and stakeholder communication.

3. Shahid Rajaee Port, Iran (May 2020) – A Cyber Attack with Geopolitical Dimensions 💀🚨

In May 2020, the Shahid Rajaee port in Bandar Abbas, Iran, suffered a cyber attack widely attributed to an Israeli operation. The attack targeted the port’s traffic management systems, causing massive congestion as trucks and vessels backed up for days. Satellite imagery confirmed the disruption, showing queues of container trucks stretching for miles.

The significance. This incident was notable for being an apparent state-sponsored cyber attack specifically targeting port infrastructure as an instrument of geopolitical conflict. It demonstrated that ports are not just targets for financially motivated criminals but also for nation-state actors pursuing strategic objectives.

What changed. The Shahid Rajaee attack forced the global port community to confront the reality of state-sponsored threats against maritime infrastructure. It underscored that port cybersecurity is a matter of national security, not just commercial risk. Intelligence agencies and military cyber commands in multiple countries increased their focus on port infrastructure protection in the aftermath.

Lesson for ports: Threat modeling must include nation-state actors. Ports in geopolitically sensitive regions face elevated risk and need defense capabilities that account for sophisticated, well-resourced adversaries.

4. DP World Australia (November 2023) – When a Major Operator Goes Offline 💀🚨

In November 2023, DP World Australia – which handles approximately 40% of Australia’s container trade – detected unauthorized access to its network and responded by disconnecting its systems from the internet. This containment decision, while prudent from a security standpoint, halted container movement across terminals in Sydney, Melbourne, Brisbane, and Fremantle for three days.

The scale was enormous. Approximately 30,000 containers were stranded during the outage. The Australian government activated its National Coordination Mechanism, involving the Australian Federal Police, Australian Signals Directorate, and the National Cyber Security Coordinator.

What changed. The DP World incident demonstrated that cybersecurity incidents at a single operator can have economy-wide impact when that operator controls a significant share of national port capacity. It prompted the Australian government to announce strengthened cybersecurity requirements for critical infrastructure operators and renewed debate about concentration risk in port operations.

Lesson for ports: Incident response plans must account for the full economic impact of containment decisions. The decision to disconnect systems to stop an attacker can itself cause massive operational disruption. Pre-planned, rehearsed procedures for graceful degradation are essential.

5. MSC (April 2020) – Even the Largest Are Vulnerable 💀🚨

In April 2020, Mediterranean Shipping Company (MSC), the world’s second-largest container shipping line, suffered a malware attack that brought down its main data center in Geneva for five days. The company’s website, customer portal, and booking systems were all offline during the incident. MSC described the attack as the result of “an engineered targeted vulnerability” exploiting a previously unknown weakness.

The significance. Coming just three years after the Maersk/NotPetya disaster, the MSC attack demonstrated that even the largest maritime companies with the resources and motivation to invest in cybersecurity remained vulnerable. It dispelled any notion that the industry had solved the problem after NotPetya.

What changed. The MSC incident reinforced the message that cybersecurity is not a one-time investment but an ongoing operational discipline. It prompted shipping lines to accelerate adoption of redundant systems, geographically distributed infrastructure, and improved business continuity planning. It also highlighted the importance of transparent communication during incidents – MSC’s relatively open disclosure was noted positively by the industry.

Lesson for ports: No organization is too large or too well-resourced to be compromised. Resilience – the ability to continue operating and recover quickly – is as important as prevention.

The Common Thread 📖

Across all five incidents, a consistent pattern emerges: isolation amplifies vulnerability. Each organization faced its attack alone, discovered the threat through its own detection capabilities (or lack thereof), and managed the response with its own resources. In every case, earlier intelligence sharing could have accelerated detection. In every case, shared playbooks and coordinated response protocols could have reduced the impact. Today, PCA’s IOC Database ensures that indicators from any member-reported incident are distributed across the network within minutes, and our best practices library provides the proven response playbooks that were missing in each of these events. For in-depth technical analysis of incidents like these, explore the PCA case studies library.

These five attacks are the reason the Port Cyber Alliance exists. The next major maritime cyber incident is not a question of “if” but “when.” The question is whether the industry will face it together or alone. If your port experiences a cyber event, PCA is ready to help – learn how through our incident reporting process.

Join the collective defense: portcyberalliance.org/membership
