DIGITAL LIFE

Ferry crew member faces charges in malware incident that shakes maritime cybersecurity

French authorities have launched a high-stakes investigation into possible foreign interference following the discovery of sophisticated malware aboard the Italian passenger ferry the Fantastic, which could have allowed remote users to take control of the ship systems and controls.

When the ship was docked recently in the port of Sète, Italian and French authorities plus maritime security services became aware of a Remote Access Trojan (RAT) embedded within the ship's electronic systems. The discovery led to the immediate arrest of a Latvian and a Bulgarian (who has since been released) crew members who had recently joined the vessel.

While the Latvian detainee initially appeared to be a standard maritime employee, investigators now believe he acted as a technical proxy for a foreign power. The Paris prosecutor’s office, which handles cases of national security and cybercrime, has formally opened a probe into potential attacks on the ship's automated data-processing system carried out by an organized group working for the interests of a foreign state.

Of course, this incident also exposes the vulnerable structure of ships' (and by extension, maritime industry's) IT infrastructure and critical navigation systems. Historically, these systems were physically separated to prevent outside interference. However, modern vessels increasingly rely on integrated networks to streamline operations, allowing engine performance data, cargo manifests, and navigation charts to be updated and monitored via the same interconnected hubs. The malware found on the Fantastic could have given remote operators the ability to intercept communications, manipulate GPS coordinates, or even disable steering and propulsion during transit.

Technical experts warn that the maritime sector is becoming a primary theater for gray zone warfare, where state actors use cyber-tools to disrupt logistics and sow panic without declaring open conflict. In the case of the Fantastic, the presence of a RAT on a passenger vessel carrying 2,000 civilians might have meant something beyond corporate espionage, but potential sabotage instead. Because ferries often utilize standard PC-based operating systems for administrative tasks, a compromised laptop or a USB drive inserted into a bridge console can serve as a beachhead for a much larger takeover.

French Interior Minister Laurent Nuñez highlighted the seriousness of the situation, noting that the method of delivery, i.e. placing a physical agent on the crew to install the software, suggests a level of planning typically used by intelligence agencies. As the vessel underwent rigorous cleansing of the RAT, security protocols at French ports were immediately tightened.

Future-proofing shipbuilding for a more resilient future...In 2024, the International Association of Classification Societies (IACS) introduced a pair of requirements that helped to standardize maritime cybersecurity. The requirements, known as UR E26 and E27, mandate that cybersecurity is embedded into ship design and ensures a more holistic approach to shipbuilding. These requirements also align with existing frameworks such as IEC 62443 and NIST.

UR E26 focuses on the cyber resilience of ships themselves, while E27 is aimed at the resilience of on-board systems and equipment. Both requirements aim to increase cyber resilience and mitigate the effects of cyber incidents arising from disruptions to operational technology (OT) in ship operations.

These requirements play a key role in vessels’ resilience to withstand disruption. Moreover, they help mitigate the impact of cyberattacks on public safety. To minimize threats to both areas, it’s critical for shipyards to produce vessels that align to these standards, and future-proof fleets to be ready for a digital future that’s rife with new threats, including managed provisioning of privileged access to key systems.

Historically, operating a vessel required physical presence in the captain’s chair. Today, the proliferation of new technologies allows individuals from virtually any workstation to access and control much of the world’s critical infrastructure.

mundophone