Ransomware and data theft is highly likely considered both profitable and thrilling by threat actors, and it is unlikely that the volume of attacks will decrease in 2025, according to the annual threat assessment 2025 of the Nordic Maritime Cyber Resilience Centre, NORMA Cyber, a hub for operational cyber security efforts within the Nordic maritime industry.
NORMA Cyber recorded 45 instances of threat actors openly claiming maritime victims in 2024.
There are likely dark numbers, as not all threat actors use the name-and-shame tactic and victims who pay the ransom demand tend not to be listed.
Meanwhile, 72 confirmed compromised accounts and devices have been reported by NORMA Cyber to maritime organisations.
Although 45 maritime victims are less than the 72 reported in 2023, the opportunistic nature of cybercrime makes it likely that the numbers will fluctuate in between years, as NORMA Cyber states.
Fraud campaigns tailored to the maritime sector will likely occur at a low but steady rate in 2025. These campaigns use industry-specific terminology and topics.
Criminals familiar with the sector likely perceive it as lucrative. Maritime-themed phishing emails observed by NORMA Cyber in 2024 were centred around vessel and cargo information and port operations, a theme that is likely to continue in 2025.
As reported by NORMA Cyber, in 2024 Russia alone was suspected of carrying out more than 40 sabotage operations in Europe, including both cyber and physical initiatives.
According to the NORMA Cyber annual threat assessment, while the current threat of destructive cyber operations against the maritime sector from Russia is low, the threat levels could change rapidly if the Russian regime feels threatened or seeks leverage against European nations.
“In such a scenario, cyber operations are likely to be launched as part of a hybrid attack, with entities affiliated with energy infrastructure, undersea infrastructure, and critical digital infrastructure likely being the preferred targets,” the assessment notes.
As it is highlighted, the threat from criminal campaigns affecting entities in the Nordics, either directly or indirectly, is high. “Financially motivated threat actors will likely remain opportunistic in their targeting.”
“In terms of business impact, ransomware attacks pose the most significant threat, although a successful fraud scheme may be equally expensive. Instead of deploying malware for initial access and actions on the objective, criminals are increasingly likely to use deception and legitimate tooling.”
On the other hand, the threat from influence operations directly targeting the Nordic maritime sector is low. However, NORMA Cyber says that maritime entities in the Nordics will highly likely be used as pawns in information operations as part of geopolitical tensions in 2025.
“Maritime organisations operating in, or with ties to, states or regions affected by geopolitical tensions face a moderate threat from threat actors exerting pressure through cyber disruption.”
There is a high threat of cyber espionage operations against the maritime sector due to its role in national security and the global economy. According to the annual threat assessment 2025, states are expected to continue to use cyber espionage to gain advantages or insights into ongoing conflicts in the coming year, affecting organisations within the maritime sector.
