Passenger Ferry Delayed for Hours Due to Suspected Russian Cyber Attack
European investigators are examining whether Russian military hackers infiltrated the computer systems of a vessel owned by MSC-Mediterranean Shipping Company SA, the largest container shipping group in the world, according to sources familiar with the situation.
The ferry, which is operated by MSC’s Grandi Navi Veloci unit, was immobilized on Saturday in the southern French port of Sète as it was preparing to set sail for Algeria. Authorities detained the vessel to ensure that its operational systems had not been compromised. It ultimately departed the following morning.
A spokesperson for Grandi Navi Veloci confirmed to Bloomberg that the company had detected and neutralized an intrusion attempt on one of its ferries. The investigation, which involves both French and Italian officials, is still ongoing.
Authorities are exploring whether this attempted breach is connected to Russia’s military intelligence agency, the GRU. Although no public attribution has been made, this assessment is based on forensic analysis and similarities in tools, techniques, and procedures that align with activities reported by U.S. agencies, including the FBI and the Cybersecurity and Infrastructure Security Agency. Sources spoke on the condition of anonymity due to the sensitive nature of the inquiry.
This incident has raised alarms among security officials regarding the cybersecurity threats facing maritime transport. There are growing concerns about adversaries attempting to access ships’ onboard networks for tampering or conducting long-term surveillance. MSC, which controls the world’s largest container fleet, plays a vital role in global trade, linking Europe, Asia, and the U.S.
Such breaches pose significant global security risks, as maritime transport is responsible for carrying the majority of world trade. Cyberattacks can disrupt supply chains, threaten critical infrastructure, and expose sensitive military and commercial movements across the globe.
The attackers in this case aimed to access the ship’s office computer network, which would have allowed them to impersonate a legitimate user. Fortunately, they did not reach operational systems such as navigation, propulsion, or the Automatic Identification System (AIS). Investigators noted that the segregation between office and operational networks, along with the lack of remote access to critical controls, prevented lateral movement and ruled out scenarios of sabotage or hijacking.
While Grandi Navi Veloci’s spokesperson declined to comment on the extent of the hackers’ access, it is worth noting that this particular ship had been targeted previously. In November, investigators discovered a Raspberry Pi device, a small concealed computer, connected to a shipboard computer in a restricted area. This device was removed after triggering security alerts and is currently undergoing forensic analysis.
In the latest incident, a second Raspberry Pi device was found last week, connected to a different onboard computer. Similar to the first, it was paired with a cellular modem, allowing remote access to the ferry’s internal computer network. This device remains under judicial seizure and has not yet been fully analyzed.
A spokesperson for the Kremlin did not immediately respond to requests for comment.
Investigators have identified similarities in how the attackers established and maintained contact with external command-and-control servers, as well as the structure of those connections and the behavior of files introduced into the target environment. These patterns are consistent with operations previously attributed to Russia’s GRU, including Unit 29155.
Officials also suspect that a third Raspberry Pi device may still be active aboard another vessel, according to sources familiar with the investigation.
French media outlet Le Parisien has reported that French intelligence services are investigating the discovery of spyware aboard the ferry and are considering a possible Russian connection.
Copyright 2025 Bloomberg.
