Saturday, June 08, 2024

 

Mass AIS Spoofing Event "Moves" Dozens of Ships to Crimean Airport

The mass spoofing event at the airport in Simferopol, 0300 UTC, June 4, 2024
The mass AIS spoofing event at the airport in Simferopol, 0300 UTC, June 4, 2024 (MarineTraffic)

PUBLISHED JUN 5, 2024 6:25 PM BY GIANGIUSEPPE PILI, ALESSIO ARMENZONI AND GARY KESSLER

 

 

In early June 2024, dozens of merchant ships began transmitting AIS positions that put them at airports in the occupied Crimean peninsula and the Russian Federation. As of June 4, 2024, nearly 50 vessels broadcast their location as the International Airport of Simferopol, Crimea, and approximately 30 vessels at Gelendzhik Airport near Novorossiysk. Though AIS spoofing is known to occur in the Black Sea region, an event of this magnitude is uncommon

Spoofing at Simferopol International Airport. Sources: Marine Traffic, annotated by the authors

The number of these ships varies over time. In the previous few days, fewer ships were spoofed at these locations, while their number increased from June 3. The massive spoofing event appears to target all kinds of vessels, from bulk carriers to tankers and tugboats, which keep appearing and disappearing at improbable speeds in excess of 40 knots (and sometimes greater than 100 knots). For example, AIS data on June 4 showed the crude oil tanker Coatlique (IMO: 9235000) sailing at 102.2 knots while at anchor.

Many of the vessels appearing in Crimea are Russian-flagged and their real position is unknown for now, although is reasonable to assume their presence nearby in the area around the Kerch Strait, a position where Coatlique is known for loitering with frequent AIS blackouts and for engaging in STS transfers. Some of these vessels had experienced spoofing events in the past as well. By the morning of June 5, the spoofing event was over and the vessels no longer appeared at the airport.

At Gelendzhik Airport the situation is the same, with some vessels sailing at 50 knots on the airport’s runway. For example, crude oil tanker Athina M (IMO: 9644237) broadcast its position in the airport with a velocity of 0.0 kn, while her real position remains unknown (though certainly in the Black Sea).

Spoofing at Gelendzhik Airport (Russian Federation). Sources: Marine Traffic, annotated by the authors.

It’s very likely that this event is correlated to the electronic warfare and jamming activities of the Russo-Ukrainian war taking place a few miles from these two locations. However, AIS disturbance involving such a large number of vessels, and in two locations at the same time, is something that hasn’t happened in a while. This is reminiscent of a mass spoofing event that involved Atria (IMO 9595137, now Stromboli M) and nearly two dozen other vessels in June 2017.

Alessio Armenzoni is an Associate Fellow at the London-based Open Source Centre. He studied at the Centre for Higher Defense Studies from the Italian MoD.

Giangiuseppe Pili, Ph. D. is an Assistant Professor in the Intelligence Analysis Program at James Madison University. He is an Associate Fellow at Open Source Intelligence and Analysis at the Royal United Services Institute.

Gary C. Kessler, Ph.D, CISSP is president of Gary Kessler Associates, providing maritime cybersecurity training and consulting services, and co-author of "Maritime Cybersecurity," 2/e. He is on the advisory board of Cydome and a principal consultant at Fathom5.

The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.

No comments: