U.S. Coast Guard cyber teams have discovered that ships in the so-called dark fleet — tankers that ferry sanctioned oil from Iran and Russia around the world — are using remote desktop applications, pirated software with malware, and digital deception systems to evade authorities, according to a new Coast Guard report shared exclusively with the Wall Street Journal.
Rear Adm. Jason Tama, head of the Coast Guard’s Cyber Command, said the boardings revealed cyber risks that officials had not anticipated. “We’ve known for years that the dark fleet posed significant physical risks, because we knew they were operating old ships, they weren’t maintaining them,” Tama said. “But what we didn’t know until these boardings was what type of cyber risks were aboard these ships.”
The report details how dark-fleet owners use remote desktop applications such as AnyDesk and TeamViewer as “persistent installations” that allow unattended remote access, meaning connections could be established without a person present at the workstation. In at least one boarding, administrators attempted to remotely delete data after the U.S. took control of the vessel, the report said.
“These vessels are attempting to hide in plain sight,” said Rear Adm. David Barata, deputy commandant for operations policy and capabilities for the Coast Guard. He described dark-fleet tactics including the use of multiple Automatic Identification System devices and toggle switches to electronically flip between vessel names — the digital equivalent of painting over the ship’s real name on the hull. “Not unlike when somebody searches the obituaries and takes up a name,” Barata said, dark-fleet owners seek out names of vessels that have been deconstructed and taken to breaker yards to create plausible identities.
Custom-made Ethernet cables soldered to AIS system ports enable crews to broadcast fake location data. How-to guides were found aboard the ships detailing additional methods for faking GPS information, according to the report. Barata cited one vessel that was showing its position as Curaçao when it was actually lightering oil off Venezuela.
The cyber teams also discovered that some ships run pirated software for business-management and navigation purposes that is loaded with malware. Officials say the infected computers are inherently risky because they are connected to critical operational and navigational systems aboard vessels carrying tens of millions of gallons of volatile crude oil. “There’s always a risk of fire explosion,” Tama said, emphasizing the need to manage the atmosphere in the oil tanks carefully.
The Coast Guard’s findings support the conclusion that the tankers are intentionally designed for illicit activity, not accidentally caught up in sanctioned trades, according to Michelle Wiese Bockmann, senior maritime intelligence analyst at Windward AI. “If that’s what they’re putting out publicly, I can only imagine what they have found and not disclosed,” Bockmann said.
Since the U.S. launched a global crackdown on the dark fleet in December, countries including France, the United Kingdom and Germany have blocked and seized tankers ferrying Russian oil. Over the weekend, U.K. Royal Marines boarded a tanker sailing in the English Channel.
Analysts say dozens of dark-fleet vessels stuck in and around the Persian Gulf could resume illicit trade if the U.S. and Iran sign a deal to reopen the Strait of Hormuz, potentially adding to the number of tankers being pursued. “The ocean is big, but the ports where they deliver oil are known,” Barata said, adding that a concerted international effort could improve vessel conditions and reduce the risk of an environmental disaster.