Kessler-Spoofing-June-2024-2.jpg

In early June 2024, dozens of merchant ships began transmitting AIS positions that correspond to airports in the occupied Crimean peninsula and Gelendzhik Airport in the Russian Federation. As of June 4, 2024, nearly 50 vessels broadcast their location as the International Airport of Simferopol, Crimea, and approximately 30 vessels at Gelendzhik Airport. Though AIS spoofing is known to occur in the Black Sea region, an event of this magnitude is uncommon. 

The number of these ships varies over time. In the previous few days, fewer ships were spoofed at these locations, while their number increased from June 3. The massive spoofing event appears to target all kinds of vessels, from bulk carriers to tankers and tugboats, which keep appearing and disappearing at improbable speeds in excess of 40 knots (and sometimes greater than 100 knots). For example, AIS data on June 4 showed the crude oil tanker Coatlique (IMO: 9235000) sailing at 102.2 knots while at anchor.

Many of the vessels appearing in Crimea are Russian-flagged and their real position is unknown for now, although is reasonable to assume their presence nearby in the area around the Kerch Strait, a position where Coatlique is known for loitering with frequent AIS blackouts and for engaging in STS transfers. Some of these vessels had experienced spoofing events in the past as well. By the morning of June 5, the spoofing event was over and the vessels no longer appeared at the airport.

At Gelendzhik Airport the situation is the same, with some vessels sailing at 50 knots on the airport’s runway. For example, crude oil tanker Athina M (IMO: 9644237) broadcast its position in the airport with a velocity of 0.0 kn, while her real position remains unknown (though certainly in the Black Sea).

It’s very likely that this event is correlated to the electronic warfare and jamming activities of the Russo-Ukrainian war taking place a few miles from these two locations. However, AIS disturbance involving such a large number of vessels, and in two locations at the same time, is something that hasn’t happened in a while. This is reminiscent of a mass spoofing event that involved Atria (IMO 9595137, now Stromboli M) and nearly two dozen other vessels in June 2017.

Source: maritime-executive.com

AUTHORS:
Alessio Armenzoni who is an Associate Fellow at the London-based Open Source Centre. He studied at the Centre for Higher Defense Studies from the Italian MoD.
Giangiuseppe Pili, Ph. D. who is an Assistant Professor in the Intelligence Analysis Program at James Madison University. He is an Associate Fellow at Open Source Intelligence and Analysis at the Royal United Services Institute.
Gary C. Kessler, Ph.D, CISSP who is a maritime cybersecurity researcher and consultant living in Florida. He is on the advisory board of Cydome and a principal consultant at Fathom5.

The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.

Joomla! Debug Console

Session

Profile Information

Memory Usage

Database Queries