A report published earlier this month confirmed what I have been telling clients for the last two years: state-sponsored threat actors are not abstractly interested in maritime. They are actively inside maritime supply chains right now.
The Hacker News reported that APT28, the Russian military intelligence cyber unit also known as Forest Blizzard and Pawn Storm, has been running a spear-phishing campaign since at least September 2025 deploying a previously undocumented malware suite called PRISMEX. The targets include maritime and transportation sectors in Romania, Slovenia, and Turkey, along with NATO logistics partners handling ammunition supply chains across Slovakia and the Czech Republic.
This is not a theoretical threat briefing. This is an active campaign with confirmed victims in the maritime sector.
What makes PRISMEX different
Most maritime malware I have dealt with over the last decade has been opportunistic. Ransomware operators casting wide nets, hoping to catch a shipping company that has not patched a known vulnerability. APT28 is not that. This is targeted espionage with a sabotage capability built in.
PRISMEX uses steganography to hide payloads inside image files, COM hijacking for persistence, and legitimate cloud services for command and control. That last detail is the one I want vessel operators to focus on. When the malware's C2 traffic looks like normal HTTPS to a mainstream cloud provider, your satellite link's traffic inspection is not going to flag it. In at least one documented incident from October 2025, the payload included a destructive wiper that could erase files on command. Not just espionage. Sabotage.
The campaign also exploited two zero-day vulnerabilities (CVE-2026-21509 and CVE-2026-21513) with infrastructure prepared two weeks before the flaws were publicly disclosed. If your patch cycle starts when a CVE goes public, APT28 had a two-week head start.
Why this matters for vessel operators
You might read "NATO logistics partners" and conclude this does not apply to a 60-meter yacht in the western Mediterranean. I would push back on that assumption.
First, the targeting pattern. APT28 selected maritime and transport operators in countries that border the Black Sea and eastern Mediterranean, the same waters where a substantial number of luxury charter operators run seasonal itineraries. Every vessel that connects to shore-side fleet management, provisioning, or crew scheduling systems is a node in that logistics chain.
Second, the dual-use capability. A malware suite that can both exfiltrate data and destroy files on command is a different threat model than ransomware. Ransomware wants you to pay. A wiper wants you to stop functioning. If a vessel's fleet management system gets wiped during a period of degraded satellite connectivity, there is no calling shore IT for help. The gap between "the wiper executes" and "someone with the right access can respond" might be measured in days, not hours.
Third, the attack surface keeps expanding. I wrote recently about the NAVTOR NavBox vulnerability and the broader trend Dryad Global documented: cyber threats have moved beyond shore-side IT into operational vessel systems. Every satellite-connected OT device on a vessel is a potential entry point. APT28 does not need to target your yacht directly. It needs to compromise one vendor in your supply chain.
What on-vessel security monitoring changes
I am not going to pretend that putting GPUs on a yacht solves a nation-state threat actor. What I will say is that the security architecture of an on-vessel AI deployment changes the defensive calculus in two specific ways.
An on-vessel system running anomaly detection locally can spot unusual COM object behavior, unexpected outbound connections to cloud services, and file-system changes consistent with wiper preparation, all without needing a shore-side SOC to be reachable. It does not depend on the same satellite link that an attacker may be using for C2. When the knowledge ark is running its own security monitoring, that monitoring continues even when the link is compromised. That is the difference between sovereign AI and a cloud dashboard that goes dark at the worst possible moment.
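As an added illustration of the local detection logic described above, covering the three PRISMEX behaviours the post names (COM persistence, cloud-bound C2, wiper-style deletion), the following Python is example code, not from the article or any product it mentions. It runs three detectors over constructed host telemetry and correlates them per process; the registry path prefix, the cloud domain suffix and the egress allowlist are assumed baseline values a real vessel would replace with its own.

```python
from collections import defaultdict
# Constructed host telemetry (not from the article), in the shape a local sensor
# on the vessel might emit; "t" is seconds since an arbitrary epoch.
EVENTS = [
    {"t": 100, "type": "registry", "proc": "update.exe",
     "key": r"HKCU\Software\Classes\CLSID\{EXAMPLE-CLSID}\InprocServer32",
     "value": r"C:\Users\crew\AppData\Roaming\cache\helper.dll"},
    {"t": 101, "type": "network", "proc": "onedrive.exe", "dst": "files.example-cloud.test", "port": 443},
    {"t": 102, "type": "network", "proc": "update.exe", "dst": "api.example-cloud.test", "port": 443},
    *[{"t": 110 + i, "type": "file_delete", "proc": "update.exe", "path": rf"D:\fleet\voyage_{i:03}.db"}
      for i in range(6)],
    {"t": 300, "type": "file_delete", "proc": "explorer.exe", "path": r"C:\Users\crew\Desktop\notes.txt"},
]
# Assumed per-vessel baseline: user-writable dirs, on-board cloud domains, expected egress processes.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
CLOUD_SUFFIXES = (".example-cloud.test",)
EGRESS_ALLOWLIST = {"onedrive.exe"}

def detect_com_hijack(events):
    """Per-user CLSID InprocServer32 entries that point into user-writable paths."""
    return [e for e in events if e["type"] == "registry"
            and e["key"].lower().startswith("hkcu\\software\\classes\\clsid\\")
            and e["key"].lower().endswith("\\inprocserver32")
            and any(s in e["value"].lower() for s in USER_WRITABLE)]

def detect_unexpected_cloud_egress(events):
    """HTTPS to the on-board cloud domains from a process outside the baseline."""
    return [e for e in events if e["type"] == "network" and e["port"] == 443
            and e["dst"].endswith(CLOUD_SUFFIXES) and e["proc"] not in EGRESS_ALLOWLIST]

def detect_mass_deletion(events, window=60, threshold=5):
    """Processes deleting >= threshold files within any `window`-second span."""
    times = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):  # chronological, so each list is sorted
        if e["type"] == "file_delete":
            times[e["proc"]].append(e["t"])
    return {proc for proc, ts in times.items()
            if any(ts[i + threshold - 1] - ts[i] <= window
                   for i in range(len(ts) - threshold + 1))}

def triage(events):
    """Correlate the detectors per process so multi-indicator processes rank first."""
    indicators = defaultdict(set)
    for e in detect_com_hijack(events):
        indicators[e["proc"]].add("com_hijack")
    for e in detect_unexpected_cloud_egress(events):
        indicators[e["proc"]].add("unexpected_egress")
    for proc in detect_mass_deletion(events):
        indicators[proc].add("mass_deletion")
    return dict(indicators)
```

Each detector on its own produces noise on a live host; the point of `triage` is that a single process tripping all three is worth acting on even when no shore-side SOC is reachable.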
Data that never leaves the vessel cannot be exfiltrated through the satellite link. PRISMEX's espionage function relies on moving data from the target environment to attacker-controlled infrastructure. An AI system that processes guest data and operational intelligence entirely on board, with no persistent cloud connection, presents a fundamentally smaller exfiltration surface.
None of this replaces the basics. You still need network segmentation, vendor SBOMs, patch management, and an incident response plan that assumes the satellite link is down when the attack hits. But architecture matters. A vessel that keeps its AI, its data, and its security monitoring local is a harder target than one that depends on shore-side infrastructure for all three.
APT28 is not going to lose interest in maritime. The question is whether your vessel's security posture assumes they are already trying.
Evaluating your vessel's threat model against state-sponsored campaigns? Let's talk. We design sovereign AI deployments where the security monitoring keeps running even when the link goes dark.