EARLIER this month, an unusual surge saw hundreds, potentially thousands, of vessels appear to “jump” from disparate global locations to the Baltic Sea. The incident, now under investigation, exposed the vulnerabilities in the systems that underpin modern maritime tracking and navigation.
At around 1100 hrs on November 2 an anomaly was recorded in the Automatic Identification System network lasting approximately 10 minutes.
The incident resulted in implausible recording of AIS positions, with a host of vessels incorrectly displayed as being in the shipping channel between the island of Bornholm and the Gulf of Finland.
“Such discrepancies can cause confusion within the maritime industry, particularly for systems and services that rely on accurate AIS data for navigation and monitoring,” said Paul Copperwheat, senior ship tracking analyst at Lloyd’s List Intelligence.
The issue was traced to an AIS receiving station transmitting erroneous data.
Once identified, the data provider suspended the station to prevent further distribution of incorrect information, according to a Lloyd’s List Intelligence investigation.
Third-party GNSS interference is rampant in the region, particularly in the areas around Russian ports, but this illegitimate data was not the outcome of such disruption.
The Finnish Border Guard, who first noticed the anomaly, told Lloyd’s List that they use many different tools and sources of information to monitor traffic in the Baltic Sea, in cooperation with Traficom.
Traficom, the Finnish Transport and Communications Agency, is a government authority managing Finland’s AIS base-station network and maritime safety systems.
As it allocates radio frequencies and supervises compliance with radio regulations, it is responsible for regulating, licensing, and maintaining Finland’s AIS network.
Traficom maritime director Sanna Sonninen told Lloyd’s List that it knew how it happened but “why it happened is unclear”.
“A private station located in Parainen, Finland, owned by a private owner who has an antenna that is receiving information from the sea, transmits these AIS signals received from the sea to commercial vessel-tracking services. In this case it is possible that somebody, somehow, hacked the station. And this station transmitted hundreds of falsified AIS data to a ship tracking data provider. So it can be a computer hacking issue but we don’t know the details yet,” Sonninen said.
“It is a failure in the commercial system.”
NORMA Cyber head of intelligence Arne Asplem said the AIS station in Parainen operated by a radio amateur was a possible source of the fake AIS tracks.
An amateur radio operator is a non-commercial transmitter operated by an individual. Commercial transmitters are run by a professional maritime organisation or vessel. These amateur receivers are legal, but require a radio license issued by Traficom to upload data to global platforms and are not permitted to transmit unlicensed AIS messages.
Experts are also still in the process of investigating the incident and are unable to provide any definitive answers as to why the data was tampered with and by whom.
Sonninen said that Traficom was fully aware of the location of the station, and the operator of the station who “inadvertently fed the system with aggregated data” was under investigation by Finnish authorities.
Some analysts said it looked like an attack on AIS data itself, with someone flooding the frequency with a barrage of fake AIS signals directly.
Royal Institute of Navigation chief executive Ramsey Faragher said that if evidence could be uncovered that both a satellite recorded the fake data as well as an amateur AIS station, then “it is highly possible that a bad actor transmitted fake AIS data somewhere in the region to the amateur’s location”.
Analysis indicates that a large number of vessels showed up on several vessel tracking services between 1108 hrs and 1114 hrs on November 2, also at 1748 hrs the same day.
It does not appear that a specific location or type of ship was targeted.
Bulk carrier Meghna Princess was berthed at Rugao port, China, when it was pulled temporarily into the Baltic.
The disruption also impacted vessels who were not transmitting AIS data at the time of the incident.
Sanctioned aframax Volans (IMO: 9422988), for example, hadn’t broadcast an AIS signal since late April, before it briefly appeared in the Baltic Sea just after 1100 hrs on November 2.
According to Lloyd’s List Intelligence data, 609 cargo-carrying vessels transmitted AIS data, indicating they were actively sailing within the Baltic Sea on November 2. This figure was 485 on November 1 and 423 on November 3.
Copperwheat said there is an inherent risk of data corruption or interference when one source transmits faulty information because AIS data is aggregated from multiple independent sources.
“The distributed nature of AIS networks means that errors from a single station can propagate across several data platforms until detected and corrected,” he added.
According to Asplem, this is not the first incident of fake AIS tracks appearing in the Baltic Sea region, with four such incidents from 2021 being investigated in 2022.
