Maritime OSINT in Detail

Due to very popular demand, this article written by Dipti Yadav has been dug up from the Internet Archive and put back in place. Dipti wrote articles during the early days of Hacktoria.

May 25, 2022 by Dipti Yadav

I don’t quite actually know why I love maritime OSINT, but maybe it is the vulnerability of their systems which grabs my attention so much.

If you have been into OSINT for some time, you might have already heard of some maritime-related tools. So let’s start with the basics!

Vessels and their tracking

A ship can be identified through its IMO and MMSI numbers. The IMO Ship Identification Number is a unique seven-digit number that remains unchanged through a vessel’s lifetime and is linked to its hull, regardless of any changes of name, flag, or owner. Unlike the IMO number, the Maritime Mobile Service Identity (MMSI) is a unique nine-digit number, a temporarily assigned UID issued by the vessel’s current flag state and used to contact that individual vessel. It is entered into the DSC radios and AIS units used on that vessel. Ships conducting suspicious activities oftentimes spoof their MMSI mid-voyage.
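
As an added example (not part of the original article), the sketch below cross-checks the two identifiers in collected AIS static data: it validates the IMO check digit, checks that the MMSI has the ship-station format, and flags an IMO number seen under several MMSIs or one MMSI claiming several IMO numbers. The record layout, function names and sample values are assumptions made for illustration.

```python
from collections import defaultdict

def imo_is_valid(imo: str) -> bool:
    """Weights 7..2 on the first six digits; last digit of the sum = 7th digit."""
    if len(imo) != 7 or not imo.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(imo[:6], range(7, 1, -1)))
    return total % 10 == int(imo[6])

def mmsi_is_ship_station(mmsi: str) -> bool:
    """Ship-station MMSIs are nine digits whose leading MID starts with 2-7."""
    return len(mmsi) == 9 and mmsi.isdigit() and mmsi[0] in "234567"

def review_identities(records):
    """records: iterable of (timestamp, mmsi, imo) from AIS static data."""
    mmsi_by_imo, imo_by_mmsi = defaultdict(set), defaultdict(set)
    findings = set()
    for _ts, mmsi, imo in records:
        if not imo_is_valid(imo):
            findings.add(("invalid_imo_check_digit", imo, mmsi))
        if not mmsi_is_ship_station(mmsi):
            findings.add(("mmsi_not_ship_format", mmsi, imo))
        mmsi_by_imo[imo].add(mmsi)
        imo_by_mmsi[mmsi].add(imo)
    # The IMO number follows the hull, so a change of MMSI under one IMO
    # number deserves a look (it can also be a legitimate reflagging).
    for imo, seen in mmsi_by_imo.items():
        if len(seen) > 1:
            findings.add(("imo_under_multiple_mmsi", imo, ",".join(sorted(seen))))
    for mmsi, seen in imo_by_mmsi.items():
        if len(seen) > 1:
            findings.add(("mmsi_claims_multiple_imo", mmsi, ",".join(sorted(seen))))
    return sorted(findings)

# Constructed sample records (not real vessels): timestamp, MMSI, IMO.
SAMPLE = [
    ("2022-05-01T00:00", "477000001", "1234567"),
    ("2022-05-03T06:00", "352000002", "1234567"),  # same hull number, new MMSI
    ("2022-05-02T00:00", "636000003", "8765432"),  # check digit should be 6
    ("2022-05-04T00:00", "636000003", "9123453"),  # one MMSI, second IMO number
    ("2022-05-05T00:00", "123456789", "9123453"),  # MMSI does not start with 2-7
]

if __name__ == "__main__":
    for finding in review_identities(SAMPLE):
        print(finding)
```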

Vessels, hmm... could be cargo ships, tankers, cruise ships, yachts, ferries, fishing boats and military ships. The sources for gathering data depend largely on the type of vessel that you are investigating, and you will get a whole load of intelligence if it is collected efficiently and systematically. Below are some websites, categorized by vessel type (note that some sites are meant for the surveillance of all vessel types):

  1. MarineTraffic (all vessel types)
  2. VesselFinder (all vessel types)
  3. MyShipTracking (all vessel types)
  4. TankerTrackers (tracks and reports crude oil in the sea)
  5. MarineVesselTraffic, FollowingSea.net (Yacht tracking)
  6. Cruisin.me, CruiseMapper, CruiseHive (Cruise Ship tracking)
  7. GlobalFishingWatch (Fishing Vessel tracking)

Besides all these, there are many other websites designed for different purposes, like SubtelForum.com (for tracking cable ships and submarines), eships.net (for vessel database), IMB Piracy and Armed Robbery Map, GlobalFishingWatch (for tracking illegal fishing) and MarineVesselTraffic (for tracking global military incidents).

Tracking vessels via these platforms alone is not enough. Every piece of data leads somewhere. As an example, we can skim through social media, where more clues related to the vessel, its company or crew members might be available. Apart from this, we have shipspotting.com, where maritime enthusiasts post pictures of every vessel they spot, and platforms like MaritimeConnecter, MyShip and LinkedIn, where you would get a detailed bio of the crew members linked to a certain vessel. Moreover, if a ship has been sanctioned for committing illegal deeds, you may look for it in the OFAC Sanctions List. Remember, port cams are also of great help!

Something else linked to a ship that we can track? Yes, containers… if it’s a cargo ship!

Cargos and their tracking

A shipping container with several markings (containertech.com)

Each marking on the doors of the container deals with something important.

  1. Container Number: A unique number made up of 4 letters and 7 numbers displayed on the top right part of the container. The first 3 capital letters are the Owner Code, the next letter is the Equipment Category Identifier, and the sequence of six digits is the Registration Number (or Serial Number).
  2. Check Digit: The single digit that follows, the last digit of the container number, used to verify the validity of the entire sequence.
  3. ISO Code: A sequence of 4 letters or digits providing information about the container dimensions and type.
  4. Operational Markings: Display the operational characteristics of the container, like maximum gross weight, payload etc.
  5. CSC Plate: For verifying good condition and acceptable safety.
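
The container number and its check digit can be verified offline before a number goes into a tracking site. The following is an added example, not part of the original article; it assumes the ISO 6346 scheme (letter values from A=10 skipping multiples of 11, position weights of 2^i, remainder modulo 11), and the function names and sample numbers are illustrative.

```python
import re

def _letter_values():
    # ISO 6346: A=10 and upward, skipping multiples of 11 (11, 22, 33).
    values, n = {}, 10
    for ch in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        if n % 11 == 0:
            n += 1
        values[ch] = n
        n += 1
    return values

LETTER_VALUES = _letter_values()
CATEGORIES = {"U": "freight container", "J": "detachable equipment",
              "Z": "trailer or chassis"}
PATTERN = re.compile(r"^([A-Z]{3})([A-Z])([0-9]{6})([0-9])$")

def expected_check_digit(first_ten: str) -> int:
    # Each of the ten characters is weighted by 2**position; remainder 10 maps to 0.
    total = sum((LETTER_VALUES[c] if c.isalpha() else int(c)) * 2 ** i
                for i, c in enumerate(first_ten))
    return total % 11 % 10

def parse_container_number(raw: str) -> dict:
    # Accept the spaced or hyphenated forms painted on doors and typed into forms.
    text = re.sub(r"[\s-]", "", raw.upper())
    match = PATTERN.match(text)
    if not match:
        raise ValueError(f"not a 4-letter + 7-digit container number: {raw!r}")
    owner, category, serial, printed = match.groups()
    expected = expected_check_digit(owner + category + serial)
    return {
        "owner_code": owner,
        "category": CATEGORIES.get(category, "unknown"),
        "serial": serial,
        "check_digit": int(printed),
        "expected_check_digit": expected,
        "valid": expected == int(printed),
    }

if __name__ == "__main__":
    # Sample inputs: a commonly cited example number and a mistyped copy of it.
    for number in ("CSQU 305438 3", "CSQU 350438 3"):
        print(number, parse_container_number(number))
```

A failed check usually means a transcription error in the number read from a photo or document, so it is worth re-reading the source before searching further.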

Now that we know the basic markings on a shipping container, we can easily track any cargo using Fleetmon.com, Track-trace, Panjiva or ImportGenius.

Maritime Communication

Marine VHF Radio

If you have taken a deep dive into maritime intelligence, you might be aware of the International Code of Signals (ICS), an international system of signals and codes for use by vessels to communicate important messages regarding navigation safety and related matters. Vessels at sea use various methods to send signals: a flaghoist, a signal lamp or blinker (in which Morse code is used to send a message), flag semaphore, radiotelegraphy or radiotelephony.

Nowadays Marine VHF Radio is used extensively. It is a worldwide system of two-way radio transceivers for communication from ship to ship, ship to shore or even ship to aircraft when needed. It uses FM channels in the Very High Frequency (VHF) radio band in the frequency range between 156 and 174 MHz, which is designated by the ITU as the VHF maritime mobile band.

Common Technologies used in maritime

AIS (Automatic Identification System)

The AIS Network

AIS transponders are mandatory for all ships of 300 gross tonnage and upwards engaged on international voyages and for all passenger ships irrespective of size. AIS (Automatic Identification System) uses transceivers on ships and is one of the components used by VTS (others include radar, closed-circuit television and VHF radiotelephony), supplementing marine radar to avoid collisions between vessels. If AIS signatures are received through a satellite, the term Satellite-AIS (S-AIS) is used. AIS is quite analogous to ADS-B in aviation. It uses globally allocated marine band channels 87 & 88.

Although it is compulsory to keep AIS turned on during voyages, since it also protects vessels from unexpected accidents, there are a few instances when a master is permitted to deactivate a ship’s AIS, provided that entries are made in the logbook and AIS is reactivated at the earliest opportunity. If the ship is within a mandatory VTS reporting area, the master should also report the action to the authorities, unless there is a safety or security reason for not doing so. Some legitimate reasons to switch off the AIS include security concerns or law enforcement purposes. Illegal reasons to switch off AIS could be conducting IUU fishing activity in prohibited areas of the sea, smuggling or even trading with sanctioned countries. Fishing vessels, though, sometimes turn off their AIS just after leaving port and reactivate it only once they are back, solely because they wish to keep their fishing areas unknown to competing fishing companies.
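
Periods with AIS switched off show up in collected position reports as long silences. The following added example (not part of the original article) flags such gaps per MMSI and computes how far the vessel moved while silent; the report layout, the six-hour threshold and the sample tracks are assumptions, and timestamps are taken as UTC.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles."""
    r_nm = 3440.065  # mean Earth radius in nautical miles
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r_nm * asin(sqrt(a))

def find_ais_gaps(reports, max_silence=timedelta(hours=6)):
    """reports: iterable of (mmsi, iso_timestamp, lat, lon). Returns gap records."""
    tracks = {}
    for mmsi, ts, lat, lon in reports:
        tracks.setdefault(mmsi, []).append((datetime.fromisoformat(ts), lat, lon))
    gaps = []
    for mmsi, track in tracks.items():
        track.sort()  # reports may arrive out of order from several receivers
        for (t0, lat0, lon0), (t1, lat1, lon1) in zip(track, track[1:]):
            silence = t1 - t0
            if silence <= max_silence:
                continue
            hours = silence.total_seconds() / 3600
            dist = haversine_nm(lat0, lon0, lat1, lon1)
            gaps.append({
                "mmsi": mmsi,
                "last_seen": t0,
                "seen_again": t1,
                "hours": hours,
                "distance_nm": round(dist, 1),
                # Average speed needed to cover the displacement while silent.
                "implied_knots": round(dist / hours, 1),
            })
    return gaps

# Constructed sample reports (not real vessels): MMSI, timestamp, lat, lon.
SAMPLE_REPORTS = [
    ("412000001", "2022-05-01T00:00:00", 10.0, 120.0),
    ("412000001", "2022-05-01T01:00:00", 10.1, 120.0),
    ("412000001", "2022-05-02T07:00:00", 12.1, 120.0),  # 30 h later, 2 degrees north
    ("412000001", "2022-05-02T08:00:00", 12.2, 120.0),
    ("538000002", "2022-05-01T00:00:00", 5.0, 100.0),
    ("538000002", "2022-05-01T03:00:00", 5.2, 100.1),
    ("538000002", "2022-05-01T06:00:00", 5.4, 100.2),
]

if __name__ == "__main__":
    for gap in find_ais_gaps(SAMPLE_REPORTS):
        print(gap)
```

A silence can also come from the vessel being outside receiver coverage, so a flagged gap is a lead to check against S-AIS data, port calls and imagery rather than a conclusion.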

VTS (Vessel Traffic Service)

A VTS is a marine traffic monitoring system established by harbour or port authorities, similar to Air Traffic Control (ATC) for aircraft.

DSC (Digital Selective Calling)

Digital Selective Calling is a service that allows you to communicate with a vessel or shore station by making an “individual” call. With DSC it is no longer required to listen to all radio messages to see if there is a call or message for you. DSC is also used to automatically send distress messages.

ECDIS (Electronic Chart Display and Information System)

An ECDIS is a geographic information system used for nautical navigation that complies with International Maritime Organisation (IMO) regulations as an alternative to paper nautical charts. It displays the information from Electronic Navigational Charts (ENC) and integrates position information from position, heading and speed through water reference systems and optionally other navigational sensors. Other sensors which could interface with an ECDIS are radar, Navtex, AIS, and depth sounders.

NAVTEX (Navigational Telex)

NAVTEX is an international automated medium frequency direct-printing service for delivery of navigational and meteorological warnings and forecasts, as well as urgent maritime safety information (MSI) to ships.

VMS (Vessel Monitoring System)

VMS is a general term to describe systems that are used in commercial fishing to allow environmental and fisheries regulatory organizations to track and monitor the activities of fishing vessels. They are a key part of monitoring control and surveillance (MCS) programs at national and international levels. VMS may be used to monitor vessels in the territorial waters of a country or a subdivision of a country, or in the Exclusive Economic Zones (EEZ) that extend 200 nautical miles from the coasts of many countries.

GMDSS (Global Maritime Distress and Safety System)

GMDSS is an international system that uses terrestrial and satellite technology and ship-board radio systems to ensure rapid, automated alerting of shore-based communication and rescue authorities, in addition to ships in the immediate vicinity, in the event of a marine distress.

NMEA (National Marine Electronics Association)

NMEA is a standardised communication protocol used in the marine sector (boats, ships etc). Its standards have seen many updates; many vessels presently use NMEA 2000, and some still use older versions like NMEA 0183.
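
AIS receivers commonly hand their data to other equipment as NMEA 0183 "!AIVDM" sentences. The added example below (not part of the original article) verifies the sentence checksum and decodes the message type, MMSI and navigation status from a single-fragment sentence; the function names are illustrative, the payload is a sample input, and its checksum is computed by the code itself.

```python
from functools import reduce

def nmea_checksum(body: str) -> str:
    """XOR of every character between the leading '!'/'$' and the '*'."""
    return format(reduce(lambda acc, ch: acc ^ ord(ch), body, 0), "02X")

def with_checksum(body: str) -> str:
    return f"!{body}*{nmea_checksum(body)}"

def split_sentence(sentence: str) -> list:
    sentence = sentence.strip()
    if not sentence.startswith(("!", "$")) or "*" not in sentence:
        raise ValueError("not an NMEA 0183 sentence")
    body, _, given = sentence[1:].partition("*")
    if nmea_checksum(body) != given.upper():
        raise ValueError("checksum mismatch")
    return body.split(",")

def payload_bits(payload: str) -> str:
    """Undo the AIS 6-bit ASCII armoring: each character carries six bits."""
    bits = []
    for ch in payload:
        value = ord(ch) - 48
        if value > 40:
            value -= 8
        bits.append(format(value, "06b"))
    return "".join(bits)

def decode_aivdm(sentence: str) -> dict:
    fields = split_sentence(sentence)
    if fields[0] not in ("AIVDM", "AIVDO") or fields[1] != "1":
        raise ValueError("only single-fragment AIS sentences are handled here")
    bits = payload_bits(fields[5])
    msg_type = int(bits[0:6], 2)
    result = {
        "channel": fields[4],
        "msg_type": msg_type,
        "mmsi": format(int(bits[8:38], 2), "09d"),  # 30 bits, zero-padded
    }
    if msg_type in (1, 2, 3):  # Class A position reports carry a status field
        result["nav_status"] = int(bits[38:42], 2)
    return result

# Sample input: sentence body without checksum (type 1 position report).
SAMPLE_BODY = "AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0"

if __name__ == "__main__":
    print(decode_aivdm(with_checksum(SAMPLE_BODY)))
```

The checksum only catches transmission errors: anyone who can inject a sentence can compute a matching one, so a valid checksum says nothing about whether the MMSI or position inside is genuine.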

Maritime VSAT

Maritime VSAT is the use of satellite communication through a Very-small-aperture terminal (VSAT) on a moving ship at sea. Since a ship at sea moves with the water, the antenna needs to be stabilized with reference to the horizon and True north, so that the antenna is constantly pointing at the satellite it uses to transmit and receive signals.

INMARSAT (International Maritime Satellite Organisation)

INMARSAT is a leading global satellite communications company, established in London in 1979 to serve the maritime industry by developing satellite communications for ship management as well as distress and safety applications in the maritime, aeronautical and multinational corporate sectors. It has various versions for various purposes, which include Inmarsat-A, Inmarsat-B, Inmarsat-C, Inmarsat-M, Inmarsat-Mini M and Inmarsat-Aero.

CommBox

KVH’s CommBox is a network management tool using shipboard network management hardware, with network hub options for enhanced performance and network control as well as software modules to support on board communications.

Pivotal company names and terms that you should remember include Sailor 900, Inmarsat Solutions, Telenor Satellite, Commbox, Cobham SeaTel Satcom and Thrane.

The maritime industry is particularly lacking in security from a technological perspective, which makes it especially vulnerable to cyber attacks like jamming and spoofing of AIS or GPS.

Using Shodan to detect vulnerabilities

Shodan Ship Tracker

In Shodan.io, you can search for possibly vulnerable devices by entering the above-mentioned terms that I told you to remember into the search bar. You can also search by org:"Intelsat Global Connex Solutions (GXS)" or org:"Telenor UK Ltd". Moreover, Shodan also has a live ship tracker, which tracks vessels via VSAT-connected antennas and exposes web services. You can also search on that map with "server:MicroDigitalWebserver".

When you find a Cobham SeaTel Satcom web interface, you can analyze it through Fiddler/Burp Suite, and you will find some juicy JavaScript files there through which you can easily access the admin page; “/js/userlogin.js” contains some hints. Some of their menus will be available without authentication.

Just in case that doesn’t work, you can try to log in with the default usernames and passwords which are present in Cobham Satcom’s manual.

Case Study: Vessel Identity Laundering

Just another area left for maritime organisations to tackle efficiently! There have been frequent cases where vessels, either because they are sanctioned by the authorities or for other illicit purposes, transform into an entirely new vessel by tampering with their physical, registered or digital identities. Presently, vessel identity laundering has two typologies, as researched by C4ADS:

  1. Direct Vessel Identity Laundering
  2. Indirect Vessel Identity Laundering

Direct Vessel Identity Laundering Operation

A direct vessel identity laundering operation typically follows a three-step process and only requires one real ship (the dirty vessel itself):

Step 1 Preparation and Disguise: Physical Identity Tampering

Step 2 Creating a Shell Identity: IMO Number Fraud

Step 3 Assuming a Shell Identity: Digital Identity Tampering

Indirect Vessel Identity Laundering Operation

Indirect vessel identity laundering operations are more complex than direct vessel identity laundering operations. While direct vessel identity laundering requires only one vessel, indirect vessel identity laundering operations require the participation of at least two real ships (including the dirty vessel and a clean “intermediary” vessel). However, the goal is still the same: to provide the dirty vessel with a clean identity.

Indirect vessel identity laundering operations typically follow a four-step process:

Step 1 Preparation and Disguise: Physical Identity Tampering

Step 2 Creating a Shell Identity: IMO Number Fraud

Step 3 The Intermediary Ship Assumes the Shell Identity: Digital Identity Tampering

Step 4 The Dirty Ship Assumes the Vacated Identity of the Intermediary Ship: Digital Identity Tampering

If you wish to give the C4ADS report on vessel identity laundering a read, here’s the link: https://c4ads.org/s/Unmasked-Vessel-Identity-Laundering-North-Korea-f2nf.pdf

Conclusion

Indeed, a lot of areas in the maritime industry need more regulation and newer methods to keep up with technology, and securing themselves against prevalent cyberattacks is of utmost importance.