New analysis shows that attacks on satellite navigation systems have impacted some 1,100 ships in the Middle East since the US and Israel attacked Iran on February 28.
Analysis Summary
# Incident Report: Escalated GPS/AIS Disruption in Middle East Following US-Iran Conflict
## Executive Summary
Following retaliatory military strikes by the US and Israel against Iran starting on February 28, maritime electronic warfare escalated significantly in the Middle East. Analysis from Windward identified widespread GPS jamming and spoofing, impacting approximately 1,100 ships navigating the Strait of Hormuz and surrounding waters. The primary impact was severe navigational disruption, with vessels appearing inland or near sensitive facilities. Response involved international maritime advisories highlighting "critical" risks, although the source of the electronic interference was not explicitly attributed in the summary.
## Incident Details
- Discovery Date: Analysis released shortly after February 28 (Report cited March 2, 2026)
- Incident Date: Commenced on or around February 28 (following US/Israeli strikes against Iran)
- Affected Organization: Not applicable (State-level/Geopolitical catalyst; commercial maritime industry affected)
- Sector: Maritime/Shipping, critical infrastructure navigation
- Geography: Middle East, specifically the Gulf region, Strait of Hormuz, and waters near Iran, UAE, Qatar, and Oman.
## Timeline of Events
### Initial Access
- Date/Time: Starting February 28
- Vector: Transmission of high-power electronic signals targeting satellite navigation (GPS/GNSS).
- Details: Significant electronic interference noted immediately following international military actions.
### Lateral Movement
- Not applicable in the usual cyber sense of lateral movement; this entry describes how the *effect* of the jamming/spoofing spread across the operational area.
- Details: Electronic interference spread across Iranian, UAE, Qatari, and Omani waters, identified across roughly 21 "new clusters."
### Data Exfiltration/Impact
- Harmful positional data injection (spoofing) and denial of service (jamming).
- Details: Affected navigation data integrity, causing ships to appear falsely positioned (e.g., inland, at airports, or near a nuclear power plant). Some vessels reportedly entered "circle-like patterns."
### Detection & Response
- Detection: Analysis by maritime intelligence firm Windward.
- Response: Joint Maritime Information Center (JMIC) issued a notice on March 1 stating the situation was "critical." Commercial air travel significantly decreased due to related interference concerns.
## Attack Methodology
- Initial Access: GPS **Jamming** (predominant method identified by Windward) and **Spoofing**.
- Persistence: Continuous broadcast of interfering signals.
- Privilege Escalation: Not applicable (Physical/RF attack).
- Defense Evasion: Attacks utilized methods to overwhelm or falsify standard navigational signals, rendering legitimate safety systems unreliable.
- Credential Access: Not applicable.
- Discovery: Analysis of ship tracking data (AIS) showing anomalies in reported positions (behavioral and locational indicators).
- Lateral Movement: Not applicable.
- Collection: Not applicable.
- Exfiltration: Not applicable.
- Impact: Disruption of navigation, safety risk (collisions, grounding, oil spills), and compliance risk (vessels displaying incorrect locations). For aviation, reports noted at least six new spoofing signatures impacting hundreds of flights initially, though this decreased after flights were cancelled.
## Impact Assessment
- Financial: Unspecified, but implied significant due to shipping disruption (Strait of Hormuz shipping almost halted) and potential for accidents/spills.
- Data Breach: No evidence of traditional data exfiltration; the compromise was operational integrity of positional data.
- Operational: Severe disruption to maritime traffic, with 1,100+ ships affected, forcing vessels off course or into avoidance patterns. Air travel was also impacted initially.
- Reputational: Increased international concern regarding the safety of critical shipping lanes.
## Indicators of Compromise
- Network indicators: None specified (RF signatures, not IP/DNS).
- File indicators: None.
- Behavioral indicators: Ships appearing falsely positioned inland or clustered in circular patterns in UAE, Qatari, and Omani waters; AIS positions displaced toward sensitive locations such as the Barakah Nuclear Power Plant.
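
The two behavioral indicators above can be checked directly against a vessel's position reports. The following is an added example, not code from Windward or from the reporting summarized here: the `(unix_seconds, lat, lon)` track format, the function names, the 50-knot ceiling and the circle thresholds are all assumptions, and the sample tracks are constructed.

```python
import math

def haversine_km(p, q):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    la1, lo1, la2, lo2 = map(math.radians, (*p, *q))
    h = (math.sin((la2 - la1) / 2) ** 2
         + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_jumps(track, max_knots=50.0):
    """Indices of reports whose implied speed from the previous report exceeds
    max_knots (assumed ceiling for a merchant vessel, tune per fleet)."""
    hits = []
    for i in range(1, len(track)):
        (t0, *p0), (t1, *p1) = track[i - 1], track[i]
        hours = (t1 - t0) / 3600.0
        if hours > 0 and haversine_km(p0, p1) / 1.852 / hours > max_knots:
            hits.append(i)
    return hits

def is_circling(track, max_radius_cv=0.15, min_sweep_deg=300.0):
    """True when reports keep a near-constant distance from their centroid
    and sweep most of a full turn around it (the circle-like pattern)."""
    if len(track) < 8:
        return False
    clat = sum(r[1] for r in track) / len(track)
    clon = sum(r[2] for r in track) / len(track)
    radii = [haversine_km((clat, clon), r[1:]) for r in track]
    mean_r = sum(radii) / len(radii)
    if mean_r == 0:
        return False
    cv = math.sqrt(sum((x - mean_r) ** 2 for x in radii) / len(radii)) / mean_r
    k = math.cos(math.radians(clat))  # shrink longitude to local east distance
    ang = [math.atan2((r[2] - clon) * k, r[1] - clat) for r in track]
    # Sum signed bearing changes, each wrapped into [-pi, pi).
    sweep = sum((b - a + math.pi) % (2 * math.pi) - math.pi
                for a, b in zip(ang, ang[1:]))
    return cv <= max_radius_cv and abs(math.degrees(sweep)) >= min_sweep_deg

# Constructed sample tracks: (unix_seconds, lat, lon). Not real vessel data.
JUMP_TRACK = [(0, 26.50, 56.30), (600, 26.52, 56.32), (1200, 26.54, 56.34),
              (1800, 24.00, 54.00), (2400, 24.01, 54.01)]
CIRCLE_TRACK = [(600 * i, 25.0 + 0.02 * math.cos(math.radians(30 * i)),
                 55.0 + 0.02 * math.sin(math.radians(30 * i))) for i in range(13)]

if __name__ == "__main__":
    print("jump indices:", impossible_jumps(JUMP_TRACK))
    print("circling:", is_circling(CIRCLE_TRACK))
```

A flagged jump alone does not distinguish spoofing from a receiver fault; correlating the same displacement across many vessels in one area is what points to interference.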
## Response Actions
- Containment measures: Increased international maritime warnings (JMIC advisory).
- Eradication steps: Not specified for the source of the interference. Vessels likely reverted to backup/inertial navigation systems where possible.
- Recovery actions: Not explicitly detailed. Ships may have resumed transit after the interference intensity fluctuated or after adopting alternative navigation methods.
## Lessons Learned
- Key takeaways: Geopolitical conflict rapidly translates into significant physical consequences in critical maritime chokepoints via electronic warfare (jamming/spoofing). Reliance on unencrypted GNSS/AIS systems creates a massive single point of failure during times of heightened tension.
- What could have been done better: Increased resilience or implementation of layered, robust navigation backups on commercial vessels prior to the conflict escalation.
## Recommendations
- Prevention measures for similar incidents: Mandate and enforce the use of resilient, multi-source Position, Navigation, and Timing (PNT) systems for commercial and critical maritime assets that can detect and filter out GPS/GNSS interference.
- Improve situational awareness regarding RF spectrum usage in regions prone to geopolitical risk.