Full Report
Carrying 99% of the world’s international telecommunications, the vulnerable lines are drawing nefarious interest

The lead-clad telegraphic cable seemed to weigh tons, according to Lt Cameron Winslow of the US navy, and the weather wasn’t helping their attempts to lift it up from the seabed and sever it. “The rough water knocked the heavy boats together, breaking and almost crushing in their planking,” he wrote.

Eventually, Winslow’s men managed to cut the cable with hacksaws and disrupt the enemy’s communications by slicing off a 46-metre (150ft) section.
Analysis Summary
# Incident Report: Baltic Sea Undersea Cable Sabotage (November 2024)
## Executive Summary
In November 2024, two undersea fiber-optic cables in the Baltic Sea were deliberately damaged, prompting investigations into potential sabotage amid heightened geopolitical tensions. A Chinese cargo carrier, *Yi Peng 3*, operating in the vicinity during the timeframe of the severing, is currently a vessel of interest. While the immediate impact involved localized telecommunication disruption, the incident underscores the critical vulnerability of global subsea infrastructure to state-sponsored interference.
## Incident Details
- Discovery Date: November 17 and 18, 2024 (each failure was detected the day it occurred; the investigation followed immediately)
- Incident Date: November 17 and 18, 2024 (the two cables failed on successive days)
- Affected Organization: Unspecified telecommunication providers utilizing the Baltic Sea cables.
- Sector: Telecommunications/Critical Infrastructure
- Geography: Baltic Sea
## Timeline of Events
### Initial Access
- **Date/Time:** November 17 and 18, 2024
- **Vector:** Physical disruption/sabotage via a maritime vessel.
- **Details:** Two undersea fiber-optic cables were severed. The Chinese cargo carrier *Yi Peng 3* was in the area when the cuts occurred and is now being investigated by Swedish police.
### Lateral Movement
*Not applicable/Not detailed in the context of physical infrastructure sabotage.*
### Data Exfiltration/Impact
- **Details:** The primary impact was loss of the international telecommunications traffic carried by the two cables. No data exfiltration is indicated: cutting a cable denies service rather than intercepting it. The exposure is nonetheless serious, because these lines carry the trillions of dollars in daily financial transactions and the sensitive government communications that depend on the network.
### Detection & Response
- **How it was discovered:** Damage to the cables was detected on November 17 and 18.
- **Response actions taken:** Swedish police initiated an investigation naming the vessel *Yi Peng 3* as "of interest." A Danish navy vessel is shadowing the *Yi Peng 3*. German defense officials suggested the damage was "probably sabotage."
## Attack Methodology
- **Initial Access:** Physical interference, likely using a vessel (grapple, anchor, or similar object) to sever the cable on the seabed.
- **Persistence:** N/A (Physical severance, not software persistence)
- **Privilege Escalation:** N/A
- **Defense Evasion:** A one-off physical cut in international waters, hard to distinguish at first from an accidental anchor drag, gives the actor plausible deniability.
- **Credential Access:** N/A
- **Discovery:** N/A (Intentional physical action, not network reconnaissance)
- **Lateral Movement:** N/A
- **Collection:** N/A
- **Exfiltration:** N/A
- **Impact:** Physical severing of critical communications infrastructure.
## Impact Assessment
- **Financial:** Repair and replacement of submarine cables are expensive (estimated at $40,000 per mile, with new transatlantic cables costing $200m–$250m). Significant disruption to daily financial transactions reliant on the network.
- **Data Breach:** None stated. A severed cable is an availability loss, not a confidentiality loss; the sensitive government and business traffic on these lines was interrupted, not read.
- **Operational:** Disruption to internet service and telecommunications in the region.
- **Reputational:** Negative diplomatic signaling related to geopolitical tensions (Russia-Ukraine, China-Taiwan, Israel-Gaza).
## Indicators of Compromise
- **Network indicators:** N/A (Focus on physical incident)
- **File indicators:** N/A
- **Behavioral indicators:** AIS tracks placing a vessel of interest (*Yi Peng 3*) on or near a cable route in the window around a documented cable failure. Low speed over ground while on the route is more consistent with a dragged anchor or grapple than with normal transit, and because AIS is self-reported, an unexplained gap in a track during that window is itself an indicator.
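The behavioral indicator above is something an analyst can compute from AIS data rather than eyeball. The following is an added example, not code from the original report: it screens a constructed set of AIS position reports against an invented cable route around a constructed fault timestamp, flags vessels that were inside the corridor and moving at anchor-dragging speed, and lists vessels whose AIS went quiet across the window. The MMSIs, vessel names, positions, route waypoints and fault time are all placeholders.

```python
"""Screen AIS tracks against a cable route around a fault time.

Added example, not code from the original report. Every fix below is
constructed: the MMSIs, vessel names, positions and timestamps are
placeholders, and the route is an invented polyline, not a real cable.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import math


@dataclass(frozen=True)
class Fix:
    mmsi: str
    name: str
    ts: datetime
    lat: float
    lon: float
    sog_knots: float  # speed over ground, self-reported by the vessel


# Constructed route waypoints (lat, lon) and a constructed fault timestamp.
CABLE_ROUTE = [(55.00, 14.00), (55.50, 15.00), (56.00, 16.00)]
FAULT_TIME = datetime(2024, 11, 18, 2, 0, tzinfo=timezone.utc)


def hours_from_fault(h):
    return FAULT_TIME + timedelta(hours=h)


SAMPLE_FIXES = [
    # VESSEL-A: crawls along the route at anchor-dragging speed before the fault
    Fix("000000001", "VESSEL-A", hours_from_fault(-3), 55.20, 14.40, 1.8),
    Fix("000000001", "VESSEL-A", hours_from_fault(-2), 55.25, 14.50, 1.5),
    # VESSEL-B: transits more than 60 nm away at normal speed
    Fix("000000002", "VESSEL-B", hours_from_fault(-2), 54.00, 12.00, 12.4),
    # VESSEL-C: on the route, but three days earlier
    Fix("000000003", "VESSEL-C", hours_from_fault(-72), 55.25, 14.50, 9.0),
    # VESSEL-D: near the route, then four hours with no AIS report
    Fix("000000004", "VESSEL-D", hours_from_fault(-5), 55.60, 15.20, 8.5),
    Fix("000000004", "VESSEL-D", hours_from_fault(-1), 55.62, 15.25, 8.0),
]


def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 3440.065 * math.asin(math.sqrt(a))


def distance_to_route_nm(lat, lon, route, samples=100):
    """Closest approach to the route polyline, sampling each segment.
    Adequate for a screening corridor a few miles wide; not survey grade."""
    best = float("inf")
    for (alat, alon), (blat, blon) in zip(route, route[1:]):
        for i in range(samples + 1):
            t = i / samples
            d = haversine_nm(lat, lon, alat + t * (blat - alat), alon + t * (blon - alon))
            best = min(best, d)
    return best


def screen_vessels(fixes, route, fault_time, window_hours=6.0, radius_nm=2.0, slow_knots=3.0):
    """Vessels with at least one fix inside the corridor during the window,
    closest approach first. Slow fixes are counted because dragging an
    anchor or grapple happens at a few knots, not at transit speed."""
    lo, hi = fault_time - timedelta(hours=window_hours), fault_time + timedelta(hours=window_hours)
    hits = {}
    for f in fixes:
        if not (lo <= f.ts <= hi):
            continue
        d = distance_to_route_nm(f.lat, f.lon, route)
        if d > radius_nm:
            continue
        h = hits.setdefault(f.mmsi, {"mmsi": f.mmsi, "name": f.name, "fixes_in_corridor": 0,
                                     "closest_nm": float("inf"), "slow_fixes": 0})
        h["fixes_in_corridor"] += 1
        h["closest_nm"] = min(h["closest_nm"], d)
        h["slow_fixes"] += int(f.sog_knots <= slow_knots)
    return sorted(hits.values(), key=lambda h: (h["closest_nm"], -h["slow_fixes"], h["mmsi"]))


def ais_gaps(fixes, window_start, window_end, max_gap_hours=1.0):
    """Consecutive fixes from one vessel more than max_gap_hours apart, where
    the gap overlaps the window. A dark period near a fault is a lead, not
    proof: AIS is self-reported and can be switched off, spoofed or lost."""
    tracks = {}
    for f in fixes:
        tracks.setdefault(f.mmsi, []).append(f)
    gaps = []
    for mmsi, track in sorted(tracks.items()):
        track.sort(key=lambda f: f.ts)
        for a, b in zip(track, track[1:]):
            if b.ts - a.ts > timedelta(hours=max_gap_hours) and a.ts < window_end and b.ts > window_start:
                gaps.append((mmsi, a.ts, b.ts))
    return gaps


if __name__ == "__main__":
    for hit in screen_vessels(SAMPLE_FIXES, CABLE_ROUTE, FAULT_TIME):
        print(hit)
    for mmsi, start, end in ais_gaps(SAMPLE_FIXES, hours_from_fault(-6), hours_from_fault(6)):
        print(f"{mmsi} dark from {start:%H:%MZ} to {end:%H:%MZ}")
```

Run as a script it prints VESSEL-A (two slow fixes on the route) and VESSEL-D (on the route, then dark for four hours); VESSEL-B is too far away and VESSEL-C is outside the window. Treat the output as a lead list, not an attribution: a corridor a couple of miles wide will also catch innocent traffic on a busy route, and a vessel that simply stops transmitting produces no fixes to screen, which is why the gap check is there.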
## Response Actions
- **Containment measures:** Shadowing of the vessel of interest (*Yi Peng 3*) by the Danish navy.
- **Eradication steps:** N/A (Physical repair effort would be required).
- **Recovery actions:** Localized repair operations necessary to restore full service capacity.
## Lessons Learned
- Subsea cables, despite sometimes being physically robust (steel-wrapped), can be severed relatively easily by conventional maritime means (anchors, grapples) if the intent is present.
- Such isolated incidents allow malicious state actors plausible deniability while delivering potent diplomatic and economic signals.
- The ongoing geopolitical instability increases the risk of targeting these vital arteries of global communication.
- Historical context shows that nations (including the West, Russia, and China) have demonstrated intent and capability regarding monitoring or interfering with subsea cables.
## Recommendations
- Increase maritime surveillance and monitoring, especially by naval assets, around critical subsea cable routes, particularly during periods of elevated geopolitical tension.
- Enhance international cooperation for rapid identification and scrutiny of vessels operating near cable routes during incidents.
- Invest in hardening cable protection mechanisms where feasible, although the sheer volume of the network limits comprehensive physical protection.
- Conduct vulnerability assessments mapping critical choke points where a small number of cables carry significant traffic volumes, and model the effect of two simultaneous cuts as well as one, since this incident took out two cables.
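One way to carry out the choke-point assessment in the last recommendation, as an added example rather than anything from the original report: model landing stations as nodes and cables as edges of a small constructed graph, pick a gateway station, and enumerate every single and double cut that leaves some station with no remaining path to the gateway. The station names, cable names and capacities below are invented and describe no real network.

```python
"""Single- and double-cut choke-point assessment for a cable graph.

Added example, not from the original report. The topology is a
constructed toy: station names, cable names and capacities are invented.
"""
from collections import deque
from dataclasses import dataclass
from itertools import combinations

# Constructed topology: cable name -> (station A, station B, capacity in Gbps)
CABLES = {
    "CAB-1": ("ST-1", "ST-2", 100),
    "CAB-2": ("ST-2", "ST-3", 100),
    "CAB-3": ("ST-1", "ST-3", 40),
    "CAB-4": ("ST-3", "ST-4", 200),
    "CAB-5": ("ST-4", "ST-5", 50),
    "CAB-6": ("ST-4", "ST-6", 50),
    "CAB-7": ("ST-5", "ST-6", 20),
}


@dataclass(frozen=True)
class CutResult:
    cables: frozenset    # names of the cables cut together
    isolated: frozenset  # stations with no remaining path to the gateway
    lost_gbps: int       # capacity removed by the cut


def stations(cables):
    return {s for a, b, _ in cables.values() for s in (a, b)}


def reachable(cables, gateway, cut):
    """Stations reachable from the gateway over cables not in `cut` (BFS)."""
    adj = {}
    for name, (a, b, _) in cables.items():
        if name in cut:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {gateway}, deque([gateway])
    while queue:
        n = queue.popleft()
        for m in adj.get(n, ()):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def isolating_cuts(cables, gateway, k):
    """Every k-cable cut that leaves at least one station unreachable from
    the gateway, worst first: most stations isolated, then most capacity lost."""
    all_stations = stations(cables)
    results = []
    for combo in combinations(sorted(cables), k):
        cut = frozenset(combo)
        isolated = frozenset(all_stations - reachable(cables, gateway, cut))
        if isolated:
            results.append(CutResult(cut, isolated, sum(cables[c][2] for c in cut)))
    results.sort(key=lambda r: (-len(r.isolated), -r.lost_gbps, sorted(r.cables)))
    return results


if __name__ == "__main__":
    for k in (1, 2):
        print(f"--- {k}-cable cuts that isolate stations from ST-1 ---")
        for r in isolating_cuts(CABLES, "ST-1", k):
            print(sorted(r.cables), "isolates", sorted(r.isolated), f"({r.lost_gbps} Gbps lost)")
```

In the toy topology only CAB-4 is a single point of failure, but twelve of the twenty-one possible two-cable cuts isolate at least one station, which is the point of modelling pairs: a network that survives any one cut can still be partitioned by two, and the exhaustive enumeration stays cheap for the few hundred cables a regional assessment would cover.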