The PolySwarm Blog


Electronic Warfare Disruptions Near the Strait of Hormuz

Mar 13, 2026 2:18:36 PM / by The Hivemind

Verticals Targeted: Maritime, Shipping
Regions Targeted: Middle East

Executive Summary

Recent maritime navigation anomalies in the Persian Gulf and Strait of Hormuz suggest the use of GNSS spoofing and other electronic warfare techniques disrupting vessel positioning systems and AIS tracking data. Ships have reported GPS positions drifting or appearing in multiple locations across maritime telemetry platforms. The activity coincides with radio warnings broadcast to ships transiting the Strait and may reflect Iran’s asymmetric strategy to influence maritime traffic while avoiding direct escalation. It may also indicate a temporary shift toward electronic warfare while Iranian cyber operators rebuild infrastructure following recent strikes.

Key Takeaways

  • Maritime navigation systems across the Persian Gulf and Gulf of Oman have experienced anomalies consistent with large-scale GNSS spoofing, causing vessels to report incorrect positions on AIS tracking platforms.
  • The disruptions coincide with radio warnings transmitted to ships transiting the Strait of Hormuz, creating a gray-zone control environment that may influence vessel behavior without constituting a formal blockade.
  • GNSS spoofing can act as a data integrity attack on maritime telemetry, poisoning trusted navigation data used by governments, shipping companies, and intelligence analysts.
  • Iran’s reliance on electronic warfare and hybrid disruption tactics may reflect temporary degradation of its cyber capabilities following recent strikes on cyber infrastructure and command structures.
  • The activity may also serve as reconnaissance or diversion, potentially masking preparations for future cyber campaigns targeting regional energy, maritime, or industrial infrastructure.

Background

Amid the ongoing conflict between Iran and the US/Israel, several developments are relevant to this report. We noted in our previous threat bulletin, "Cyber Strategy Under Fire: Iranian APT and Proxy Retaliation Risks," that the US and Israel’s attacks on Iranian infrastructure and command structure appear to have at least temporarily crippled Iran’s cyber retaliation capabilities. In that report, our analysts included information on Iranian APT groups as well as proxies that may engage in cyber activity on Iran’s behalf. We also provided IOCs of malware associated with related threat actor groups. In our threat bulletin "Hybrid Warfare Evolves: Iranian Drone Strikes Impact AWS Infrastructure," we noted Iran’s hybrid warfare strategy leveraging drone attacks to target multiple AWS data centers in the region. Now Iran seems to be leveraging electronic warfare methods to disrupt maritime navigation, particularly around the Strait of Hormuz.

The increasing reliance on electronic warfare and hybrid disruption methods may also reflect the current state of Iran’s cyber capabilities. Recent US and Israeli strikes reportedly targeted elements of Iran’s cyber infrastructure and command hierarchy, potentially degrading the operational capacity of several state-aligned cyber units. If these capabilities have been temporarily disrupted, spectrum-based tactics such as Global Navigation Satellite Systems (GNSS) spoofing and maritime signaling offer an immediate alternative for exerting pressure in the region without requiring complex cyber infrastructure. At the same time, such activity could function as a diversionary layer of hybrid operations while Iranian cyber operators rebuild infrastructure and prepare for potential retaliatory cyber campaigns.

Electronic Warfare Activity Disrupting Maritime Navigation

Over the past several days, maritime intelligence platforms and commercial vessel tracking services have documented unusual navigation anomalies across the Persian Gulf and Gulf of Oman. Ships have reported GPS positions drifting in circular patterns, jumping to inland locations, or appearing simultaneously in multiple locations on Automatic Identification System (AIS) feeds.

These effects are consistent with GNSS spoofing, an electronic warfare technique in which transmitters broadcast counterfeit satellite signals that cause navigation systems to calculate incorrect positions. When conducted at scale, spoofing can disrupt situational awareness across ships, surveillance systems, and maritime monitoring networks simultaneously.

Because modern maritime navigation integrates GPS data with AIS transponders and onboard autopilot systems, manipulation of satellite signals can propagate errors across global shipping telemetry platforms. This produces not only navigational uncertainty for crews but also degraded tracking data for governments, intelligence analysts, and commercial shipping operators.

Analysts have identified clusters of affected vessels near key Iranian naval infrastructure, suggesting that spoofing transmitters may be operating from coastal electronic warfare sites or mobile platforms associated with the Islamic Revolutionary Guard Corps (IRGC).

Maritime Telemetry and Data Integrity Risks

Modern maritime tracking platforms rely on Automatic Identification System (AIS) broadcasts combined with satellite navigation data. When GNSS spoofing manipulates vessel positions, those incorrect coordinates propagate across global tracking networks used by governments, shipping companies, insurers, and intelligence analysts.

This effectively creates a data integrity attack against maritime telemetry, where corrupted positional information spreads through logistics platforms and situational awareness systems. From a cyber perspective, this demonstrates how electronic warfare can indirectly compromise digital infrastructure by poisoning trusted data sources rather than directly breaching networks.
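For teams that consume AIS feeds, the anomalies described above (positions jumping large distances and vessels appearing in several places at once) can be screened for before the data reaches downstream systems. The following Python sketch is an added example, not PolySwarm code; the record layout, the MMSI values, and the 50-knot and 0.5 nm thresholds are assumptions chosen for illustration.

```python
import math
from collections import defaultdict

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def flag_anomalies(reports, max_knots=50.0, same_fix_nm=0.5):
    """Return (mmsi, timestamp, kind, detail) for physically implausible tracks.

    reports: iterable of (mmsi, unix_ts, lat, lon) position reports.
    kind is 'teleport' (implied speed in knots exceeds max_knots) or
    'multi_location' (same timestamp, fixes more than same_fix_nm apart).
    Both thresholds are assumptions to tune per fleet and feed.
    """
    tracks = defaultdict(list)
    for mmsi, ts, lat, lon in reports:
        tracks[mmsi].append((ts, lat, lon))
    findings = []
    for mmsi, points in tracks.items():
        points.sort()  # order each vessel's reports by time
        for (t0, la0, lo0), (t1, la1, lo1) in zip(points, points[1:]):
            dist = haversine_nm(la0, lo0, la1, lo1)
            dt_h = (t1 - t0) / 3600.0
            if dt_h == 0:
                if dist > same_fix_nm:
                    findings.append((mmsi, t1, "multi_location", round(dist, 1)))
            elif dist / dt_h > max_knots:
                findings.append((mmsi, t1, "teleport", round(dist / dt_h)))
    return findings


# Constructed sample data: MMSIs and coordinates are invented, not real traffic.
SAMPLE = [
    (900000001, 0, 26.50, 56.40),     # steady transit at roughly 12 knots
    (900000001, 600, 26.52, 56.43),
    (900000001, 1200, 26.54, 56.46),
    (900000002, 0, 26.30, 56.60),
    (900000002, 600, 27.90, 54.10),   # far-away fix ten minutes later
    (900000003, 0, 26.10, 56.80),
    (900000003, 0, 26.90, 55.90),     # second fix with the same timestamp
]

if __name__ == "__main__":
    for finding in flag_anomalies(SAMPLE):
        print(finding)
```

Flagged reports are best quarantined or annotated rather than dropped, so analysts can still see where and when the interference occurred.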

Radio Warnings and Maritime Signaling

The navigation anomalies have occurred alongside reports of radio warnings broadcast to ships transiting the Strait of Hormuz. These messages, transmitted via VHF Channel 16 and maritime HF bands, reportedly advise vessels to avoid certain areas or acknowledge Iranian naval authority in nearby waters.

While these warnings do not constitute a formal blockade, their combination with navigation interference creates a gray-zone control environment. Ships experiencing GPS irregularities may be more likely to comply with radio instructions, particularly if crews believe military forces are actively controlling traffic in the area.

Electronic warfare activity can also generate intelligence collection opportunities. Ships encountering navigation problems often increase communications with nearby vessels, port authorities, or naval forces to confirm their position or request guidance. These transmissions can expose vessel identities, cargo information, and communication protocols that might otherwise remain concealed. For coastal surveillance networks, such disruptions can therefore function as both a denial tactic and a reconnaissance tool.

Strategic Significance of the Strait of Hormuz

The Strait of Hormuz remains one of the most critical chokepoints in global trade. Approximately one-fifth of the world’s seaborne oil supply transits the narrow waterway each day, connecting Persian Gulf energy exporters to international markets.

Even limited disruptions to shipping in the strait can have outsized economic consequences. Navigation uncertainty increases insurance premiums, slows tanker traffic, and may cause shipping companies to reroute vessels or delay voyages. These effects can ripple through global energy markets without the need for direct military confrontation.

Similar GNSS spoofing patterns have previously been observed in other contested maritime environments, including the Black Sea and Eastern Mediterranean, where vessels reported positions shifting inland or moving in circular patterns near military installations. These events demonstrated how spoofing transmitters can create navigation denial zones around strategic facilities without physically obstructing shipping lanes.

Maritime Reconnaissance Through Disruption

Navigation interference may also serve a reconnaissance function beyond simple disruption. When ships experience GPS anomalies, crews frequently attempt to verify their position using additional communication channels or maritime reporting systems. As noted above, these interactions can expose operational data such as vessel routing, cargo information, and communications equipment characteristics.

For coastal surveillance networks, this increased radio traffic can provide valuable signals intelligence and maritime awareness. In this sense, GNSS spoofing may function simultaneously as a denial tactic and a mechanism for expanding visibility into commercial and military vessel movements in the region.

Attribution and Operational Context

Although widespread GNSS anomalies strongly suggest deliberate electronic warfare activity, definitive attribution remains challenging due to the complex operational environment in the Persian Gulf. Multiple military forces currently operate in and around the Strait of Hormuz, including regional naval forces as well as US and allied maritime patrol assets. In such environments, overlapping electronic interference can complicate efforts to identify the origin of spoofing signals.

Several indicators nonetheless point toward Iranian involvement. Reports of navigation anomalies have coincided with radio warnings transmitted to vessels via maritime VHF and high-frequency channels attributed to the Islamic Revolutionary Guard Corps, advising ships to avoid certain areas or acknowledge Iranian authority over nearby waters. The geographic clustering of affected vessels near Iranian coastal infrastructure further suggests the presence of shore-based electronic warfare transmitters or mobile spectrum systems associated with Iranian naval units.

Iran has historically invested in electronic warfare capabilities designed to disrupt satellite navigation and radar systems in the Gulf region. These capabilities form part of a broader asymmetric strategy intended to complicate military operations and exert influence over maritime traffic in contested waterways.

At the same time, the presence of multiple technologically advanced militaries in the region means attribution cannot yet be considered definitive. The United States and Israel both possess sophisticated electronic warfare capabilities and have previously employed GPS interference or navigation restrictions in active conflict zones. However, large-scale spoofing affecting commercial shipping corridors would run counter to their stated objective of maintaining safe transit through the Strait.

Given the available indicators, maritime analysts currently assess that Iranian electronic warfare activity is the most plausible explanation for much of the observed navigation interference. However, the possibility of overlapping interference from multiple actors cannot be entirely ruled out.

Cyber and Intelligence Implications

Electronic warfare activity targeting maritime navigation in the Persian Gulf may represent an early stage of a broader hybrid retaliation strategy. By interfering with satellite navigation and maritime communications, Iran can introduce operational uncertainty into one of the world’s most critical shipping corridors while avoiding actions that would clearly constitute a blockade or direct military escalation.

These tactics also create opportunities for intelligence collection and economic pressure, particularly given the Strait’s central role in global energy supply chains. If Iran’s domestic network disruptions continue to constrain large-scale cyber operations, spectrum-based disruption may remain an attractive tool for exerting influence while maintaining plausible deniability. This shift toward electronic warfare may therefore represent both an operational necessity and a strategic bridge while Iranian cyber units restore command infrastructure and operational capacity following recent strikes.

Over time, such activity could evolve into a broader campaign combining electronic warfare, cyber intrusions, and proxy operations targeting regional infrastructure and logistics networks. Such hybrid layering has historically been a hallmark of Iranian asymmetric strategy, where cyber operations, proxy activity, and information warfare are deployed sequentially or in parallel to complicate attribution and dilute the perceived threshold of escalation.

The current pattern of GPS spoofing and maritime radio signaling underscores Iran’s continued reliance on hybrid and asymmetric tactics during periods of heightened conflict. By exploiting vulnerabilities in satellite navigation systems and maritime communications, Iran can introduce uncertainty into global shipping lanes while staying below the threshold of overt military escalation. Continued expansion of GNSS interference or maritime radio warnings would likely indicate a sustained Iranian effort to exert influence over the Strait without escalating to direct military confrontation.

Potential Indicators of Escalating Iranian Cyber Operations

Although Iran is known for sophisticated cyber operations conducted by groups such as APT33, APT34, and MuddyWater, the current activity suggests a heavier reliance on electronic warfare capabilities.

Recent reporting indicates that Iran’s domestic internet infrastructure has been significantly degraded following recent strikes and internal shutdown measures, leaving the country operating with only a fraction of its normal connectivity. Large-scale cyber operations typically require stable network access for command-and-control infrastructure and data exfiltration. In contrast, electronic warfare systems operate independently of internet connectivity and can be activated immediately. As a result, Iran may be temporarily shifting toward spectrum-based disruption while its cyber infrastructure stabilizes.

While cyber activity linked to Iran and its proxies has so far been limited primarily to hacktivist campaigns and low-level disruption, several indicators could signal preparations for a more significant escalation in Iranian cyber operations. Historically, major Iranian cyber campaigns have been preceded by observable changes in infrastructure, malware development, and targeting behavior.

One key indicator would be the rapid activation of infrastructure associated with Iranian APT groups. Operators linked to groups such as APT33, APT34, APT35, and MuddyWater have historically staged campaigns through newly registered domains, C2 servers, and phishing infrastructure weeks before operations begin. Clusters of domain registrations, new virtual private server deployments, or the reuse of previously identified infrastructure patterns have frequently preceded Iranian cyber operations targeting energy companies, government agencies, and regional critical infrastructure.

A second indicator would involve the emergence or testing of destructive malware. Iranian operators have previously deployed wiper malware such as Shamoon, ZeroCleare, and Apostle in campaigns targeting organizations in the Middle East. Prior to deployment, security researchers often detect modified variants of these malware families in sandbox environments or malware repositories. New destructive payloads, particularly those targeting domain controllers or enterprise file systems, could indicate preparations for disruptive cyber operations.

Finally, increased reconnaissance or credential harvesting targeting industrial environments would represent a significant escalation indicator. Iranian cyber actors have previously targeted industrial networks associated with oil, gas, and maritime infrastructure. Activity involving spear-phishing campaigns targeting engineers, attempts to access operational technology networks, or credential harvesting against industrial control systems could suggest attempts to establish access to critical infrastructure for potential disruptive operations.

The simultaneous appearance of these indicators (APT infrastructure activation, new destructive malware testing, and increased targeting of industrial environments) would likely signal preparations for a larger Iranian cyber campaign. PolySwarm analysts continue to monitor the evolving situation for developments that may impact the global cyber threat landscape.

 


Topics: Threat Bulletin, GNSS spoofing, Strait of Hormuz navigation disruption, Iranian electronic warfare, Persian Gulf maritime security, maritime GPS spoofing, cyber warfare Iran APT groups, AIS manipulation, hybrid warfare Iran cyber strategy, IRGC electronic warfare capabilities
