Adriatic Port Cyberattack Raises Maritime Security Alarms

Summary
– The Anubis ransomware group attacked the Adriatic Port Authority, which runs the Italian port of Ancona, leaking data including contracts, employee records, and port safety plans.
– The port authority reported the December 2025 breach resulted in about 2% data loss, with backups preserving most data, though employee records appeared on the dark web.
– Threat intelligence firm Resecurity described crippled operations, rerouted vessels, and a $10 million Bitcoin ransom demand, with attackers gaining access via spear-phishing and exploiting IT weaknesses.
– Anubis, unrelated to the Android banking malware, operates a ransomware-as-a-service model offering affiliates up to 80% of ransom payments and has earned over $20 million.
– Resecurity warned that outdated port IT and low cyber maturity leave maritime infrastructure vulnerable, with ransomware attacks on ports expected to increase through 2030.
A cyberattack on a major Italian port authority by the Anubis ransomware group has sent shockwaves through the maritime industry, serving as a stark warning about the vulnerabilities in critical port infrastructure.
On June 11, threat intelligence firm Resecurity released a detailed analysis of the incident, which saw Anubis list the Adriatic Port Authority (Autorità di Sistema Portuale del Mare Adriatico Centrale) on its dark web data leak site. The authority, which oversees the port of Ancona, confirmed the breach originated on December 11, 2025, and was attributed to Anubis in January 2026, when the group publicly claimed responsibility and leaked sensitive data.
The port authority reported that approximately 2% of its data was compromised, with backups preserving the remainder. Officials described most of the stolen material as public or soon-to-be-public information, though employee records did surface on the dark web. Resecurity’s account painted a more alarming picture, detailing crippled operations, rerouted vessels, and a reported $10 million Bitcoin ransom demand.
The stolen data, according to Resecurity, included contracts, employee records, and, most critically, port safety plans and detailed security operations, the kind of intelligence prized by smuggling networks and those seeking to recruit insiders. The firm believes the attackers gained initial access through a spear-phishing email targeting staff at the company managing the port, then moved laterally to core systems. Notably, the attack did not target operational technology (OT); instead, it exploited IT weaknesses, including insecure cloud accounts managing Office 365 and Azure.
The Anubis Affiliate Machine
Anubis first emerged in December 2024 and launched an affiliate program in February 2025, renting out its toolkit through a ransomware-as-a-service (RaaS) model built around double extortion. Despite sharing a name, it is unrelated to the older Android banking malware. The group offers affiliates a generous cut: 80% for deploying ransomware, 60% for data extortion, and 50% for initial access brokers. This model, the group boasts, has earned more than $20 million, with victims spanning healthcare, construction, and engineering.
Resecurity linked Anubis to mass exploitation of internet-facing systems, often through known but unpatched vulnerabilities. Key vectors included SonicWall VPNs left without multi-factor authentication, SolarWinds Web Help Desk (CVE-2025-26399), Cisco SSL VPNs, and the CitrixBleed 2 flaw (CVE-2025-5777).
Beyond the port itself, Resecurity placed this attack within a broader pattern of ransomware hits on ports, from Maersk to Japan’s Nagoya. The firm warned that outdated port IT systems and thin cyber maturity leave the sector dangerously exposed as digitization widens the attack surface. This growing maritime security concern is expected to deepen through 2030.
(Source: Infosecurity Magazine)