Navigating The Invisible: Predictive Threat Intelligence in Maritime Operations
This talk demonstrates a hybrid red-team methodology for tracking and unmasking illicit maritime activities by fusing open-source intelligence (OSINT) with satellite imagery. The research focuses on identifying 'ghost tankers' that engage in ship-to-ship (STS) transfers of sanctioned oil by manipulating Automatic Identification System (AIS) data. The speakers detail how to correlate AIS anomalies with Synthetic Aperture Radar (SAR) imagery to confirm physical presence and identify operational security failures. The presentation highlights the use of leaked corporate data and credential exploitation to gain access to internal terminal management systems.
Unmasking Ghost Tankers: How OSINT and SAR Imagery Expose Illicit Maritime Trade
TLDR: This research demonstrates how to track sanctioned oil shipments by correlating AIS transponder data with Synthetic Aperture Radar (SAR) imagery. By identifying 'ghost tankers' that go dark to perform ship-to-ship transfers, researchers can prove illicit activity using publicly available data. The talk also details how attackers exploit weak access controls in terminal management systems to gain operational intelligence.
Maritime logistics security is often treated as a black box, but the reality is that the entire industry relies on a fragile, transparent infrastructure that is ripe for exploitation. When a vessel wants to move sanctioned cargo, it does not simply vanish. It relies on a combination of technical deception and human error. The recent research presented at DEF CON 2025 provides a masterclass in how to fuse disparate data sources to track these movements, proving that even the most sophisticated evasion techniques leave a digital trail for anyone willing to look.
The Mechanics of Maritime Deception
The primary mechanism for tracking vessels is the Automatic Identification System (AIS), a broadcast protocol that transmits a ship's identity, position, and course. Because AIS is unencrypted and lacks authentication, it is trivial to spoof or simply disable. When a vessel enters a high-risk zone or approaches another ship for an illicit transfer, it often goes dark by turning off its transponder.
This is where the research shifts from basic tracking to advanced correlation. By using Sentinel-1 SAR imagery, researchers can confirm the physical presence of a vessel regardless of weather or lighting conditions. If an AIS track stops abruptly and a SAR image shows two vessels in close proximity at that exact coordinate, you have definitive evidence of a ship-to-ship transfer. This fusion of data turns a simple signal outage into a smoking gun.
Exploiting Terminal Management Systems
Beyond tracking, the research highlights how attackers gain deeper intelligence by targeting the systems that manage port operations. These platforms, such as those used for terminal management, often suffer from Broken Access Control and Identification and Authentication Failures.
During the presentation, the researchers demonstrated the exploitation of CVE-2025-5887, a vulnerability that allows unauthorized access to sensitive terminal data. By leveraging leaked credentials found on the dark web, an attacker can pivot from simple reconnaissance to full system access. Once inside, they can pull crew manifests, vessel schedules, and even internal email communications.
For a pentester, this is a reminder that the most valuable data is rarely sitting behind a complex exploit chain. It is often sitting behind a login page that is protected by nothing more than a weak password or a misconfigured session token. If you are testing an organization in the logistics sector, your focus should be on the intersection of their public-facing portals and the internal data they expose.
The Power of Fused Intelligence
The methodology presented relies on a five-step intelligence cycle: collect, process, correlate, analyze, and disseminate. While tools like MarineTraffic or Starboard provide the raw data, the real value comes from the human analyst who can interpret the anomalies.
Consider the following workflow for a researcher investigating a suspicious vessel:
# Example of querying vessel identity against public registries
curl -X GET "https://api.equasis.org/vessel?imo=9178605" -H "Authorization: Bearer <TOKEN>"
# Correlating AIS gaps with known sanctioned zones
# Look for vessels that disable AIS within 5 nautical miles of a transfer point
./ais_analyzer --input logs.csv --filter "status=dark" --proximity 5nm
This is not about finding a zero-day exploit in a satellite. It is about understanding the operational security failures of the target. When a vessel uses a stolen identity from a scrapped ship to mask its movements, it creates a discrepancy in the registry. When that same vessel disables its AIS transponder, it creates a gap in the signal. When you combine these two facts, the deception becomes obvious.
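The AIS-gap step of the workflow above, written out as a small analyser. This is an added example, not code from the talk or from any tool named on the page: it reads constructed AIS position rows, flags any silence longer than a threshold whose last known position lies within a chosen distance of a hypothetical transfer point (the coordinates and MMSIs are made up), and counts constructed SAR detections that fall inside that silence and close to the last position, which is the correlation the text describes.

```python
# Added example: detect AIS "dark" gaps near a transfer point and count SAR
# detections that fall inside each gap. All coordinates, MMSIs and timestamps
# below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

@dataclass
class AisFix:
    mmsi: str
    ts: datetime
    lat: float
    lon: float

@dataclass
class SarDetection:
    ts: datetime
    lat: float
    lon: float

@dataclass
class DarkGap:
    mmsi: str
    start: datetime
    end: datetime
    last_lat: float
    last_lon: float
    dist_to_zone_nm: float
    sar_hits: int

def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in nautical miles."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(a))

def parse_ais(lines):
    """Parse 'mmsi,iso_timestamp,lat,lon' rows into AisFix records."""
    fixes = []
    for line in lines:
        mmsi, ts, lat, lon = (field.strip() for field in line.split(","))
        fixes.append(AisFix(mmsi, datetime.fromisoformat(ts), float(lat), float(lon)))
    return fixes

def find_dark_gaps(fixes, zone, sar=(), proximity_nm=5.0,
                   min_gap=timedelta(hours=2), sar_radius_nm=2.0):
    """One DarkGap per AIS silence longer than min_gap whose last known
    position lies within proximity_nm of zone. sar_hits counts SAR detections
    timestamped inside the gap and within sar_radius_nm of that position."""
    tracks = {}
    for fix in fixes:
        tracks.setdefault(fix.mmsi, []).append(fix)
    gaps = []
    for mmsi, track in tracks.items():
        track.sort(key=lambda f: f.ts)
        for prev, nxt in zip(track, track[1:]):
            if nxt.ts - prev.ts < min_gap:
                continue
            dist = haversine_nm(prev.lat, prev.lon, zone[0], zone[1])
            if dist > proximity_nm:
                continue
            hits = sum(
                1 for d in sar
                if prev.ts <= d.ts <= nxt.ts
                and haversine_nm(prev.lat, prev.lon, d.lat, d.lon) <= sar_radius_nm
            )
            gaps.append(DarkGap(mmsi, prev.ts, nxt.ts, prev.lat, prev.lon, round(dist, 2), hits))
    return gaps

# Constructed inputs: a hypothetical transfer point and three synthetic tracks.
TRANSFER_ZONE = (25.000, 56.500)
SAMPLE_AIS = [
    # Vessel 111111111: reports, then 8 hours of silence about 1.6 nm from the zone.
    "111111111,2025-03-01T01:00:00,25.020,56.520",
    "111111111,2025-03-01T02:00:00,25.020,56.520",
    "111111111,2025-03-01T10:00:00,25.020,56.520",
    "111111111,2025-03-01T11:00:00,25.020,56.520",
    # Vessel 222222222: same 8-hour silence, but roughly 30 nm from the zone.
    "222222222,2025-03-01T02:00:00,25.500,56.500",
    "222222222,2025-03-01T10:00:00,25.500,56.500",
    # Vessel 333333333: continuous hourly reporting, nothing to flag.
    "333333333,2025-03-01T02:00:00,24.000,55.000",
    "333333333,2025-03-01T03:00:00,24.000,55.000",
]
SAMPLE_SAR = [
    SarDetection(datetime(2025, 3, 1, 5, 0), 25.030, 56.530),  # inside gap, ~0.8 nm away
    SarDetection(datetime(2025, 3, 1, 5, 0), 25.025, 56.525),  # inside gap, ~0.4 nm away
    SarDetection(datetime(2025, 3, 1, 5, 0), 24.000, 55.000),  # inside gap, far away
]

def analyse_sample():
    return find_dark_gaps(parse_ais(SAMPLE_AIS), TRANSFER_ZONE, sar=SAMPLE_SAR)

if __name__ == "__main__":
    for gap in analyse_sample():
        print(f"{gap.mmsi}: dark {gap.start:%H:%M}-{gap.end:%H:%M}, "
              f"{gap.dist_to_zone_nm} nm from zone, {gap.sar_hits} SAR detection(s) in gap")
```

Only the first vessel is flagged: the second goes dark just as long but far from the zone, and the third never stops reporting. The two SAR detections counted inside the gap are what turn the silence into something worth pulling the imagery for; the thresholds are parameters because the right gap length and radius depend on the area and the satellite revisit time.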
Defensive Realities
Defending against this level of intelligence gathering is difficult because the data is largely public. However, organizations can significantly raise the cost of an attack by implementing strict multi-factor authentication on all terminal management systems and monitoring for anomalous login patterns. If your organization operates in the maritime space, you must assume that your vessel movements are being tracked. The goal is to ensure that your internal systems are not providing the context that turns a suspicious track into a confirmed illicit operation.
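Two of the login-pattern checks a terminal operator could run over portal authentication logs, as an added example (not code from the talk or from any terminal management product): a sliding-window detector for failed logins from one source spread across many accounts, and an impossible-travel check for one account succeeding from two countries within an hour. The log rows are constructed; the IP addresses are from the RFC 5737 documentation ranges and the account names are made up.

```python
# Added example: two detections over a constructed terminal-portal auth log.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log rows: iso_timestamp,user,src_ip,geo_country,result
# (IPs from RFC 5737 documentation ranges; "ZZ" marks an unresolved geolocation).
SAMPLE_AUTH_LOG = [
    "2025-03-01T08:00:00,ops.planner,198.51.100.20,NL,OK",
    "2025-03-01T08:25:00,ops.planner,192.0.2.44,SG,OK",
    "2025-03-01T08:10:00,berth.admin,198.51.100.21,NL,OK",
    "2025-03-01T09:00:00,berth.admin,198.51.100.21,NL,FAIL",
    "2025-03-01T09:00:30,berth.admin,198.51.100.21,NL,OK",
    "2025-03-01T09:30:00,crew.desk,203.0.113.7,ZZ,FAIL",
    "2025-03-01T09:30:20,berth.admin,203.0.113.7,ZZ,FAIL",
    "2025-03-01T09:30:40,ops.planner,203.0.113.7,ZZ,FAIL",
    "2025-03-01T09:31:00,gate.ops,203.0.113.7,ZZ,FAIL",
    "2025-03-01T09:31:20,hr.portal,203.0.113.7,ZZ,FAIL",
    "2025-03-01T09:31:40,crew.desk,203.0.113.7,ZZ,FAIL",
    "2025-03-01T09:32:00,hr.portal,203.0.113.7,ZZ,OK",
]

def parse_auth(lines):
    """Parse the constructed row format into dicts, sorted by time."""
    events = []
    for line in lines:
        ts, user, ip, country, result = (f.strip() for f in line.split(","))
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src_ip": ip, "country": country, "result": result})
    return sorted(events, key=lambda e: e["ts"])

def credential_stuffing(events, window=timedelta(minutes=10),
                        min_failures=5, min_accounts=3):
    """One alert per source IP whose failed logins, inside some sliding window,
    reach min_failures spread over at least min_accounts distinct accounts.
    The alert reports the largest qualifying window for that IP."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in failures.items():
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            accounts = {e["user"] for e in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                if best is None or len(span) > best["failures"]:
                    best = {"type": "credential_stuffing", "src_ip": ip,
                            "failures": len(span), "accounts": len(accounts),
                            "first": span[0]["ts"], "last": span[-1]["ts"]}
        if best:
            alerts.append(best)
    return alerts

def impossible_travel(events, max_gap=timedelta(hours=1)):
    """Alert when one account succeeds from two different geolocated
    countries less than max_gap apart."""
    successes = defaultdict(list)
    for e in events:
        if e["result"] == "OK":
            successes[e["user"]].append(e)
    alerts = []
    for user, evs in successes.items():
        for a, b in zip(evs, evs[1:]):
            if a["country"] != b["country"] and b["ts"] - a["ts"] <= max_gap:
                alerts.append({"type": "impossible_travel", "user": user,
                               "from": a["country"], "to": b["country"],
                               "minutes": int((b["ts"] - a["ts"]).total_seconds() // 60)})
    return alerts

def run_detections(lines=SAMPLE_AUTH_LOG):
    events = parse_auth(lines)
    return credential_stuffing(events) + impossible_travel(events)

if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the sample, the single mistyped password from the berth administrator's usual address is ignored, while the burst from 203.0.113.7 across five accounts and the planner's two-country login 25 minutes apart are both raised. The success that follows the burst is the event worth investigating first, and it is exactly the login that multi-factor authentication on the portal would have stopped.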
The most effective way to approach this as a researcher is to stop looking for a single vulnerability and start looking for the narrative. The technical details are just the supporting evidence for a larger story of operational failure. Whether you are hunting for bugs in a terminal portal or tracking a ghost tanker across the Indian Ocean, the process remains the same: gather the data, find the discrepancy, and follow the trail until the invisible becomes visible.