Anticipating the Next Black Sea Shipping Crisis​

By Thea Dunlevie, Senior Analyst of the Center for Maritime Strategy

Original text was published here on June 27, 2023

Remember NotPetya, the most devastating cyberattack in human history?

The maritime industry must remember that this Russian cyberattack first proliferated throughout Europe’s maritime domain. One act of cyberwar quickly impacted 76 ports around the world and caused more than $10 billion dollars of damage worldwide.

Six years after NotPetya terrorized the global economy, and over one year since Russia invaded Ukraine, Black Sea allied port authorities exporting Ukrainian products are increasingly likely victims of cyberattacks orchestrated by Russian military entities or affiliates.

Russia’s ongoing strategic interests in the Black Sea, increasing limits on Russia’s ability to produce conventional capabilities, plus Russia’s past, disruptive, and successful cyberattacks against Ukraine make cyberattacks on allied Black Sea ports – including those of Romania, Bulgaria, and Ukraine – relatively attractive alternatives to conventional Black Sea strikes.

By initiating a cyberattack against an allied Black Sea port, Russia could pursue dominance in the Black Sea through maritime destabilization, effectively reordering regional civil and military operations, disrupting global shipping, and thwarting Ukraine’s export economy.

Information sharing among allies and partners will be key to deterring or remedying such Russian cyberattacks.

Interests and Points of Vulnerability in the Black Sea

For centuries, Russia has sought to warp the Black Sea balance of power for its own gain. Since Russia’s February 2022 invasion, destabilizing allied Black Sea military and commercial operations while maintaining Russian commercial shipping became a natural priority.

Russia enacted a naval blockade along Ukraine’s coastline; struck at least three commercial vessels with missiles; fired missiles upon Ukraine’s Black Sea port of Odesa (multiple times); attacked the Ukrainian port of Kherson and, most recently, the Port of Odessa, again.

Although the commercial shipping industry has somewhat adapted to these conditions, Russia’s aggression has created nearly unbearable security risks and exuberant maritime insurance rates for commercial vessels sailing through the Black Sea. And currently, Russia is leveraging the United Nations Black Sea Grain Initiative to slow down Ukrainian exports through the Black Sea.

The wartime burden of exporting Ukrainian products fell disproportionately to a handful of allied Black Sea ports. Ukrainian seaborne exports sail primarily from the Romanian port of Constanta, Bulgarian port of Varna, in addition to Ukrainian Danubian ports of Izmail, Reni, and Kiliia and the few Ukrainian ports protected by the tenuous United Nations Black Sea Grain Initiative, including Odessa, Chornomorsk, and Yuzhny/Pivdennyi.

These eight ports have been lifelines for the Ukrainian export economy. Therefore, they could be considered chokepoints and potential wartime targets by Russia given its ongoing willingness to compromise commercial and civilian maritime infrastructure.

Why Cyber?

Russia’s goals in the Black Sea – to reshape the Black Sea order and paralyze allied naval and commercial maneuvering while squeezing Ukraine’s economy – may soon be accomplished through non-kinetic means.

Several factors may increase the likelihood that Russia will target allied Black Sea ports with cyberattacks rather than missiles or other conventional capabilities:

Russian Cyberattacks Successfully Disrupt

Since Russia’s 2022 invasion, Russian cyberattacks have proven their capability to disrupt Ukrainian operations – civilian and military alike.

Senior NATO officials David Cattler and Daniel Black asserted last year that “cyber-operations have been Russia’s biggest military success to date in the war in Ukraine.”

Russia’s early 2022 ViaSat cyberattack against Ukraine, attributed by the United States to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (“GRU”), provides a recent example of how Russia stunned Ukrainian communications infrastructure to enhance its conventional invasion.

But an effective cyberattack does not need to cause disruption at the scale of ViaSat to be effective. Even “smaller,” targeted attacks can cause outsized effects.

Russia knows this, based on past operations, and could leverage cyberattacks for its political, economic, and military gain in the Black Sea.

Maritime Infrastructure is Vulnerable

Maritime infrastructure and vessels are already juicy targets of cyberattacks.

Between 2017 and 2020, cyberattacks against ships’ and ports’ informational technology (“IT”) and operational technology increased by 900%. Illustrating this uptick, a cybercriminal syndicate targeted the U.S. Port of Houston in 2021, following the infamous SolarWinds incident executed by Russian hackers. If a criminal syndicate could infiltrate the U.S.

Port of Houston’s systems, then it should not be surprising to expect that a Russian-state-sponsored entity could effectively target and compromise a Black Sea port’s electronic systems. In an era where “smart infrastructure” is pervasive within ports, maritime infrastructure’s attack surface expands, widening the door for cyber intrusions. While some have called for cybersecurity standardization across international ports, cybersecurity efforts remain decentralized. Black Sea ports are no exception.

Several European ports and maritime operators have already been victims of cyberattacks throughout the war. For example in February 2022, ransomware attacks caused the IT systems of 17 ports, operated by Oiltanking in Germany, SEA-Invest in Belgium, and Evos in the Netherlands, to go offline or experience disruptions. In March 2023, an unidentified hacker would disrupt operations through a malware attack targeting the Port of Antwerp-Bruges in Belgium, in addition to other Belgian and Dutch ports.

And just this month, Russian-affiliated hackers struck the Port of Rotterdam with distributed-denial-of-service attacks, which some believe is retaliation against the Netherlands’s plans to buy Ukraine Swiss tanks.

Black Sea ports must be considered at heightened risk for cyberattacks, given these ongoing incidents and demonstrations of hackers’ capabilities to disrupt maritime operations.

Ukraine’s Black Sea Allies are Targets

These eight allied Black Sea ports, specifically, must brace for Russian cyberattacks because they are particularly appealing targets for Russian military forces, or third-party affiliates, seeking to disrupt Ukrainian and allied Black Sea commerce at the source.

We may even expect attacks against Black Sea ports more “friendly” to Russia, like Bulgaria, if Russia employs a state-sponsored affiliate group which may decrease the chance of attribution.

Russia can then use these disruptions for its political, economic, and military leverage in the Black Sea, perhaps even to secure favorable export deals it has been pursuing. Russia has been testing the waters throughout the course of the war, by targeting maritime infrastructure, and continues to escalate wartime actions in the Black Sea.

The CyberPeace Institute categorizes the majority of Russia’s cyberattacks against Ukraine, to date, as “disruption” to important Ukrainian civilian and military systems.

Cyberattacks against ports could disrupt the flow of trade throughout the Black Sea, impacting Ukraine, allied exporting nations, and receiving nations in addition to causing logistical chaos within Black Sea.

These Black Sea ports operated by Ukraine, Romania, and Bulgaria are each managed individually and therefore – other than EU-wide regulations, such as the impending 2024 critical infrastructure regulations – will maintain decentralized cybersecurity defenses. This cyber environment may allow hackers to target greater numbers of vulnerabilities across these ports.

Russia needs Other Options

As Russia’s conventional capabilities become increasingly strained, we might expect the Russian military to employ less resource-intensive attacks, by conventional metrics.

While cyber-attacks are not necessarily less resource intensive, they require different resources than those currently impacted by sanctions, like optical systems, bearings, machine tools, engines, and microchips. Recent reporting and announcements from the Russian government reveal the Russian military’s struggle to produce new weaponry and ammunition. As an alternative, and as the Russian military has done before, Russia could enlist third parties to assist in cyberattacks, expanding potential capabilities, too.

Possible cyberattacks could take a variety of forms, including malware, ransomware, or wiper attacks which could distort, withhold, or delete critical data for facilitating Black Sea commerce from allied ports.

Especially ahead of Ukraine’s anticipated counter-offensive, it is reasonable to conclude Russia will be considering more resource-efficient ways to wage a war with no end in sight. Russian strategy continues to value the Black Sea in its war against Ukraine, and the cyber domain may become a preferred battlefield for Russia.


The consequences of a successful Russian cyberattack could be predictable at a high-level, if we recall the ViaSat or NotPetya incidents.

It could take many shapes, depending on the targets, and cause palpable disruptions even if the incident is resolved relatively quickly, in hours or days.

Malware spreads. Systems shut down. Cargo cannot be loaded or unloaded. Shipping stops or reroutes. Ships would further congest key transit routes, like the Bosphorus Straits, Kerch Strait, and the Danube Black Sea Canal.

Copy the international economic consequences of blockages in the Suez Canal or Panama Canal and paste them in the Black Sea. For context, blockage in the Suez Canal could cost global trade between $6 billion dollars to $10 billion dollars per week.

Countries could also potentially expect negative humanitarian consequences if Ukrainian agricultural exports destined for malnourished African or Middle Eastern countries are stalled for too long due to a cyberattack shutting down relevant maritime electronic systems.

Shipping routes near these Black Sea ports are already battling congestion, especially at the mouth of the Danube Delta and within the Bosphorus Straits, so additional strain caused by one or two port systems shutting down in the Black Sea could be market-moving.

The February 2022 ransomware attacks against European ports disrupted supply chains, rerouted oil tankers and caused congestion, and constricted product loading and unloading at ports until the ransomware breach was resolved.

We could expect similar fallout from a cyberattack against an allied Black Sea port which could prevent loading of Ukrainian grain onto vessels for export to Africa, for example, or increase regional congestion due to rerouting, indefinitely delaying exports.


Coordination among allies will be key to deterring and/or remedying Russian cyberattacks against Black Sea ports.

Black Sea port nations should consider an intelligence sharing model to improve cyber domain awareness and empower each port’s cyber defenses.

The Port of Los Angeles, which reportedly defends against 40 million cyberattack attempts each month, provides a model for intelligence sharing among its internal partners. It maintains a security operations center which diffuses threat information. The Port of Rotterdam is currently considering a similar model, after the 2022 cyberattacks on the Port of Antwerp-Bruges.

Some Black Sea countries, like Turkey, keep various cybersecurity intelligence sharing agreements with others, like Bulgaria and Ukraine, but these partnerships could be expanded to all allied Black Sea port nations.

Such agreements can facilitate intelligence sharing to strengthen cybersecurity defenses and to inform updated incident response plans, should cyberattacks occur.

Opportunities may be created for Black Sea nations to enter intelligence sharing partnerships with nations of European ports recently victimized by cyberattacks, such as the Port of Antwerp-Bruges and the Port of Rotterdam, to share cybersecurity best practices while they improve their own cyber resilience.

Additional cybersecurity measures are increasingly important for these Black Sea ports as Ukraine prepares to wage its counteroffensive, as the Russian economy squeezes, and as the Russian military struggles to produce conventional capabilities.

These factors increase the chance of an unconventional attack. Since and even before the war began, Russia has proven itself as a capable, equipped cyber adversary while continuing to demonstrate its unwavering interest in “securing” the Black Sea.

As the war continues, entities overseeing maritime infrastructure and commercial shipping vessels must remain on exceptionally high alert to Russian cyberattacks which could reshape the Black Sea order and rock the global economy.

* * *

This article has been prepared with the support of the European Union in Ukraine. The content of the article is the sole responsibility of the authors and does not necessarily reflect the position of the EU