More than a hundred warships from as many as 14 nations may have had their locations faked on a global tracking system used to monitor maritime activity and help prevent collisions. The spoofing seems to be happening, but who’s behind it and why?
The potential for international incidents
On June 18 of this year, a system used to track the locations of vessels on the open ocean showed two NATO warships steam out of port in Odessa, Ukraine near midnight, under cover of darkness. The two ships, one British Destroyer and one Frigate from the Royal Netherlands, set course through the Black Sea to Sevastopol, the strategic headquarters of Russia’s Black Sea fleet.
Before long, the HMS Defender and HNLMS Evertsen had closed to within just two nautical miles of the Russian port, in what seemed like one of the most brazenly aggressive acts taken by NATO warships in recent memory. Parking so close to the epicenter of Russia’s military might in the region would almost certainly prompt a response. Indeed, later that same week, Russian warships would claim to fire warning shots at the very same British destroyer in the very same region.
Sending these ships so close to a Russian Navy base could have resulted in an even more aggressive response from Putin’s forces than warning shots. There was just one thing stopping them…
The HMS Defender and HNLMS Evertsen never actually left port.
At the time, this spoofing of the Automatic Identification System (AIS) was reported in the news, but the story quickly slipped back beneath the surf as other, more pressing, stories reached the news cycle. Soon, most had forgotten about the unusual signals seemingly sending a NATO ghost fleet straight into the heart of Russia’s regional defenses. That is, until July 29, when a joint analysis from the non-profit SkyTruth and Global Fishing Watch was released showing that this was no fluke, nor was it an accident.
In fact, they claimed to have discovered a trend of over 100 warships flagged from at least 14 different nations that have had their locations “spoofed” or faked since August of 2020. Many of these ships are European and American, but not all. In fact, at least two have been from the Russian Navy. More pressing, these fake signals often show these warships entering contested waterways or the sovereign territory of other nations.
“Analysis of tracking data from Automatic Identification System broadcasts reveals vessel locations have been simulated for a number of ships, including military vessels,” the report reads.
“This false information could compromise vessel safety, decrease confidence in a crucial collision avoidance system and potentially spark international conflict.“
Faking the location of an entire carrier strike group
Last September, the Royal Navy’s new flagship, the carrier HMS Queen Elizabeth, was shown on the same Automatic Identification System sailing alongside a bevy of warships from allied nations the Netherlands and Belgium. The carrier strike group, comprised of six total vessels, could be seen clearly on the publicly available tracking information heading for the Irish Sea.
But satellite imagery of their location on that day, at that time, shows nothing but waves and surf: no ships, no crews, nothing but water.
The ships being tracked by the AIS alongside the British carrier were:
- HMS Duncan
- HMS Albion
- Dutch HNLMS Rotterdam
- HNLMS Johan de Witt
- Belgian BNS Leopold I
As you might now expect, that fleet and their entire voyage also never existed.
“This flotilla of massive warships should have made quite a striking picture on Sentinel-2 satellite imagery. However, the image coinciding with the AIS transit dates, seen below, shows none of the six naval vessels. Furthermore, several publicly posted photos and news articles show that these vessels were in port elsewhere at the time,” SkyTruth’s report goes on.
The Automatic Identification System
The system being spoofed, called the Automatic Identification System (AIS), is an automatic tracking system that pulls data from transceivers installed in every ocean-going vessel. The data is collected by satellites overhead and aggregated for use in maritime safety efforts (to avoid collisions) and increasingly, to identify vessels that are violating international sanctions and the like. While this system isn’t the primary means of preventing a collision onboard most ships (collision avoidance radar fills that role), this data is widely leveraged for everything from logistics to criminal investigations.
But it would seem that someone has found a way to fool this system into seeing ships that aren’t there, even fabricating entire voyages. Bjorn Bergman, a data analyst with SkyTruth and Global Fishing Watch, first identified nine Swedish naval vessels sailing south of Karlskrona that weren’t really there on February 4 and 5 of 2021. As he poured over the data, he found an unusual pattern in the code, so he used it to create a search query to identify any other potential fakes out on the seven seas.
“The results were alarming. Nearly a hundred U.S. and European naval vessels had track segments with the same AIS pattern as the false tracks of the Swedish navy ships near Karlskrona,” he wrote.
“Over the past few months I dug into this data using all available sources to confirm vessel locations and identities. I confirmed false AIS positions for 15 navy vessels from seven countries, with many more vessels suspected of having fabricated positions.”
The nations with apparently faked warship positions include:
- United States
- The Netherlands
Bergman used publicly available images of the ships, satellite imagery, and even formal confirmation from national navies to determine the actual location of the confirmed fakes, but confirming them all is difficult. Some ships don’t have many photos taken of them in port, or the suspected fakes are beneath a thick layer of cloud cover satellites can’t see past.
With more than a hundred potential “ghost ships” shown in AIS in recent months, Bergman has yet to find a single one with the unusual code pattern that he can prove was actually there.
It’s important to note that warships are known to turn off their AIS transponders, which makes locating them more difficult, but until recently, no one had ever spotted fake transmissions before.
Who would fake warship positions and why?
Because the majority of faked ship signals seem to be from NATO nations, often showing them behave aggressively toward Russia, the inclination is to assume that Russia has a had in this effort. After all, Russia is perhaps best known in the 21st century as a Grey Zone power, often leveraging cyber campaigns and hacking to achieve their geopolitical aims.
“Confirmed and suspected false AIS segments show incursions by 11 North Atlantic Treaty Organization (NATO) and NATO allied warships into Russian territorial waters near Kaliningrad and Murmansk as well as within the disputed territorial waters around Crimea in the Black Sea,” the report states.
If indeed Russian in origin, the effort could be aimed at presenting NATO nations as aggressive, bolstering Russia’s repeated claims that accusations about the nation’s aggressive behavior, including attempted assassinations on foreign soil and the military annexation of Crimea in 2014, are more about international bullying than Russia violating international norms.
Russia has long relied on an information operation strategy known as Reflexive Control, wherein they flood the media (and now social media) with conflicting information and intentional disinformation all aimed at driving the recipient to an intended conclusion that they feel as though they arrived at organically. Russian efforts to manipulate the 2016 presidential election, as one example, has become a controversial subject in American politics, with many Republicans often downplaying Russia’s meddling and many Democrats presenting it as nothing short of a foreign-backed insurrection. The truth, however, was that Russia’s aim was less about putting Trump in the White House and more about diminishing the American public’s faith in its electoral process and government as a whole.
In that regard, one could argue that their Reflexive Control strategy was a rousing success.
The AIS system isn’t so heavily relied upon that these ghost readings could spark a war, but they are so widely leveraged that they could almost certainly be used to substantiate aggressive behavior in response to what appears to be a Naval incursion. In other words, these ghost readings could be about painting Russia as the victim of international prodding.
“We are aware of manipulation of AIS tracking data placing Carrier Strike Group vessels in areas where they were not,” a spokesperson for the UK Ministry of Defence told WIRED.
“There was no operational impact on any of the vessels, but AIS is the commercial global safety system for all marine traffic. Any manipulation could result in a serious incident.”
However, at least two Russian ships also seem to have been spoofed in the past year. That doesn’t eliminate Russia as a possibility, but it does muddy the proverbial waters.
It’s not over: The USS Roosevelt was spoofed on July 15
We’re not talking about an isolated incident, but rather an ongoing situation. As recently as July 15, the USS Roosevelt, an Arleigh Burke-class guided-missile destroyer, was shown on AIS to be sailing into Russian territorial waters near Norway while the vessel itself was actually hundreds of miles away training with members of Norway’s Navy.
Thus far, there hasn’t been third-party confirmation of Skytruth’s analysis, and Bergman has not released the tell-tale pattern in the code he’s identified, citing concerns that the perpetrator or perpetrators will adjust their approach to eliminate his ability to track them.
So for now, at least, these digital ghost ships remain a pressing mystery–and perhaps even an international incident waiting to happen.