CyberSecurity SEE

Adriatic Port Cyber Attack Raises Concerns About Maritime Security

Anubis Ransomware Group’s Attack on Adriatic Port Authority Signals Urgent Threat to Maritime Infrastructure

In a significant cybersecurity incident, the Anubis ransomware group has launched a targeted attack against the Adriatic Port Authority, serving as a stark warning regarding vulnerabilities in maritime infrastructure. This incident has raised alarming concerns about the resilience of port authorities and their ability to fend off advanced cyber threats.

A recent analysis by Resecurity, a prominent threat intelligence firm, provides insights into the nature and implications of this attack. The investigation, published on June 11, revealed that the Anubis group officially listed the Adriatic Port Authority on its data leak site, a move that serves both as a threat to the authority and as a rallying point for others in the industry.

The Adriatic Port Authority, which manages the Italian port of Ancona, has indicated that the breach occurred on December 11, 2025, a detail it made public in January 2026 when Anubis claimed responsibility for the attack and began leaking sensitive data. Although the authority has assessed the data loss at approximately 2% of its total information, it noted that backup systems preserved the majority of data. However, the stolen information did include some sensitive employee records that have since surfaced on the dark web.

Resecurity’s findings suggest that the ramifications of the attack were far-reaching. The firm documented disrupted operations, rerouted shipping vessels, and revealed a staggering ransom demand of $10 million in Bitcoin. These disruptions might have long-term implications for the function and efficiency of the port, which is critical for maritime trade.

Sensitive information compromised in the attack included not only contracts and employee records but also vital port safety plans and security operation details—data that is particularly valuable to criminal organizations involved in smuggling and insider threats. This illustrates a critical breach in security protocols that could potentially facilitate further illicit activities.

To gain entry, the attackers reportedly utilized a spear-phishing email directed at employees of the company managing the port’s logistics. Following this initial breach, the group was able to move laterally across the network to access core system functionalities without targeting operational technologies. This approach highlights a troubling trend where even established IT defenses can be circumvented through weaknesses in user management and cloud administration.

The Anubis group itself has gained notoriety since its emergence in December 2024. They introduced an affiliate program in February 2025, adopting a ransomware-as-a-service (RaaS) model that enables other cybercriminals to deploy their toolkit. This structure allows affiliates to retain 80% of the revenue generated from ransomware deployments, 60% from data extortion, and 50% for brokers facilitating initial access. The group has reported earnings surpassing $20 million, primarily from victims across various sectors, including healthcare, construction, and engineering.

Resecurity’s analysis has connected Anubis with widespread exploitation of internet-facing systems, often capitalizing on known, unpatched vulnerabilities across various platforms. Key vulnerabilities exploited included a lack of multi-factor authentication in SonicWall VPNs, flaws in SolarWinds Web Help Desk systems, and vulnerabilities in Cisco SSL VPNs, among others. These oversights paint a concerning picture of organizations’ cyber hygiene, particularly in an era where cyber threats are increasingly sophisticated.

The ramifications of such attacks extend beyond the Adriatic Port Authority, with Resecurity noting a trend of ransomware incidents affecting ports worldwide, including the notable cases involving Maersk and Japan’s Nagoya Port. These instances collectively underscore an urgent need for enhanced cybersecurity measures across the maritime sector.

As digitalization continues to expand the attack surface for port authorities, industry experts warn that poor IT infrastructures and low cyber maturity create an intensified risk landscape within maritime security that is likely to worsen leading up to 2030. The attack by Anubis serves not merely as a singular event but as a harbinger of the evolving threats faced by critical infrastructure in the maritime industry, necessitating immediate and robust responses to fortify defenses against future cyber incursions.
