Salty Seagull: A VSAT Honeynet to Follow the Bread Crumb of Attacks in Ship Networks

TL;DR

This paper introduces Salty Seagull, a specialized honeynet simulating a ship's VSAT system to study cyberattack behaviors in maritime networks, revealing limited attacker engagement over 30 days.

Contribution

The paper presents a novel maritime-specific honeynet that mimics VSAT systems, integrating vulnerabilities to attract and analyze cyber threats in the maritime industry.

Findings

Numerous generic attacks were attempted on the honeynet.

Only one attacker accessed the system with some knowledge of vulnerabilities.

The attacker did not fully exploit the honeynet's potential.

Abstract

Cyber threats against the maritime industry have increased notably in recent years, highlighting the need for innovative cybersecurity approaches. Ships, as critical assets, possess highly specialized and interconnected network infrastructures, where their legacy systems and operational constraints further exacerbate their vulnerability to cyberattacks. To better understand this evolving threat landscape, we propose the use of cyber-deception techniques and in particular honeynets, as a means to gather valuable insights into ongoing attack campaigns targeting the maritime sector. In this paper we present Salty Seagull, a honeynet conceived to simulate a VSAT system for ships. This environment mimics the operations of a functional VSAT system onboard and, at the same time, enables a user to interact with it through a Web dashboard and a CLI environment. Furthermore, based on existing vulnerabilities, we purposefully integrate them into our system to increase attacker engagement. We exposed our honeynet for 30 days to the Internet to assess its capability and measured the received interaction. Results show that while numerous generic attacks have been attempted, only one curious attacker with knowledge of the nature of the system and its vulnerabilities managed to access it, without however exploring its full potential.