Phantom Warships Are Courting Chaos in Conflict Zones Posted on 8/3/2021 at 15:08:53 by Will Croom 2
On September 17 last year, the largest ship in the UK's Royal Navy, the aircraft carrier HMS Queen Elizabeth, steamed majestically towards the Irish Sea. The 283-meter-long fleet flagship was flanked by an escort of destroyers and smaller ships from the UK, Dutch, and Belgian navies. The six vessels moving in close formation would have made an awe-inspiring spectacle—if they had actually been there.
In fact, satellite imagery of their supposed locations shows nothing but deep blue sea, and news reports suggest the warships were actually scattered in distant ports at the time. The Queen Elizabeth and its flotilla were previously unreported victims of a disturbing trend: warships having their positions—and even entire voyages—faked using the automatic identification system, a wireless radio technology designed to prevent collisions at sea.
According to analysis conducted by conservation technology nonprofit SkyTruth and Global Fishing Watch, over 100 warships from at least 14 European countries, Russia, and the US appear to have had their locations faked, sometimes for days at a time, since August 2020. Some of these tracks show the warships approaching foreign naval bases or intruding into disputed waters, activities that could escalate tension in hot spots like the Black Sea and the Baltic. Only a few of these fake tracks have previously been reported, and all share characteristics that suggest a common perpetrator.
By international law, all but the smallest commercial ships have to install AIS transponders. Using GPS data, these devices broadcast their identity, position, course, and speed to other ships in the area every few seconds, helping to keep crowded waterways safe. Military vessels are not obliged to broadcast AIS but many do when navigating busy ports—sometimes under assumed identities.
Although the range of these VHF radio signals is limited, a global network of public and private shore-based AIS receivers—and now fleets of orbiting satellites—also pick up AIS signals, which sites like MarineTraffic and AISHub then aggregate and make publicly available online. While fake data here does not directly threaten maritime safety—ships rely on their onboard systems rather than third-party sites—aggregated AIS data is now used for things like cargo tracking, search and rescue, monitoring environmental crimes, and identifying sanctions busters.
Bjorn Bergman is a data analyst working for SkyTruth and Global Fishing Watch who has been investigating fake AIS tracks for years, usually to uncover illegal fishing. In March this year, Bergman read a Swedish newspaper story in which the Swedish navy said the locations of nine of its vessels had been faked on MarineTraffic.
Bergman had noticed fake tracks on an AIS website before, when virtual yachts from an online sail racing game had improbably appeared on AISHub last year. But this was the first time he’d seen real ships impersonated, and warships no less.
“At SkyTruth, we’re particularly concerned where fake data is impacting fishing,” said Bergman in a video call interview. “But we want to understand generally how the data is being falsified and what we can do to detect and correct it.”
Bergman identified the nine warships from a screenshot in the story, then compared their fake AIS messages to genuine messages broadcast by the same vessels before and after the imposters. He noticed immediately that these were no amateur pranks or accidents. “The fake messages were very plausible, except that we had this confirmation from the Swedish navy that the positions were false,” he says.
Over 20 types of AIS message exist—some for supertankers, others for pleasure boaters—and each contains multiple data fields covering everything from navigational information to arcane communication settings. By closely comparing fields that are usually invisible to sailors, Bergman eventually found subtle differences between the fakes and the genuine data. He then used that pattern to write a query for a global historical database of AIS messages—and was shocked by the results.
His search found nearly a hundred sets of messages from multiple AIS data providers, going back as far as last September and spanning thousands of miles. More worrying still, the ships affected were almost exclusively military vessels from European and NATO countries, including at least two US nuclear submarines.
“It was alarming when I realized there were a lot of other vessels also showing this unusual AIS profile,” says Bergman. But he needed to know that the suspicious AIS messages were actually fake, not the result of a technical hiccup or a special military setting. Bergman spent the next few months laboriously verifying the actual positions of the targeted ships. At first, he used open source data including news reports, military press releases, and enthusiast websites like Warshipcam.com. “A lot of people like to take pictures of naval vessels and post them online,“ says Bergman. “I found examples where vessels were leaving or entering areas that seemed pretty impossible.”
Bergman then overlaid synthetic aperture radar and optical imagery from the European Space Agency’s Sentinel-1 and -2 satellites onto the suspicious AIS pings. If they were real, the AIS data should have matched up perfectly beneath a satellite image of the ship.
Instead, Bergman saw only empty ocean, time after time. In fact, he says, “I have not yet found an instance when a track flagged by the query as false turned out to be real.”
The stars did not always align for Bergman’s detective work. Some AIS tracks did not coincide with an ESA satellite overhead, or fell on cloudy days when optical images were useless. And some warships did not have a lot of Instagram fans. In the end, Bergman managed to confirm about 15 sets of AIS data as definitively fake.
As well as the Queen Elizabeth’s imaginary flotilla, Bergman found fake tracks of US, Dutch, Belgian, German, Lithuanian, Estonian, and other Swedish warships. One suspect track, not previously reported, shows the US guided missile destroyer USS Roosevelt steaming 4 kilometers into Russian territorial waters around Kaliningrad last November, a maneuver that would have been recklessly provocative if real. There appear to have been five other fake incursions near Kaliningrad in June. One involved a Polish warship following the exact same track, speed, and course as a Swedish corvette five days earlier, another indication for Bergman that the tracks are digitally generated.
In recent months, the faking activity appeared in the Black Sea for the first time. In June someone faked the AIS tracks of the UK destroyer HMS Defender and the Dutch frigate HNLMS Evertsen to show a direct approach to the Russian naval base at Sevastopol, near occupied Crimea—even while webcams showed them at dock in Odessa. And on July 2, Bergman’s query turned up another apparently fake incursion into Russian-claimed waters off Crimea, this time supposedly by the UK patrol vessel HMS Trent, accompanied by an Italian frigate and a Bulgarian corvette. He has yet to confirm these incidents using satellite imagery.
“We are aware of manipulation of AIS tracking data placing Carrier Strike Group vessels in areas where they were not,” a spokesperson for the UK Ministry of Defence told WIRED. “There was no operational impact on any of the vessels, but AIS is the commercial global safety system for all marine traffic. Any manipulation could result in a serious incident.” The US Navy did not immediately provide a comment.
Bergman has found no evidence directly linking the flood of fake AIS tracks to any country, organization, or individual. But they are consistent with Russian tactics, says Todd Humphreys, director of the Radionavigation Laboratory at the University of Texas at Austin. “While I can't say for sure who's doing this, the data fits a pattern of disinformation that our Russian friends are wont to engage in.”
Just two days after the HMS Defender had its AIS track faked, Russian forces allegedly fired warning shots at the destroyer during a transit close to the Crimean coast. “Imagine those shots hit their mark and Russia claimed to show that NATO ships were operating in their waters,” says Humphreys. “The West might cry foul, but as long as Russia can flood the system with enough disinformation, they can cause a situation where it's not clear their aggression was wrong. They love to operate in that kind of nebulous territory.”
One complication to that theory is that two Russian military ships recently also appeared in Bergman’s searches, showing them violating neighboring countries’ waters in turn. In June the patrol ship Pavel Derzhavin was shown within Ukrainian waters near Odessa, while the corvette Stoikiy supposedly sailed from Kaliningrad into Polish territory. Bergman believes that neither encroachment actually occurred.
Bergman is not making public the exact pattern that distinguishes the fake AIS messages, for fear that the attacker or attackers might modify them to be less detectable. He did tell WIRED that the fake tracks were all shown as coming from shore-based AIS receivers, with none collected by satellites. Given that real AIS signals from civilian ships near the supposed warship tracks were received by satellites overhead, Bergman believes this shows the fake AIS messages were not generated by actual malicious transmissions. Instead, he thinks they were created in AIS simulator software and then copied into the data stream feeding the AIS websites.
Paul Woods, cofounder and chief innovation officer of Global Fishing Watch, has seen Bergman’s work in detail, and he agrees with that theory. “That would be an easy way to have it show up in a whole bunch of systems that use AIS, because they're all buying from the same vendors,” he told WIRED.
“We are dedicated to making reliable, actionable information easily accessible” says Georgios Hatzimanolis, media strategist at MarineTraffic. “To ensure this, we are continuously enhancing our quality control and anomaly detection tools to pick up on such incidents.” For all the fake messages’ sophistication, Bergman remains confident that researchers and AIS websites can ultimately win out. “This is a solvable problem,” he says. “It can be picked out of the data with analysis. But we do need to be vigilant about using basic strategies to ensure that obviously false positions are not getting into a database.”
Todd Humphreys is less optimistic. “AIS is an unencrypted system that had its origins at a time when engineers were more naive,” he says. “We should work towards a way of adding digital signatures to each one of these messages as they go out. That would be my hope, because this is a major security breach.”
In the meantime, the phantom ships continue to sail. On July 15, Bergman’s query pinged once more. The USS Roosevelt seems to have been faked yet again, this time provocatively penetrating Russian waters near Norway. The destroyer was actually on a training exercise with Norwegian sailors, hundreds of miles away. Replies: There have been no replies.