On Wednesday, June 23, 2021, news began circulating of warning shots being fired at a Royal Navy warship. The claim was that Russia had fired the warning as the warship neared the Crimean Peninsula. The Russian defense agency went on to claim that a warplane dropped four bombs in the path of the HMS Defender. At first, it seemed as though the UK may have sailed too close to one of Russia’s largest naval bases. The UK Ministry of Defense denied any claims that warning shots had even been fired. Soon, analysts began piecing together a weird series of events that pointed more toward AIS spoofing and mis/disinformation.
Already there have been a few in-depth writeups about what may have transpired with the HMS Defender, see here for a great example. To avoid rehashing events that have already been analyzed, I wanted to go into further detail on what exactly AIS spoofing is and why it could be used as a tactic in this situation.
What is AIS?
AIS or Automatic Identification System is a transceiver-based tracking system located on a ship that is generally used for collision avoidance or emergencies. S-AIS is a similar method of tracking AIS signatures but is done by satellite. If you have a familiarity with plane tracking, it works much the same as the ADS-B.
AIS transmits things like vessel name, speed, course, position, and can be integrated with a GPS. For International ships weighing over 300 gross tons and all passenger ships, AIS is now required by the International Maritime Organization (IMO). Global AIS data is highly valuable for a Maritime OSINT analyst as this data allows for teal-time vessel tracking as well as archiving of historical paths. When this data is layered with AI it is possible to predict things such as risk ahead of time and save shipping companies from the headache of another Evergiven situation.
Where can I see AIS data?
This is tricky, partial AIS data is available for free from companies like MarineTraffic and VesselFinder. If you need more detailed events like historical paths, reflags, and draught you are required to purchase an account. Luckily, if you just want to see ships in real-time and don’t require an in-depth analysis it is not a problem.
The Dark Side of AIS
The ocean is vast and when performing Maritime OSINT you quickly realize that there is an abundance of incredibly shady things happening out in the ocean. Illegal transport of weapons, sanctioned cargo, human trafficking, drug trafficking, illegal fishing… just to name a few. When carrying out these types of illicit activities by ship it would be defeatist to broadcast exactly who you are and where you are going so in order to get around this, people tamper with the AIS onboard or “spoof” it. To make this a bit more clear, here are a few examples:
Example 1: You are piloting an Venezuelan oil tanker sanctioned by the United States government. In order to deliver oil and evade sanctions you go into the AIS and switch your flag information to something innocuous like Panama. The ship now appears to be a Panamanian ship but is still broadcasting the IMO number and MMSI of the Venezuelan ship. IMO and MMSI are vessel Identification numbers kind of like a VIN and license plate. Within the AIS you switch your IMO and your MMSI to something random. Now on the AIS, you will appear as a completely different ship to those around you.
Example 2: Using the same sanctioned oil scenario as above you can instead just turn off the AIS or “go dark.” This offers some level of deniability because going dark might also mean the AIS was broken. Now you fulfill your destiny and when you finish your illicit activities you turn the AIS back on and your journey was not logged.
Example 3: Continuing with the same scenario, this time instead of changing the ship IMO and MMSI randomly, you change it to match a vessel in a completely different area. Effectively, you assume their identity while transporting your illegal shipment and then switch the IMO and MMSI back upon your return.
- Note: Dark AIS does NOT always equal illicit activity. Dark AIS could be seen if the system is malfunctioning and therefore we need to verify activity based on multiple sources.
And finally, we arrive at the HMS Defender:
Now that we have run through how AIS works, let’s jump back to our scenario with the HMS Defender. Using social media, we can recreate and walkthrough the events to see how effective the AIS tampering was.
June 23, 2021: The news began to report Russia’s claims of chasing the HMS Defender away from Crimea with warning shots and bombs in its path.
This report was quickly followed up by the UK Ministry of Defence claiming no shots had been fired at the HMS Defender. At this time, we are left wondering if this is Russia disinformation or is the UK trying to make it appear that nothing happened?
According to AIS, the ships left Odessa and sailed to Sevastopol near the harbor entrance and close to the Russian Black Sea Fleet. Speculation begins to build and reports on Twitter from accounts like @covertshores show live webcam footage of HMS Defender in port in Odessa at the time of the incident.
So why is this significant?
Postioning US warships outside of the Sevastopol harbor would be seen as a posturing move. The HMS Defender was reported to be using its IMO 4907878 while simultaneously positioned within Odessa’s port as shown by live youtube broadcasts and sites like Windy.com. This indicates some type of AIS spoofing, although the method has yet to be determined. Spoofing AIS is not necessarily new but this situation illustrates an interesting development in mis/disinformation. Much like deep fakes, AIS spoofing takes something the general public believes they can trust and makes it unreliable. This type of manipulation could have deep and lasting effects when dealing with international events.