Flags, Packets and False Identities: The Same Game Everywhere

Three ships sitting just 40 km away from Malmö. Not warships, not submarines, just cargo vessels that look ordinary unless you know what you're actually looking at.

JIN HUI, SEA OWL I, and CAFFA. All three are linked to Russia's shadow fleet. And all of them were intercepted by Swedish authorities at the beginning of March this year. Oil moved under sanctions, grain stolen from Ukraine, identities obscured behind flags of convenience, low-quality insurance to hide deficiencies in the vessels' security, and layered ownership designed to make accountability difficult. The CAFFA is now moored in Trelleborg, its crew arrested, and in a move that feels very familiar from a cybersecurity perspective, the vessel itself is being transferred to Ukraine. Not just stopped or destroyed, but taken over and reassigned. Like a malicious domain being seized and handed back to its rightful owner, turning a dangerous asset into something controlled.

If you did not know the history of these vessels, they would be nothing more than silhouettes on the horizon. That is what makes them effective.

War doesn't always look like war. It rarely announces itself clearly. Instead, it blends into our reality, into trade, logistics, and infrastructure. A tanker moving oil looks legitimate. A cargo vessel carrying grain looks expected. But context matters. The grain was stolen, and the oil bypassed international sanctions. Both activities feed into a system sustaining a broader conflict.

Cybersecurity works the same way. Most malicious traffic does not look malicious. It looks correct. Packets follow protocols, headers are well-formed, routing paths make sense. Everything appears compliant, but if you look inside, there can be something entirely different hiding in the payload. Data exfiltration, command instructions, or lateral movement embedded within otherwise normal traffic like DNS or HTTPS. Like a ship that passes every visual check while carrying cargo that should never be there.

Russia's shadow fleet, with more than 1.4k known vessels, behaves less like a traditional fleet and more like an advanced persistent threat. It is distributed, adaptive, and persistent. It operates under pressure, adjusts to sanctions, and finds new ways to continue functioning. Ships change flags, ownership is obscured, AIS (automatic identification system) signals are turned off to avoid tracking. Gaps in visibility are not mistakes; they are an integral part of the design.

In cyberspace, the patterns are identical. Attackers spoof data, alter information, rotate infrastructure, and move between providers. They heavily abuse legitimate services to blend in. They disable or tamper with logs. Becoming invisible is not possible, so they try to become indistinguishable from normal activity.

That difference matters. Hiding in plain sight does not mean disappearing. It means looking normal enough to not trigger suspicion.

Ships do not sail in isolation. They move among thousands of legitimate vessels, using the same routes and signals. The same applies to networks. Malicious traffic blends into billions of legitimate packets, using allowed ports, trusted services, and mimicking expected behavior.

This is why detection has moved from being purely IOC (indicators of compromise) based to behavior-based. It is not about spotting something obviously wrong, but about recognizing when something that looks right is in fact wrong. A valid AIS signal does not guarantee legitimate activity. A properly structured packet does not guarantee safety.

Authorities acted against these vessels with the same principle used in cyber defense: disrupt, not just observe. Sweden seized the ships, stopped their operations, and in the case of CAFFA, is transferring control to Ukraine. That goes beyond prevention. It removes the asset from the attacker and returns it to the victim.

In cybersecurity, this happens more quickly or even in parallel. Malicious domains are seized and redirected. Botnets are sinkholed. C2 servers are taken over or shut down. Sometimes traffic is rerouted to controlled environments to observe the attackers' behavior and extract intelligence before cutting it off. The objective is always the same: break operational capability and take away control.

Sanctions in the physical world act like access controls. They define what is allowed and what is blocked. The shadow fleet exists to bypass those controls through weak enforcement, gaps in the laws, and technical tricks like AIS shutdowns. Digital attacks behave the same way. They do not confront the strongest control directly; they find a path around it. Misconfigurations, bugs, allowed protocols, and trusted relationships can all become entry points, without the need for sophisticated attacks.

Every system, be it physical, digital, or a blend of both, is only as strong as its weakest enforcement point. That point may be your EDR lacking the newest pattern detections derived from intelligence work on previous attacks, your firewalls or VPNs missing the latest patches, or simply your employees not being aware of quishing attacks.

Detection in every domain relies on context. An AIS signal going dark might be technical failure, or it might be evasion. A vessel changing flags might be legitimate or part of a larger pattern. In cyber, one unusual login is noise, but repeated patterns across systems become a signal that needs to be investigated. Small, clean-looking packets might mean nothing individually, but together they can indicate exfiltration.

If your monitoring is properly set up, the challenge is rarely visibility. It is understanding what you are seeing.
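The point about context, as an added example that is not part of the original post: a constructed DNS query log (hypothetical source addresses and domain names) in which every single query passes a per-packet sanity check, while the per-source aggregate, many unique, high-entropy labels under one parent domain, is what produces the signal.

```python
import math
from collections import defaultdict

# Constructed sample DNS log as (source_ip, queried_name). Every record is small and
# well-formed on its own; only the aggregate behaviour of one source stands out.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.example.com"),
] + [
    # hypothetical host emitting many distinct, random-looking subdomains
    ("10.0.0.9", f"{label}.updates.example.net")
    for label in ("a91kz", "q7x2p", "m3vbn", "zz81l", "c4hty",
                  "p0qwe", "t6lmn", "r8sdf", "b2nvx", "k5jhg")
]

def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of a single DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def packet_looks_normal(name: str) -> bool:
    """Per-query check: RFC length limits only. Passes for every sample record."""
    labels = name.split(".")
    return len(name) <= 253 and "." in name and all(0 < len(lab) <= 63 for lab in labels)

def flag_sources(queries, min_unique=8, min_entropy=2.0):
    """Behaviour-based check: group queries by (source, parent domain), then flag a
    source when it has used many unique leftmost labels whose mean entropy is high.
    Returns {source_ip: parent_domain} for flagged sources."""
    seen = defaultdict(set)  # (src, parent) -> set of leftmost labels
    for src, name in queries:
        first, _, parent = name.partition(".")
        seen[(src, parent)].add(first)
    flagged = {}
    for (src, parent), labels in seen.items():
        if len(labels) >= min_unique:
            mean_ent = sum(label_entropy(lab) for lab in labels) / len(labels)
            if mean_ent >= min_entropy:
                flagged[src] = parent
    return flagged

if __name__ == "__main__":
    print("all queries pass per-packet check:", all(packet_looks_normal(n) for _, n in SAMPLE_QUERIES))
    print("sources flagged by aggregate behaviour:", flag_sources(SAMPLE_QUERIES))
```

The thresholds are illustrative; in practice they are tuned against a baseline of the organisation's own normal DNS behaviour.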

It is easy to think of both cyber threats and war as distant problems, something happening elsewhere, outside your responsibility. But the vessel carrying stolen Ukrainian grain was only four Swedish miles away from Malmö. Close enough to see, close enough to matter. The infrastructure behind cyber attacks may feel abstract, but it is often just as close in practical terms. And even if you are thinking "why me, I am not a valuable target for hackers", you are. That is why this matters.

Cybersecurity often focuses on tools. Firewalls, encryption, detection systems, and of course AI. They are important, but not fundamental. The core principles are much simpler, and the same in every domain that takes safety into account.

Deterrence: making actions harder and less profitable. Detection: recognizing when something deviates from expected behavior. Response: acting quickly to contain and disrupt.

A ship disables AIS to avoid detection. A threat actor disables logging. A vessel changes identity to bypass restrictions. An attacker rotates infrastructure to avoid bans. Authorities seize a ship and hand it back. Security teams seize domains and redirect them. Trade routes get interrupted. Data flows get filtered or modified.

One happens on water, the other in networks. Same principles, different domains.


There are plenty of cybersecurity blogs out there - but this one’s a little different. Think of it as your personal cyber bedtime story: a calm(ish), reflective read to end your day, with just the right mix of insight, realism and a touch of provocation.

I’m thrilled to introduce The Luna(r) Brief, a new monthly blog series that the brilliant Luna-Marika Dahl will be writing for Cybersecurity Redefined - published on the second Monday of each month at 9PM CE(S)T.

Why late? Because cybersecurity doesn’t sleep - and neither do the thoughts that keep us up at night.

Each post is designed to be a thoughtful end-of-day read - short enough to digest after work, deep enough to spark new thinking.
