The resignation of Lebanon’s president and his government have thrown the country into a political crisis. On August 26th, news reported that Iran would ship more fuel to Lebanon and said more vessels carrying Iranian fuel would sail soon. An Iranian sanctioned tanker, the FAXON, which recently operated in Venezuela, is, according to some reports, supposed to arrive in Lebanon – but hasn’t left yet. Our system revealed that the FAXON actually has begun its journey. So why would news outlets report differently? The FAXON’s identifiers are being transmitted by a decoy vessel to disguise the FAXON’s true location. In this blog, I’ll walk through just how we were able to detect this deceptive practice.
To keep up with increasingly sophisticated practices, simply detecting the presence or absence of an AIS transmission is not enough. When it comes to cases of identity manipulation, the more data, the better. In addition to leveraging strong behavioral analytics, satellite imagery can add important context and help confirm if the information transmitted via the AIS systems makes sense. For example, when looking at the FAXON, its satellite image at Khor Fakan on August 24th, matched a typical Handymax measurement of 176 meters. But on August 25th, the FAXON would transmit an AIS signal with a measurement of 330 meters.
On the 25th of August, the FAXON engaged in a ship-to-ship (STS) activity in the Iranian EEZ with a non-transmitting vessel. Our system detected the FAXON was drifting at a very slow speed – indicative of a STS meeting. Following this event, the FAXON arrived at Bander E Jask, and then it went dark. When it turned its AIS back on, the vessel transmitted its location as Bandar Siraf, 315 nautical miles away. But the FAXON was not actually there. Why? The size reported at transmission didn’t correspond to the original size of the FAXON, confirmed by satellite imaging. So unless it magically grew to 330 meters – the FAXON could not have been at Bander Siraf. This triggered our system to automatically flag the event for ID & Location Tampering. Where the vessel currently is is an open question mark. When looking at the positional data of the vessel in other data provider systems’, the vessel appears in Iran – with no red flags.
Leveraging the right tools
A change in vessel specifications is not inherently risky. However, by training a system that knows how to recognize identity and location manipulation, it becomes possible to contextualize AIS data and understand how it compares to the historical data of that vessel. Without the ability to detect cases like these, stakeholders are left blind. If the vessel isn’t in Bandar Siraf, then where is it? Did it part for Lebanon? Will it cross the Suez Canal, or like the GRACE 1, will it take the long route around? What activity is going undetected? Are there other vessels are doing the same thing? What operations could they be engaged in without you knowing? Leaving these questions unanswered can leave risk unaccounted for.
Windward goes beyond AIS and leverages multiple data sources to detect sophisticated deceptive practices. For example, with HawkEye 360’s RF signal layers and Planet satellite imagery, we can accurately validate and support anomaly detection and behavioral insights. When it comes to managing high-risk threats, this accuracy is mission-critical. Sanctioned vessels will always find ways to continue to operate. Leveraging a system that can automatically detect identity and location manipulation is key to staying ahead of sanction evaders, no matter their latest tricks and methods of deception.