Reports

Tracking Hybrid Threats at Sea: A Russian Fleet’s Suspicious Pattern

In late May 2025, Windward’s Maritime AI™ Platform identified a Russian-flagged cargo vessel exhibiting unusual behavior near the SEA-ME-WE 5 submarine cable system in Italian territorial waters. What started as a single anomaly quickly evolved into a broader investigation, revealing a pattern of suspicious activities across a fleet of vessels linked to a sanctioned Russian entity.

This report outlines the vessel’s behavior, ownership structure, network connections, and a recurring pattern of maritime activity consistent with hybrid operations targeting undersea infrastructure. The findings suggest a broader strategic effort that could signal increased risk to critical undersea infrastructure across multiple regions. 

Loitering Above a Strategic Cable: First Signs of Suspicious Activity

On May 29, 2025, Windward’s Maritime AI™ Platform detected a Russian-flagged general cargo vessel displaying anomalous movement directly above the SEA-ME-WE 5 submarine cable in Italian territorial waters. This critical undersea system connects Southeast Asia to Europe, making it a high-value asset within the global communications network.

Key details of the vessel’s behavior and profile include:

  • Location: Italian territorial waters, directly above the SEA-ME-WE 5 cable
  • Vessel type: general cargo
  • Flag: Russian
  • Length: 119 meters
  • Deadweight tonnage: 3,111 tons
  • Behavior: erratic AIS transmissions and prolonged loitering without declared purpose

Given the vessel’s shallow draft and capability to deploy submersible equipment, this behavior raised immediate red flags, particularly in light of past maritime incidents involving infrastructure interference and hybrid operations. The loitering maneuver, especially in a location so closely aligned with a strategic cable system, signaled a potential shift from commercial deviation to deliberate surveillance or disruption activity.

report 1

The vessel’s unusual loitering above the cable area. Source: Windward Maritime AI™ Platform

From a Single Vessel to a Suspicious Network

Operating on the premise that such incidents rarely occur in isolation, Windward analysts expanded the investigation’s scope. The vessel was found to be part of a fleet connected to a prominent Russian company sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on January 5, 2022, for harmful foreign actions of the Russian government.

network

The vessel’s link analysis. Source: Windward Maritime AI™ Platform

Using Windward’s Visual Link Analysis tool, analysts mapped the vessel’s ownership and operational affiliations, uncovering direct connections to other high-risk and sanctioned vessels with records of:

  • AIS disabling (dark activity)
  • Loitering near submarine cables
  • Operating in proximity to sensitive offshore zones

These shared behaviors reinforce the likelihood of a coordinated operational playbook, potentially aimed at surveillance, interference, or sabotage.

Patterns of Risk Across the Fleet 

Although the initially flagged vessel appeared low-risk at first glance, link analysis revealed its integration into a wider network of sanctioned fleets and affiliated entities. Many of these vessels share ownership ties, structural similarities, and recurring behavioral patterns that mirror the suspicious activity observed off the coast of Italy.

These risk indicators include:

  • Dark activity in the vicinity of critical infrastructure
  • Prolonged loitering with no clear commercial justification
  • AIS inconsistencies and unexplained route deviations

Taken together, these behaviors indicate a deliberate pattern of movement and coordination across multiple vessels, elevating the risk classification of the entire fleet.

graph

All connections and links to the vessel. Source: Windward Maritime AIâ„¢ Platform

Sister Vessels Mirror the Threat 

Windward’s analysis uncovered multiple sister vessels – matching in design, management, and naming conventions – that have displayed similar patterns of suspicious behavior across different regions.

Tunisia (April 2025): one sister vessel disabled its AIS transponder while loitering near offshore infrastructure and within restricted maritime zones. The behavior mirrored tactics often associated with covert intelligence-gathering operations.

watermarked 1

A sister vessel going dark while loitering near offshore infrastructure. Source: Windward Maritime AIâ„¢ Platform

Italy (April 2025): another sister vessel sharply reduced speed above the Asia Africa Europe-1 (AAE-1) cable, raising concerns due to the vessel’s location, duration, and lack of declared purpose.

watermarkd 2

Another sister vessel slowing down above the AAE-1 cable. Source: Windward Maritime AIâ„¢ Platform

Norway (March 2025): A third sister vessel conducted similar maneuvers above the NO-UK and Havfrue/AEC-2 cables, two key subsea connections between the Nordics and mainland Europe.

watermarked 3

A third sister vessel maneuvering above the NO-UK and Havfrue/AEC-2 cables. Source: Windward Maritime AIâ„¢ Platform

Together, these incidents reveal a pattern of suspicious behavior concentrated around strategic subsea cable systems across Europe and North Africa.

A Pattern of Illicit Maritime Behavior 

In addition to suspicious loitering and AIS manipulation, adverse media scans reveal that many vessels within this Russian-operated network have been implicated in a variety of illicit maritime activities. These include:

  • Grain theft from Ukraine, as part of operations diverting agricultural goods from conflict zones
  • Weapons transfers, including suspected shipments to sanctioned regimes or proxy actors
  • Smuggling of sanctioned oil, often using deceptive shipping practices such as STS transfers and false flagging

These findings reinforce a broader operational pattern: bad actors are rarely confined to a single type of illicit activity. A vessel smuggling weapons today may engage in surveillance or sabotage tomorrow. This tactical fluidity underscores the multifunctional threat these fleets present. The convergence of criminal, economic, and geopolitical objectives within the same networks reinforces the need to assess maritime activity holistically, not just by cargo manifests or port calls, but through behavioral analytics, link analysis, and media intelligence.

Safeguarding Maritime Infrastructure in an Evolving Threat Landscape 

What began as a single vessel loitering above a submarine cable revealed a broader pattern of high-risk maritime activity tied to a network of Russian-operated cargo vessels. These vessels, linked to a sanctioned entity, have repeatedly demonstrated behaviors consistent with hybrid operations, including potential surveillance, cable interference, and covert logistics.

Windward’s Maritime AI™ solution played a critical role in surfacing this activity. Through real-time anomaly detection, visual link analysis, and integrated risk modeling, the platform connected isolated events into a coherent operational picture – one that highlights emerging threats to subsea infrastructure across multiple regions. 

As submarine cables grow in strategic importance, the ability to detect and interpret behavioral anomalies at sea will be essential. Mitigating these risks will require proactive monitoring, greater cross-agency collaboration, and intelligence-driven decision-making powered by the right technology.  This activity is not an isolated anomaly but part of a broader, deliberate pattern. The industry must recognize the threat and act accordingly.

See How Windward Detects Hidden Threats in Real Time