Submarine cable protection: from incident response to prevention using predictive intelligence

Reports of damage to communication cables on the ocean floor have been amassing in recent months. As subsea communication cables play a vital role in today’s global communications infrastructure, these incidents have drawn the attention of global maritime security experts. Two regions are of particular geo-political significance – the Baltic Sea and the Taiwan Strait.

When damage to a cable is discovered, maritime analysts are called upon to conduct investigations and identify suspects. This can be as simple as isolating a vessel above the relevant cable at the time of damage using position reports from the Automatic Identification System (AIS). Information on wind and currents can then be used to explain unintentional drifting while dragging an anchor (watch our webinar for an example)

In many recent incidents, however, met-ocean conditions can not explain the damage, and vessels with high risk profiles appear in the immediate area. As a result, many geo-political experts are emphasising the increasing role that governments and industry should be taking in preventing damage to critical trans-national infrastructure through predictive and collaborative intelligence. 

This article uses the recently reported incidents in the Baltic and east Asian seas to demonstrate advanced analytical techniques to identify suspicious vessels before they can cause damage. This is especially relevant in high traffic areas, where the large volume of AIS data can impede effective cable monitoring and automated alerting. It is through risk analysis, data fusion, and automated monitoring that authorities are empowered to deter suspicious vessels before they wreak havoc. 

‍

Case Study - Baltic Sea

YI PENG 3

In November 2024, two significant undersea cables were severed in the Baltic Sea. A Chinese-owned cargo vessel was quickly identified as the likely culprit, and was detained by authorities for further investigation. The YI PENG 3 displayed several behaviours which implicated it as a vessel of interest and was accused of dragging its anchor across the seabed.

Most notably, the YI PENG 3 displayed anomalous movements and sudden speed reduction in the vicinity of the damaged cable.

‍

Changing pattern of life

Analysis of the vessel’s pattern of life over the last five years indicates that this was its first trip to the Baltic Sea. The Chinese owner, Ningbo Yipeng Shipping Co Ltd, began re-routing several of its vessels from exclusively China-based cargo routes to include destinations in northeastern Russia in November 2023. 

‍

From October 2023, Yipeng fleet vessels were detected in the Black Sea near the Crimean Peninsula's southern Kerch Strait entrance. These vessels began falsifying (spoofing) their position, appearing in the Sea of Azov. It is impossible for the vessel to get there, as the Crimean Bridge's clearance is too low for this ship. This spoofed location is commonly used by hundreds of vessels to conceal their true activities, and many of these spoofing vessels show ties to geopolitical hotspots through the ports they visit. Additionally, the YI PENG 3 transmitted a call sign different from its International Maritime Organisation (IMO) registration.

‍

More Baltic incidents in quick succession

In December 2024 and January 2025, two more suspicious anchor drag incidents occurred in the Baltic Sea. The EAGLE S and the VEZHEN were both detained after being detected over a cable at the time that damage was recorded. On-board inspections of these vessels found damaged anchors consistent with drag across the seafloor. 

Indicators of a vessel posing a risk to subsea cables

Retrospective analysis of these three recent Baltic Sea cable incidents indicates commonalities that can be exploited to risk-assess all vessels in an area based on past activity, ownership ties, and real-time monitoring. Specific indicators of risk include:

• Ownership ties to China or Russia;
• Russian port use;
• High vessel age;
• Track history events include suspicious encounters and changes to operating patterns; and
• Sudden speed reduction near a cable.

Armed with risk indicators like these, analysts can detect and alert on suspicious vessels near subsea cables, enabling real-time monitoring of vessels of interest before they cause damage, as well as faster incident response times. 

While some of these cases were found to be accidental, such as with the VEZHEN, it appears that many of the risk indicators remain the same: sudden speed changes, anomalous movements, vessel age, and irregular track history. Shadow fleet vessels pose risks other than intentional sabotage through dilapidated vessels often operated by inexperienced or poorly treated crew.  

Next, we investigate the recent events around Taiwan and compare them to these cases in the Baltic Sea. 

‍

Case Study - Taiwan EEZ 

On 3 January 2025, Taiwan authorities were notified of damage to the Trans-Pacific Express Cable north of Keelung, Taiwan. Taiwanese authorities identificatied a Cameroon-flagged AIS entity named XING SHUN 39 and attempted interception. But the vessel could not be detained due to poor weather conditions. It escaped into a busy shipping area by going dark (shutting off its AIS transponder).

Maritime analysts around the globe shared observations that the vessel had likely been engaging in AIS spoofing involving identity switching. In addition, the IMO-registered Tanzania-flagged AIS identity (IMO 8358427) used by XING SHUN 39 had long periods of dark activity in contravention to IMO regulations to transmit AIS for navigational safety. 

Analysis using Starboard uncovered eight AIS personas of the same vessel since early 2024. The latest persona was assumed briefly during the vessel’s escape from the Taiwan EEZ after a close encounter with authorities at 9:30 UTC on 4 January 2025.

‍

We detected several of the XING SHUN 39’s AIS personas using Starboard’s automated fusion of satellite data. This suggests that the use of false identities is the main AIS spoofing technique used by XING SHUN 39, rather than falsifying AIS geo coordinates.

‍

Risk indicators

Starboard conducted a deep analysis on the XING SHUN 39 personas with the goal of developing risk indicators to help identify other suspicious vessels worthy of the attention of regional authorities. As a first step, we uncovered the following noteworthy characteristics: 

• Ties to Hong Kong or Chinese ownership;
• Owner only owns a single vessel;
• Missing AIS while loitering, especially in cable areas;
• Loitering in an EEZ without making a port call (uneconomic behaviour);
• Loitering activity in the Yellow Sea between port calls;
• Flagless vessels, or flagged to a blacklisted state according to the Paris MoU;
• AIS detail changes, especially to a black MoU flag; 
• Key AIS details (such as IMO or MMSI) are not IMO-registered;
• Vessel age >15 years;
• Recent changes to ownership and operating patterns;
• Suspicious encounters at sea and anomalous movements;
• Abnormal or irregular changes to destination and draught;
• P&I Club is not registered to S&P Global (uninsured)

To test these characteristics as potential risk indicators, they were applied to all merchant vessels in the Taiwan EEZ during December and January. This resulted in the identification of numerous vessels which were behaving in a potentially suspicious manner.

‍

It becomes clear very quickly that individual noteworthy characteristics do not serve to isolate vessels of interest amongst the ambient activity of thousands of vessels in the Taiwan Strait and East China Sea. We find that by combining several indicators we start to focus on those vessels that are the highest risk.

For example, in the cable monitoring area north of Keelung, a handful of vessels of interest can be isolated from a backdrop of thousands over a two day period. One of these vessels was also identified as a suspect for cable sabotage:

“On Jan. 6, a Mongolian-flagged freighter with the Mandarin name “Bao Shun” was spotted taking an erratic course over subsea cables off north Taiwan, prompting the Coast Guard to drive the vessel away. The ship then moved north of Pengjia Islet and in and out of Taiwan's 22 km (12 NM) territorial waters in a southwest-northeast direction for five days, per Liberty Times.” Taiwan News, 13 January 2025

‍

Next, we tested the set of risk indicators again in the cable monitoring area south of Taiwan, but this time over a 90 day window. This led to the identification of two vessels of interest from a backdrop of over 4,000 vessels, one of which matched media reports of potential Russian espionage:

“The Belize-flagged Russian cargo vessel, VASILY SHUKSHIN, left Russia's Vostochnyy port on December 8, stopped for a short period of time in South Korea, before it loitered off Taiwan's coast on December 19. The mystery ship [then] decided to depart—not south to Vietnam as it previously self-reported, but straight back north to its home port of Vostochnyy.” Newsweek, 14 January 2025

This is a powerful demonstration that vessels of interest can be reliably identified in the world’s busiest shipping lanes using Starboard’s bespoke risk indicator analysis, enabling law enforcement to take action before cable damage can occur.

‍

Conclusion

Starboard has developed a suite of risk indicators that have successfully identified vessels alleged to pose threats to subsea cables. 

The relevance of individual risk indicators differs between geographic regions. Most notably, the nature of ambient activity, the context of regional geo-politics, and geographic situation of the cable buffer zones all shape what’s normal and what’s suspicious activity. 

This highlights the essential role of maritime analysts in identifying, aggregating, filtering, and using expert knowledge to isolate suspicious vessels hiding their activity amongst thousands of legitimate vessels, and changing their tactics between regions. 

Nowadays, we are often told that the problem of identifying a potential nefarious actor can be tackled using machine learning and artificial intelligence (AI). However, in these examples we find that human analyst-driven curation of risk indicators produces fewer false positives than black-box AI tools. The main reason for AI failure is the insufficient number of events for training; even with the increasing rate of cable sabotage, there are still only tens of cases, while successful training of an AI would require an order of magnitude more.

In Starboard, individual risk indicators are derived from both analytical and AI methods. Expert-informed aggregation, filtering, and sharing of risk indicators for specific areas enables enforcement agencies to set up automated alerts, cutting through the ambient clutter in real time. This allows them to act on suspicious vessels before they can cause damage to critical undersea communication cables. Starboard helps customers to take the step from incident response to incident prevention.

‍

Article Image CC BY-ND 2.0 Admitter