Geollect Alert: Spoofing of vessel AIS data within the Black Sea. Highly likely a pro-Russian actor information operation.
Analysis Conducted: 23 May 2023 at 14:00 UTC
BLUF: It is almost certain that many commercial vessels’ Automatic Identification System (AIS) data is being remotely spoofed to create the pro-Russian war ‘Z’ symbol in the vicinity of (IVO) Russian-occupied Crimea. It is highly likely that this is a deliberate information operation by a pro-Russian actor (possibly Russian military psychological operations) ahead of an anticipated Ukrainian counter-offensive and/or in celebration of Russia’s proclaimed victory over Bakhmut.
What is happening?
The AIS data of multiple vessels has been spoofed to create a ‘Z’ shape near Russian-occupied Crimea. It is almost certain that this has been done remotely without the knowledge or consent of the vessels, given the disconnect between vessel types, flags, ownership, or insurers. The actor is almost certainly using radio frequency signals to mimic a true signal, causing the signal from the vessel to display false information.
This pattern started to emerge from the 14th May. It appears that there were surges of spoofing activity from 19-21st May, with a lower frequency of spoofing in between. Vessel speeds were recorded as high as 102 knots with no variation for tide and weather, clearly suggesting spoofing.
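The speed indicators described above can be checked mechanically over received position reports. The following is an added example, not Geollect's own tooling: the report layout, the MMSIs and coordinates (constructed sample data) and the 40-knot ceiling are all assumptions.

```python
import math
from collections import defaultdict
from statistics import pstdev

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles
MAX_PLAUSIBLE_KNOTS = 40.0  # assumed ceiling for commercial vessels; tune per vessel type

# Constructed sample reports: (mmsi, unix_time_s, lat, lon, reported_sog_knots)
SAMPLE_REPORTS = [
    (111000001, 0,    44.000, 31.000, 102.0),
    (111000001, 600,  44.000, 31.394, 102.0),
    (111000001, 1200, 44.000, 31.788, 102.0),
    (222000002, 0,    43.500, 30.000, 11.8),
    (222000002, 600,  43.500, 30.045, 12.4),
    (222000002, 1200, 43.500, 30.091, 12.1),
]

def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))

def flag_tracks(reports, max_knots=MAX_PLAUSIBLE_KNOTS):
    """Return {mmsi: [reasons]} for tracks whose speeds look spoofed."""
    tracks = defaultdict(list)
    for mmsi, t, lat, lon, sog in reports:
        tracks[mmsi].append((t, lat, lon, sog))
    findings = {}
    for mmsi, pts in tracks.items():
        pts.sort()
        reasons = set()
        sogs = [p[3] for p in pts]
        if max(sogs) > max_knots:
            reasons.add("reported_speed_implausible")
        # A moving vessel whose speed is identical in every report shows
        # no variation for tide or weather.
        if len(sogs) >= 3 and sogs[0] > 0 and pstdev(sogs) == 0:
            reasons.add("speed_never_varies")
        for (t1, la1, lo1, _), (t2, la2, lo2, _) in zip(pts, pts[1:]):
            hours = (t2 - t1) / 3600
            if hours <= 0:
                continue  # duplicate timestamp: skip rather than divide by zero
            if distance_nm(la1, lo1, la2, lo2) / hours > max_knots:
                reasons.add("implied_speed_implausible")
        if reasons:
            findings[mmsi] = sorted(reasons)
    return findings
```

The implied-speed check catches a track whose reported speed field looks normal but whose positions jump further than the vessel could travel between reports.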
What is the context?
- ‘Z’ shape: The ‘Z’ symbol has become the de facto symbol of support for the Russian ‘special military operation’ against Ukraine and is seen as a rallying point of expression of defiance against Ukraine and the West.
- The battle for Bakhmut: Putin declared victory in the battle for Bakhmut on 22nd May, which is being portrayed as a major victory for Russian land forces, despite the limited strategic significance of the city and the high cost of troops and equipment making it an (at best) pyrrhic victory. It is likely this pattern has been created to boost Russian morale in celebration of this self-proclaimed victory.
- Ukrainian Counter Offensive: It is widely accepted that the Ukrainian Armed Forces’ much-anticipated counter-offensive will begin imminently. Liberating Crimea is almost certainly one of Ukraine’s priority strategic objectives. Thus, this symbolism is likely a deliberate antagonising gesture.
Why is this significant?
- Safety of vessels at sea. The spoofing of AIS data increases the risk of vessel collisions and accidents operating in this area, as neighbouring ships will be unable to accurately see nearby maritime traffic.
- Highly likely a deliberate pro-Russian information operation. Given the significance of the symbology and the geographical location of the spoofed pattern, it is highly likely that this is a deliberate pro-Russian information operation. More analysis is required at this early juncture; however, it is likely this is designed to increase pro-Russian audiences’ morale, as well as antagonise Ukrainian and NATO audiences. The message seems clear: ‘Crimea is Russian.’
- Large scale remote AIS spoofing in close proximity to a live conflict zone. This is indicative of an operator with access to a good level of technical understanding and capability to spoof the positions of multiple vessels and who has the will to do so, either with limited understanding or limited regard to the risks to vessel safety as a result of these actions.
Geollect will continue to monitor the situation. For more information, please get in touch at