Russian-linked hackers, hidden devices and Italian ferries. The Gnv case raises the specter of hybrid sabotage

Italian investigators are looking into a suspected espionage operation targeting civilian ferries operated by GNV. According to Il Foglio, hidden devices placed on board by two Latvian sailors may have been meant to route data toward servers linked to pro-Russian hackers. One alleged coordinator has been arrested in Spain, while another is reportedly in Moscow.

Decoding the news. The case is among the most sensitive to emerge in recent months at the intersection of cybersecurity, critical infrastructure and hostile-state interference. It began with two Latvian sailors arrested in December 2025 after allegedly placing electronic devices aboard ferries operated by Grandi Navi Veloci, one of Italy’s main passenger shipping companies.

It has now widened to include two suspected coordinators, one detained in Spain and another believed to have sought refuge in Moscow.
At the centre of the inquiry, according to reporting by Il Foglio, is a lead that points to servers used by a pro-Russian hacking group. That detail has pushed the case well beyond a conventional computer intrusion and into the more troubling territory of a possible espionage operation against Italian critical infrastructure — perhaps designed to create an internal access point into civilian vessels.

The investigation. The devices allegedly installed on board were meant to collect data from ferry systems and relay it externally. In exchange, the two young Latvian seafarers arrested last December would have received payment to physically place the equipment inside the ships.

Investigators are examining whether the broader objective was to establish persistent access to the ferries’ IT environments and, potentially, to interfere with onboard systems at a later stage. That remains the most delicate part of the case. Authorities have not established whether the network behind the operation had the technical capability to move from data exfiltration to operational control of the vessels.
Still, the architecture of the alleged scheme is enough to raise concern: human recruitment, physical access, concealed hardware and data pathways leading outside the target network.

From Genoa to Spain – and Moscow. The investigation began after GNV filed a complaint with the Ligurian cyber security unit of Italy’s postal police. Prosecutors in Genoa opened a case, but its implications quickly drew the attention of Italy’s National Anti-Mafia and Anti-Terrorism Directorate, as well as the country’s strategic anti-terrorism analysis committee.

The first arrests came six months ago. One Latvian sailor was stopped in the French port of Sète, the other in Naples, aboard the vessels under scrutiny. According to early reconstructions, the devices recovered were compact computer systems, reportedly similar to Raspberry units, configured to connect with onboard digital infrastructure. One of the two men is said to have admitted he had been paid to install one of them, while providing little help in identifying who had recruited him.
Il Foglio now reports that investigators have traced the operation back to two Latvian men in their forties, suspected of coordinating the effort. One was arrested in Spain after months of surveillance, under a European arrest warrant for unlawful access to an information system. The other is believed to be in Moscow.

Why it matters. The method itself is not new. Western security services have repeatedly warned that hostile actors are increasingly using intermediaries to carry out narrow, deniable tasks: placing a device, scouting a location, photographing a site, moving cash, renting vehicles, or enabling physical access to sensitive infrastructure.

What makes the GNV case stand out is the target. Civilian ferries are not just commercial assets. They are part of a wider logistical ecosystem linking ports, passengers, freight routes and maritime mobility across the Mediterranean. In a crisis, they can also become relevant to national resilience.
That is why ships, terminals, undersea cables, navigation systems and energy infrastructure have moved steadily up the list of high-value targets for espionage, pre-positioning and sabotage below the threshold of open conflict.

The broader signal. Much remains to be clarified, and the judicial file is still developing. But the information available so far points to a possible hybrid operation against infrastructure in a Nato country, conducted through a mix of classic espionage tradecraft and low-cost cyber intrusion.

The GNV case matters because, if confirmed, it would fit a playbook European security services know well: secure the access first, decide later how to exploit it. A device slipped onto a civilian ferry is not merely a technical breach. It is a foothold inside a strategic transport node – useful for intelligence gathering in the present, and potentially for pressure or disruption in a future crisis.