TECH Ghost ships, crop circles, and soft gold: A GPS mystery in Shanghai

Dozdoats

On TB every waking moment
https://www.technologyreview.com/s/614689/ghost-ships-crop-circles-and-soft-gold-a-gps-mystery-in-shanghai/

Ghost ships, crop circles, and soft gold: A GPS mystery in Shanghai
A sophisticated new electronic warfare system is being used at the world’s busiest port. But is it sand thieves or the Chinese state behind it?
by Mark Harris
Nov 15, 2019


C4ADS

On a sultry summer night in July 2018, the MV Manukai was arriving at the port of Shanghai, near the mouth of the Huangpu River. This busy tributary of the Yangtze winds through the city and includes the Bund, a historic waterfront area and tourist hot spot. Shanghai would be the American container ship’s last stop in China before making its long homeward journey to Long Beach, California.

As the crew carefully maneuvered the 700-foot ship through the world’s busiest port, its captain watched his navigation screens closely. By international law, all but the smallest commercial ships have to install automatic identification system (AIS) transponders. Every few seconds, these devices broadcast their identity, position, course, and speed and display AIS data from other ships in the area, helping to keep crowded waterways safe. The position data for those transponders comes from GPS satellites.

Soar.Earth
According to the Manukai’s screens, another ship was steaming up the same channel at about seven knots (eight miles per hour). Suddenly, the other ship disappeared from the AIS display. A few minutes later, the screen showed the other ship back at the dock. Then it was in the channel and moving again, then back at the dock, then gone once more.

Eventually, mystified, the captain picked up his binoculars and scanned the dockside. The other ship had been stationary at the dock the entire time.

When it came time for the Manukai to head for its own berth, the bridge began echoing to multiple alarms. Both of the ship’s GPS units—it carried two for redundancy—had lost their signals, and its AIS transponder had failed. Even a last-ditch emergency distress system that also relied on GPS could not get a fix.
Now, new research and previously unseen data show that the Manukai, and thousands of other vessels in Shanghai over the last year, are falling victim to a mysterious new weapon that is able to spoof GPS systems in a way never seen before.

Ron Eggleton / Marinetraffic.com
Nobody knows who is behind this spoofing, or what its ultimate purpose might be. These ships could be unwilling test subjects for a sophisticated electronic warfare system, or collateral damage in a conflict between environmental criminals and the Chinese state that has already claimed dozens of ships and lives. But one thing is for certain: there is an invisible electronic war over the future of navigation in Shanghai, and GPS is losing.

The mystery deepens
Although the Manukai eventually docked safely, its captain was concerned enough to file a report later that day with the US Coast Guard’s Navigation Center, which collects reports of GPS outages worldwide.

“All [antenna] connections are secured and dry,” he wrote. “There have been no other issues with these units. suspect GPS signal jamming is occurring at this berth.”

In fact, something far more dangerous was happening, and the Manukai’s captain was unaware of it. Although the American ship’s GPS signals initially seemed to have just been jammed, both it and its neighbor had also been spoofed—their true position and speed replaced by false coordinates broadcast from the ground. This is serious, as 50% of all casualties at sea are linked to navigational mistakes that cause collisions or groundings.

When mariners simply lose a GPS signal, they can fall back on paper charts, radar, and visual navigation. But if a ship’s GPS signal is spoofed, its captain—and any nearby vessels tracking it via AIS— will be told that the ship is somewhere else entirely. Nor did the attacks stop once the Manukai was safely at its dock. Several times that day, its AIS system reported that it was over three miles distant.

Wikimedia Commons
Half a world away from Shanghai, a tip landed on the Washington, DC, desk of a researcher at the Center for Advanced Defense Studies (C4ADS), a nonprofit that analyzes global conflict and security issues. The new tip, from a shipping industry source, suggested that somebody was spoofing GPS signals in Shanghai.

This was the first time that C4ADS had heard of widespread maritime spoofing not obviously linked to the Russians. A few months earlier, the organization had published a report that detailed how Russia used GPS jamming in the Crimea, the Black Sea, Syria, Norway, and Finland. It also contained evidence that a Russian mobile electronic warfare team had been disrupting GPS signals during President Putin’s public appearances.

After receiving the tip, C4ADS looked at the AIS data, which it purchased from a startup that records AIS broadcasts around the world. Analysts noticed that the attacks had actually started the previous summer, increasing as the months rolled on. The most intense interference was recorded on the very day in July that the Manukai’s captain reported difficulties, when a total of nearly 300 vessels had their locations spoofed. While the disruption was affecting ships right across Shanghai, most of those spoofed were vessels navigating the Huangpu River.
And this was very different from the hacking seen in Russian waters, where vessels were all spoofed to a single point. The Shanghai data showed ships jumping every few minutes to different locations on rings on the eastern bank of the Huangpu. On a visualization of the data spanning days and weeks, the ships appeared to congregate in large circles.
The C4ADS researchers had never seen circular patterns like this before. Perhaps bugs or malware in the ships’ AIS or GPS systems were causing the effect? To rule that out, they sought data from another form of transportation completely: cycling.
China has about as many bicycles as the rest of the world combined, with nearly 10 million in Shanghai alone. Some of the city’s cyclists use smartphone fitness apps to track their rides. One in particular, Strava, shares a global heat map of anonymized activities from the previous two years. Zooming in to Shanghai, C4ADS analysts could see the same mysterious riverside circles glowing on Strava’s heat map. The spoofing attacks were affecting all GPS devices, not just those on ships.
It was time to seek some outside help. C4ADS shared its findings with Todd Humphreys, director of the Radionavigation Laboratory at the University of Texas at Austin and a leading authority on GPS hacking. Humphreys examined the data, but the closer he looked, the more confused he became. “To be able to spoof multiple ships simultaneously into a circle is extraordinary technology. It looks like magic,” he said.

In September, Humphreys showed a visualization of the data at the world’s largest conference of satellite navigation technology, ION GNSS+ in Florida. “People were slack-jawed when I showed them this pattern of spoofing,” he said. “They started to call it crop circles.”

A dangerous escalation?
To understand why the experts are baffled, consider how GPS works. The US Air Force maintains a constellation of at least 24 Global Positioning System satellites orbiting the Earth; there are currently 31. Each satellite broadcasts several complicated codes generated from its position and the current time, as measured by a super-accurate atomic clock on board. Each clock is precisely synchronized with those on the other 30 satellites.

Wikimedia Commons
A GPS receiver detecting signals from one satellite can only calculate roughly how far it is from that satellite. Add signals from a second satellite and it can narrow down its location considerably. A third satellite allows it to locate itself at a given latitude and longitude, and a fourth establishes its elevation and the precise time. Signals from more satellites increase the accuracy.

While GPS satellites broadcast several different signals intended for both military and civilian use, AIS relies on just one of them. These signals are rather weak and can easily be drowned out—jammed—by even a modest transmitter at ground level. They can also be spoofed by signals that mimic real GPS satellites but encode false time and position data.

In spoofing, every receiver within range usually receives the same fake signals, and thus believes itself to be in the same location. While this is more serious than simply jamming the GPS signals, an alert captain would certainly notice if all the ships on the navigation screen suddenly jumped to the same place at the same time.

The Shanghai “crop circles,” which somehow spoof each vessel to a different false location, are something new. “I’m still puzzled by this,” says Humphreys. “I can’t get it to work out in the math. It’s an interesting mystery.” It’s also a mystery that raises the possibility of potentially deadly accidents.

“Captains and pilots have become very dependent on GPS, because it has been historically very reliable,” says Humphreys. “If it claims to be working, they rely on it and don’t double-check it all that much.”

On June 5 this year, the Run 5678, a river cargo ship, tried to overtake a smaller craft on the Huangpu, about five miles south of the Bund. The Run avoided the small ship but plowed right into the New Glory (Chinese name: Tong Yang Jingrui), a freighter heading north.

Sina.com
The New Glory then lost control and veered into the riverbank, scattering pedestrians out for an evening stroll. A small stretch of the bank collapsed, but luckily, no one was hurt.

While it’s not certain if it happened on this particular occasion, AIS data indicate that the New Glory was spoofed in Shanghai at least five times in the six months leading up to the collision, including less than two weeks before. The data also show half a dozen attacks on other vessels in the city that same day.
Even Shanghai’s river police, the Huangpu Maritime Safety Administration (MSA), has been subjected to spoofing attacks on an almost daily basis. The data show that one of its patrol boats was spoofed at least 394 times in nine months.

Soft gold
One possibility is that the crop circles are an escalation in a simmering electronic war in Shanghai that has put thousands of sailors, passengers, and even the river itself at risk. For years, the MSA has been tracking and seizing ships that, while not jamming or spoofing GPS signals, have been hacking the AIS transponders that help keep Shanghai’s rivers and ports safe. These ships have been cloning the AIS identities of other ships in order to slip in and out of the harbor unmolested by authorities.

The reason they’re doing this has to do with the cargo the New Glory was carrying when it ran aground: plain, everyday sand.
Chinese builders call it “soft gold.” Sand dredged from Yangtze River, which has the ideal consistency and composition for cement, helped fuel Shanghai’s construction boom in the 1980s and 1990s. By the turn of the millennium, reckless sand extraction had undermined bridges, trashed ecosystems, and caused long stretches of the riverbank to collapse. In 2000, Chinese authorities banned sand mining on the Yangtze completely.

The trade continued illicitly, however, expanding to include the illegal dredging of sand and gravel from the Yangtze estuary and the open seas near Shanghai. By day, such ships look innocuous. By night, they lower pipes to the riverbed to suck up thousands of tons of sand in a single session. A full hold can be worth over $85,000. So far in 2019, police along the Yangtze River have seized 305 sand-mining vessels and over 100 million cubic feet of sand—enough to fill over a thousand Olympic swimming pools.

The Shanghai MSA says illegal sand and gravel ships caused 23 wrecks along the Yangtze river in 2018, accounting for over half of all major accidents and killing 53 people.

Strava
Under the cover of darkness, AIS can be a useful tool for a sand thief. Ships that are not equipped or licensed for sea travel, for example, have been known to clone the AIS systems of seafaring boats to avoid detection.

Nor are sand thieves the only users of hacked AIS technology. In June this year, an oil tanker with a cloned AIS system rammed an MSA patrol boat in Shanghai while trying to evade capture. Police believe that it had been smuggling oil. “Ships like this type are usually driven by illegal interests,” said an MSA official. “Once discovered, they will fight against law enforcement and attempt to escape, posing a great threat to the water navigation environment. We will not tolerate such ghost ships.”

The question now is, are these previous AIS hacks connected to Shanghai’s new GPS circles in some way? An effective spoofing system could be worth millions to sand thieves. By spoofing their own ships, they could glide invisibly into port. Or by spoofing others and creating chaos, smugglers would give themselves a better chance of slipping through unnoticed. It could be that the ability to generate spoofed circles is an escalation in technological know-how by the sand thieves.

Sign up for The Download — your daily dose of what's up in emerging technology

Also stay updated on MIT Technology Review initiatives and events?YesNo

Of course, it could be just a coincidence that the spoofed circles are occurring at a hot spot for AIS cloning. Another possibility is that the Chinese state itself is testing out a new electronic weapon, perhaps for eventual use in disputed regions of the South China Sea.

While the data do not identify the culprits, they do contain some clues. The center of the spoofing circles on the Huangpu is a factory owned by Sinopec Shanghai Petrochemical Company, a large chemical manufacturer. But it is not clear whether the activity is associated with the facility or it’s just the location where the ships are being spoofed to.

“I don’t think it’s some rogue actor,” says Humphreys. “It may be connected with some experimental capability that [the Chinese authorities] are trying to test. But I’m genuinely puzzled how this is being done.”
 

Lone_Hawk

Resident Spook
Dozdoats,

Thanks for posting that. I read it earlier today and meant to post it but got distracted. Being knowledgeable about electronic warfare, what they reported here is very concerning.
 

samus79

Veteran Member
Edit-Sorry, the article I posted is a follow up to this linked article:

https://www.thedrive.com/the-war-zone/31092/new-type-of-gps-spoofing-attack-in-china-creates-crop-circles-of-false-location-data

A very detailed look at what’s going on, article is too long and has too many pics to copy paste here



Here’s an article from Tyler Rogaway at the The Drive about this, has much more detailed info:

https://www.thedrive.com/the-war-zone/31098/chinas-mysterious-spoofed-gps-data-crop-circle-has-something-interesting-at-its-center


China's Mysterious Spoofed GPS Data "Crop Circle" Has Something Interesting At Its Center
Something appears to be physically at the center of these anomalies and it isn't small.

By Tyler Rogoway

Google Earth
We posted a story yesterday about a bizarre series of events in Shanghai, China where vessels' GPS data has been spoofed and jammed, along with that of various other users of the near indispensable system, including those that use fitness tracker apps. The folks that are studying the strange circumstances surrounding these anomalies say they are stumped as to how this is being done or why the fake location data correlates into a ring around a seemingly random area along the bustling Huangpu River. We don't have an answer to those questions, but after a bit of research, we may have discovered a major clue that could help in doing so.

Make sure to read our story from yesterday by clicking here before continuing on for proper context and background.

After the post was published, I sat back and thought how strange it was the data was manifesting itself in a relatively small ring as described. After staring at the renderings of the data overlaid on a crude map for a moment, I thought along our typical lines here at The War Zone—what about hardware? Was this circular anomaly manifesting itself by design or is it actually a byproduct of the method in which the tactics are being deployed?

My gut said the latter.

With that in mind, and without getting into the weeds trying to dream-up the exact concept being executed here or the technology that enables it, I asked myself, what may be needed to make some sort of jamming and spoofing capability a reality within line of sight of the strange data ring? You are probably already thinking the same thing—the high ground. A radio antenna structure or high-rise could be essential and may have to do with the odd dispersion of coordinates.


C4ADS
A "crop circle" of spoofed GPS locations in Shanghai that C4ADS discovered when it plotted the compromised AIS data.

Strava
Another "crop circle" that appears on Strava's Global Heat Map.
Now it was time to find exactly where this was happening. We did not have the precise coordinates of where the ring was appearing, just very crude and zoomed-in maps posted by the researchers. We are used to this type of thing when it comes to image and geospatial intelligence gathering and within a few minutes, we found a match for the roadways and the orientation of the river shown in the two graphics we had. There was no question as to the accuracy of the anomaly's location.

And what do you know? Right in the center of where the ring of data points was located was a huge smokestack—one of two that are part of a sprawling plant operated by Shanghai Gaore Industries. Bloomberg describes the company as a distributor of "coal and other minerals and ores."


Google Earth

Google Earth

Google earth
In the available satellite imagery, the smokestack appears to be hundreds of feet high, offering a perfect perch for which to install whatever gear could be involved in this GPS data tampering operation. The location also appears to offer unique lines of sight of the river both in front of the nearby perpendicular bank and down through where the river curves at both its north and south ends, at least to some degree. Even the main channel to the east would have been in range.

There was only one problem, would a working smokestack really be conducive to also working as an electronics mounting platform? Maybe so, and the stack in question looks like it has a number of catwalks installed a collar-like arrangement at various heights, but it still seems like a complication.

Once again, what do you know? This particular stack seems to be entirely dormant or abandoned, with its nearby twin bellowing away consistently in satellite imagery. In fact, in all the satellite photos we could find, the smokestack in question hasn't emitted anything going all the way back to 2011.


Google earth
Still, just because something exists exactly where you hypothesized it would, that doesn't mean it is being used for what you think it is. Coincidences happen all too often when it comes to these kinds of situations. In addition, it is easy enough to attach aerials and arrays to an abandoned smokestack, but still, it isn't exactly a purpose-built radio tower.

An yet again, exactly that appears in the timeframe when supposedly, at least to our knowledge, these anomalies began occurring. After reviewing dozens of proprietary satellite photos spanning the last two years, out of nowhere, on the road just next to where the smokestack is located, a remarkably tall red radio tower pops up out of literally nowhere in the second half of 2018. At first, I thought it may be a crane, but I cannot see any sort of swing arm in any of the satellite images I have reviewed, nor is there any signs of construction. In fact, it looks exactly like a very tall radio tower, appearing similar in height as the smokestack just a stone's throw away and plunked down right in the middle of the road located on the western edge of the plant.


Google earth
Radio tower-like structure and its shadow.
From what we can tell, the tower disappeared right around the end of 2018 or the first days into 2019. I have no idea if it had been moved to another area or if its functions were transferred to the smokestack or whatever, but its presence correlates with the available geolocation 'ring' data perfectly. The timeframe in which it is present and how it relates to that same data temporarily remains a question that we are looking into.

Taken as a whole, this evidence points to the possibility that some sort of hardware is present at the center of the mysterious ring. If that is indeed the case, we still don't know who that hardware may belong to or what that entity's goals are. Still, the presence of a very high perch exactly where I thought it would be may help investigators to come up with new hypotheses as to what exactly is happening and how it is happening. I certainly have my own ideas, but we'll save those for another day.

Contact the editor: Tyler@thedrive.com
 
Last edited:

night driver

ESFP adrift in INTJ sea
Tyler is AWESOME!!

Take what he writes to the bank!!

Also Joe Trevithick. Joe should be a familiar name as he wrote "the book" on Posse Comitatus a few years ago while he was in uniform.
 
Top