Operation Quiet Harbor: a year inside a shipping-sector intrusion set
A patient, low-noise cluster has spent twelve months staging access across European port operators. We map the tooling, the dwell time, and the gaps that let them stay invisible.

Quiet Harbor is not loud. It does not detonate ransomware on Friday nights. It does not post leaks. For almost a year, the cluster we track under that name has lived inside European port operators, doing exactly enough to maintain access and exactly nothing more.
Across nine confirmed victims, dwell time averages 287 days. Initial access is unglamorous — exposed VPN concentrators, a handful of spear-phishes against logistics planners, one supply-chain pivot through a customs-software vendor.
What sets Quiet Harbor apart is restraint. The operators stage tooling and then wait. They harvest schedules, container manifests, and crew rotations for weeks before any lateral movement. When they move, they move with native binaries, scheduled tasks, and credentials they have already verified as working.
The intelligence question is not whether they will eventually act. It is what they are waiting for. This report walks through the artifacts, the host-based indicators, and the network telemetry that finally surfaced the cluster.
