by Zhanar Tukeyeva

Modern life depends on a few thin, hidden threads beneath the sea. These cables connect financial systems, cloud services, hospitals, ports and governments. When one breaks, disruption spreads quickly. That physical fragility now meets a new human challenge: small groups using fast coding tools and self-acting systems can launch large-scale attacks. When these risks converge, the damage can grow far beyond the initial fault.

Why the Undersea Network Matters

    The global network of undersea fibre cables now totals about 1.48 million kilometres and carries about 99% of intercontinental internet traffic. These lines move email, cloud traffic, video calls and the data that powers trade and payments. Many policy papers also note that these links support very large volumes of financial transactions — a widely quoted figure is around US$10 trillion, though that number is an illustrative estimate rather than a precise accounting.[1][2]

    The single largest project, the 2Africa system, will span about 45,000 kilometres when complete, making it the longest undersea fibre link in the world and a backbone for traffic between Africa, Europe and Asia.[3] The first parts of the cable entered service in 2024, but work on a key Red Sea section has been delayed by permitting and security issues off Yemen.

    At the same time, the world is building more capacity. New sea-based projects are increasing the strategic importance of ocean infrastructure. Large technology firms are building data centres around the world to support cloud services, edge computing and connected devices. As firms grow more dependent on these links, their profitability and innovation capacity will depend on the steady operation of undersea systems.

    The transition from fossil fuels to wind and solar is also increasing demand for submarine power lines and interconnectors. These links transport electricity from where it is produced to where it is needed, and they grow in importance as grids evolve and loads become more variable.[4]

    Interdependency with Space, Cloud and Defence

    Many cable landings connect directly to services beyond consumer internet. Some landing stations feed satellite ground stations, scientific data centres and defence networks — creating a tight link between subsea cables and space, cloud and security systems. For example, cable links that serve satellite ground stations deliver telemetry, payload data and command channels used by civil and military satellites.

    Where ground stations, cloud providers and defence customers co-exist in a small geographic area, a single cable fault can interrupt multiple mission-critical flows at once. These layered dependencies mean a cable outage can halt not just messaging and browser traffic but also satellite data feeds, earth observation streams and command links for space and defence systems. Because many of these services are time-sensitive and high-volume, satellite fallbacks or microwave backups cannot fully replace cable capacity. The Svalbard Undersea Cable System illustrates how cable loss in a compact ecosystem could rapidly affect international space programmes, weather services and allied surveillance nodes. [5]

    The Rise of Self-Acting Tools

    Over the past eighteen months, evidence points to a sharper risk picture for undersea cables. The chance that state-backed or state-aligned actors could target this infrastructure has increased with rising geopolitical tension. Recent reviews confirm earlier warnings: threats now converge from three fronts — geopolitical pressure, physical damage and cyber activity.[6]

    Self-acting coding tools (agentic AI) are no longer only advising attackers; they now perform parts of attacks. This shift lowers the skill barrier for serious crime. Individuals with limited technical training can now carry out complex operations, including creating damaging software that once required years of expertise.

    Recent investigations show criminals using a coding tool called Claude Code as an interactive assistant within their attack toolkit. Claude Code operates directly on an attacker’s system, able to read code, run commands, and execute stored instructions. In one case, operators used the tool to scan many networks, steal credentials, move inside victim systems and extract confidential data from at least 17 organisations in a single month. A small set of operators relied on the tool to select targets, identify valuable files and present tailored ransom demands. The tool also generated ransom pages and set payment demands specific to each victim. [7]

    This was not an isolated case. Reports describe multiple campaigns in which attackers used automated tooling to create and conceal malicious code, run payment-card fraud operations and produce long, personalised scams designed to deceive victims. In one example, operators used shared instruction files that defined step-by-step rules for probing systems, posing as legitimate testers, choosing languages and remaining hidden. By standardising these instructions, the groups made attacks repeatable, scalable and faster to run.

    Technical Risks: Wet and Dry Plant

    Beyond these new methods, the infrastructure itself presents well-known technical risks.

    The academic analysis divides the cable system into two zones that matter for cyber risk: the wet plant (underwater cable, repeaters, branching units) and the dry plant (landing stations, power-feeding equipment, network management and monitoring systems). Each zone presents distinct vulnerabilities.

    In the wet plant, attackers can attempt methods such as fibre bending or optical splitting to intercept or divert signals, or they can damage jacketed cable sections and repeaters.

    In the dry plant, landing stations and the Element/Unified Management Systems (EMS/UMS) present a digital attack surface; compromising these systems can give an adversary access to routing controls, power feeds to repeaters, and diagnostic data.

    Supply-chain risks are also significant. A small set of vendors provides much of the management software and hardware used across operators, so a compromise at the vendor level or in a software update could cascade across multiple networks. Key-management and cryptographic controls are further critical points — if attackers obtain decryption keys or tamper with cryptographic endpoints, the confidentiality and integrity of linked services are at risk. [5]

    How These Methods Reshape the Threat Picture

    Taken together, these developments mark a shift in both attacker capability and infrastructure vulnerability. In the past, complex cyberattacks required teams of skilled individuals and days or weeks to execute. Today, a small group can produce the same effect much faster with automated methods. Recent reports describe cases where attackers:

    • scanned large parts of the internet to identify weak points.
    • stole and decoded user credentials, then used them to move within networks.
    • developed custom malicious software and added features that concealed it from defenders.
    • organised stolen data and set ransom demands according to the victim’s ability to pay.
    • packaged these methods into ready-made services that others could purchase and use, lowering the barrier to entry for serious crime.

    In short, automation has made attacks faster, less costly, and broader in reach. This raises the risk that hostile actors will deliberately launch operations at moments when systems are already under pressure.

    When Cable Damage and Fast Attacks Collide

    Subsea cables are an existing point of fragility. Recorded Future’s review reports some 597 cable systems in 2024–25 and notes that these links carry most long-distance traffic. Faults occur regularly (roughly 150–200 a year), and repairs require specialised ships, skilled crews and often substantial expense. Where alternate routes are few, a single break can leave banks, traders and cloud users without service for days or weeks; permitting or political delays can extend that timeframe. [8]

    When a cable cut reduces routing options, the remaining links and local cloud and payment systems come under heavier load. If attackers strike at the same moment — for example during a storm, a repair window or a peak period — the combined stress can overwhelm recovery procedures and spread disruption across sectors. Recorded Future documents several 2024–25 incidents (Red Sea, West Africa, East Africa and the Baltic Sea) in which cable damage caused regional slowdowns to payments and cloud services; in some cases, political friction delayed repairs and increased the impact.

    Imagine a landing station or operator network already under pressure. A fast, automated campaign that steals credentials, blocks backups or targets cloud accounts at that moment makes rerouting traffic, restoring data and maintaining services far harder. A recent case demonstrates this risk: in early September 2025 multiple Red Sea cables — including SMW4 and IMEWE — were cut near Jeddah, disrupting traffic between Europe, Asia and the Middle East. Major cloud platforms reported slower connections and service providers across India, Pakistan and Gulf states saw widespread disruption. Repairs are expected to take weeks given logistical and security challenges in the region, highlighting how damage at a strategic chokepoint can rapidly affect entire regions and critical services.

    Recent Cases to Learn From

    • Data extortion campaigns: Operators used automated tools to track stolen files and prepare victim-specific ransom demands, in some instances reaching several hundred thousand dollars.
    • Ransomware offered as a service: Groups used automated help to build ransomware variants and marketed them as products, lowering the skill required to launch damaging attacks.
    • Multiple cable damages: Between March and May 2024 several undersea cables were damaged in West Africa and the Red Sea, causing regional outages that affected payments and cloud users while ships and permits were arranged for repair.

    Case study — Svalbard: a cable that links to space

    The Svalbard Undersea Cable System is a significant example of how submarine cables connect with other critical sectors. It consists of two redundant segments linking Longyearbyen to mainland Norway through Andøya and Harstad, covering about 1,300 km and supported by repeaters powered from a single power-feeding unit (PFE). At Longyearbyen, the cables land at stations that feed the SvalSat satellite ground complex. This site supports telemetry, tracking and command (TT&C), as well as payload downlink for a wide range of civil and defence users, including NASA, ESA, JAXA, KSAT, and commercial partners. Because SvalSat is integrated with major cloud providers and handles large volumes of time-sensitive data, the cable has no true substitute: satellite backhaul cannot fully replicate its speed and reliability.

    An attack scenario illustrates how a breach could unfold. Compromise of landing-station systems or management software could allow movement into ground-station operations, enabling interception or manipulation of space data flows. This case highlights three practical risks: (1) a shore-based breach can open access to many downstream services; (2) a physical cut at a chokepoint reduces redundancy and magnifies the consequences; and (3) a combined physical and cyber action could lead to prolonged outages or degraded performance for international space and defence missions.

    When these faster attack methods encounter weak points in the global cable system, the results are multiplied: physical cuts raise pressure on remaining routes, and at the same time automated campaigns can spread further and faster.

    What Leaders Should Do — Clear Steps That Matter Now

    • Map the lifelines. List the undersea cables, landing stations, power links and key cloud routes your services use. Record ownership and repair responsibilities.
    • Track systems that act. Inventory any tool, script or system that can run commands or change settings without a full human check. Document owners and emergency shutdown procedures.
    • Run compound drills. Test a cable cut together with a cyber breach and a severe weather event. Combined exercises reveal gaps single-issue drills miss.
    • Limit reach and power. Apply least-privilege controls: give systems only the access they need, use short-lived credentials and enforce manual checkpoints for actions that affect many systems.
    • Tighten supplier terms. Require repair and routing commitments in contracts, insist on rapid patching and information sharing, and support public-private measures to expand repair capacity.
    • Watch behaviour, not just signatures. New automated methods can change code style or hide traces. Use detection that looks for unusual activity — sudden scans, unexpected data transfers or unexpected changes to service boot pages — rather than relying solely on known malware names.
    • Develop realistic fallback measures. International groups are exploring alternate routes and satellite fallbacks as stopgaps. These options can help in an emergency but do not match fibre for bandwidth or latency; treat them as contingency measures, not replacements. [9]
    • Technical: adopt heterogeneous monitoring by combining distributed acoustic sensing (DAS), optical time-domain reflectometry (OTDR), unmanned survey vehicles and AIS/vessel analytics into an integrated situational-awareness layer. Harden landing stations and network management systems through segmentation, stronger access controls and hardware integrity checks. Design hierarchical routing and local caching to enable secure, rapid rerouting when a cable or landing station is impaired.
    • Policy & governance: recognise submarine cables as strategic critical infrastructure within defence and national planning.
    • Operational / organisational: diversify EMS/UMS supply chains and vet vendors to reduce single-vendor systemic risk. Build regional repair surge capacity — including ships and trained crews — and establish contractual SLAs with carriers for repair and routing commitments. Conduct compound exercises that combine cable faults with cyber and weather incidents to identify coordination gaps. These measures complement, but do not replace, commercial contingency tools such as satellite backhaul; only layered technical, operational and policy steps together can reduce the chance that a local fault escalates into a regional crisis.
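One way to act on the "Map the lifelines" and "Run compound drills" steps above, as an added example that is not part of the original article: for each service it lists the single elements, and the pairs of elements, whose joint failure severs every route, and it reports which services a given failure takes down. The inventory, service names and element names are constructed placeholders.

```python
from itertools import combinations

# Constructed inventory (hypothetical names): each service lists its alternative
# routes, and each route lists the shared elements it depends on
# (cables, landing stations, power-feeding equipment).
ROUTES = {
    "payments-gateway": [
        {"cable:A", "station:north", "pfe:north"},
        {"cable:B", "station:north", "pfe:north"},
    ],
    "ground-station-downlink": [
        {"cable:A", "station:north", "pfe:north"},
        {"cable:C", "station:south", "pfe:south"},
    ],
    "cloud-backup": [
        {"cable:C", "station:south", "pfe:south"},
    ],
}


def survives(routes, failed):
    """A service survives if at least one route touches no failed element."""
    return any(not (route & failed) for route in routes)


def cut_sets(routes, max_size=2):
    """Minimal sets of up to max_size elements whose joint failure severs every route."""
    elements = sorted(set().union(*routes))
    found = []
    for size in range(1, max_size + 1):
        for combo in combinations(elements, size):
            failed = set(combo)
            # Keep only minimal sets: skip supersets of a smaller cut already found.
            if any(prev <= failed for prev in found):
                continue
            if not survives(routes, failed):
                found.append(failed)
    return found


def blast_radius(inventory, failed):
    """Services that lose all routes when the given elements fail together."""
    return sorted(s for s, r in inventory.items() if not survives(r, set(failed)))


if __name__ == "__main__":
    for service, routes in ROUTES.items():
        print(service, [sorted(c) for c in cut_sets(routes)])
    print(blast_radius(ROUTES, {"station:north"}))
```

In the constructed data, two cables that share one landing station and one power feed still leave the service with single points of failure, while the two-station service is only cut by a compound failure.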

    What to Expect Next — a Short Horizon Scan

    Expect a steady rise in undersea projects and greater cable density, together with data-centre capacity concentrated near coastal hubs. New automated methods will make it easier for smaller groups to carry out harmful operations. At the same time, governments are likely to press for greater control over landing sites and supply-chain decisions. These combined shifts increase the strategic value of the cable network and the potential scope of disruption.

    This is not a call for alarm but a call for more deliberate planning. Map the critical links your services rely on, monitor systems that can act without full human oversight, rehearse combined physical and cyber failures, and press suppliers and authorities to shorten repair timelines. These steps will not eliminate every risk, but they will give leaders the time and options needed when storms, ships or hostile actors test the system.

    [1] TeleGeography, Submarine Cable Map / FAQs (2025).
    [2] National Bureau of Asian Research, Submarine Cables (2024).
    [3] SubmarineCableMap / 2Africa project details (2024–25).
    [4] MarketResearchFuture / Spherical Insights, Submarine Power Cable Market Forecasts (2024–25).

    [5] Falco, G. & Boschetti, N. (2025). Underwater Cyber Warfare: Submarine Communications Cables — Architecture and Cybersecurity Analysis. Proceedings of the 58th Hawaii International Conference on System Sciences.

    [6] Recorded Future, Escalating global risk environment: submarine cables (2025).
    [7] Anthropic, Full Threat Intelligence Report (2025). Case studies and misuse examples.

    [8] The Economist, “Damage to Undersea Cable Is Disrupting Internet Access Across Africa,” 21 May 2024.
    [9] Bloomberg, “NATO Backs Effort to Reroute Internet to Space in Event of Subsea Attacks,” 8 Jul 2024.
    [10] Gallagher Global. (2024). Undersea Cables: How Disruption Can Lead to Financial Risk [PDF]. Published by Gallagher Global.