The raid happened at night on 31 May about 10 nautical miles from Iraq's deep-water oil terminal where most of its crude oil is exported.
"They tried to enter the bridge claiming to be policemen. The master denied them entry and the pirates became violent ... they assaulted the master causing him injuries and demanded money," the International Maritime Bureau (IMB) said in a report on Wednesday.
The Nord Millennium was capable of carrying 300,000 tonnes of crude when fully loaded.
A warship belonging to the US-led forces arrived to assist following a mayday signal.
Jayant Abhyankar, deputy director of the IMB, told reporters the incident raised questions about security at the oil terminal, Iraq's main outlet for oil exports that provide nearly all of its income.
Lieutenant Commander Charlie Brown of the US Navy's Fifth Fleet said the navy was only directly responsible for security at the oil terminals themselves.
"We do conduct maritime security operations in the Gulf, we are patrolling the area and we do want to set those conditions for security and stability.
"They tried to enter the bridge claiming to be policemen. The master denied them entry and the pirates became violent"
International Maritime Bureau report
"But those ships that are transiting to and from, that are not at the terminals, need to provide some of their own security
as well," he said.
Brown also said standard practices like watches and guards on anchor chains would suffice.
Security was stepped up last year at the southern Basra oil terminal after al-Qaida's al-Zarqawi group carried out boat attacks at the terminal.
In late April, security was also tightened at the Iraqi port of Umm Qasr after an armed group raided a vessel carrying Australian wheat. The ship was at anchor some distance from the port when the incident occurred.