Hackers Sabotage Iranian Ships Using Maritime Communications Terminals in Its MySQL Database


A sophisticated campaign of cyber sabotage unfolded against Iran’s maritime communications infrastructure in late August 2025, cutting off dozens of vessels from vital satellite links and navigation aids.

Rather than targeting each ship individually—a logistical nightmare across international waters—the attackers infiltrated Fanava Group, the IT provider responsible for satellite communications to Iran’s sanctioned tanker fleets.

By compromising the company’s outdated iDirect Falcon terminals, they gained root access to Linux systems running kernel 2.6.35 and mapped the entire constellation of vessels through a centralized MySQL database.


The initial breach vector appears to have exploited unpatched vulnerabilities in legacy Falcon management consoles, allowing the threat actors to execute privileged commands and exfiltrate network mappings.

Once inside, they harvested modem serial numbers, network IDs, and IP phone system configurations in plain text, including credentials such as “1402@Argo” and “1406@Diamond.”

These details were then weaponized to orchestrate a synchronized blackout: email and FBB SIM communications failed, automated weather updates ceased, and port coordination signals vanished almost instantaneously.

Researcher Nariman Gharib identified that the campaign, dubbed Lab-Dookhtegan, was not a one-off disruption.

Email logs dating back to May revealed persistent access and periodic “Node Down” tests, confirming that the attackers maintained control over the networks for months before launching a destructive finale.

On August 18, they executed a “scorched earth” sequence, overwriting multiple storage partitions on satellite modems with zeroed data, rendering remote recovery impossible.

FANAVA (Source – Nariman Gharib)

By crippling Iran’s sanctioned fleets—NITC and IRISL—at a time when covert oil transfers to China intensify, the attackers dealt a blow to the country’s sanctions-evasion capabilities.

Without communication links, tankers risk drifting off-course or becoming easy targets for boarding and seizure. The operation’s precision underscores a deep reconnaissance phase, allowing the threat actors to deliver maximally disruptive payloads at the worst strategic moment.

Infection Mechanism

The malware’s infection mechanism relied on a multi-stage approach: initial access through unprotected management ports, lateral movement via SSH keys harvested from MySQL dumps, and deployment of destructive scripts.

After gaining root on a compromised Falcon console, the attackers executed commands akin to:

dd if=/dev/zero of=/dev/mmcblk0p1 bs=1M
dd if=/dev/zero of=/dev/mmcblk0p2 bs=1M

These commands systematically wiped primary storage partitions and recovery slices, ensuring the terminal’s firmware and configurations were irrecoverable without physical intervention.

IP addresses and passwords in plain text (Source – Nariman Gharib)

Simultaneously, SQL queries extracted the fleet blueprint:

SELECT serial_number, vessel_name, network_id
FROM modems;

Armed with this data, the attackers automated credential injection and shutdown sequences across 64 vessels with a single orchestration script.

PoCs (Source – Nariman Gharib)

By embedding malicious cron entries, they achieved both persistence and timed execution, triggering the blackout at a moment calculated to maximize operational chaos.

This infection chain highlights the importance of isolating management interfaces and enforcing strict patch regimes on critical satellite communication systems.
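The three stages described in this section (raw block-device wipes with dd, cron-based persistence, and bulk enumeration of the fleet table in MySQL) each leave a trace a defender can alert on. The following Python script is an added example written for this article; it is not code from the report by Nariman Gharib or from Fanava. The log lines are constructed samples in simplified formats (an auditd-style EXECVE record, crontab lines, and the MySQL general query log), the block-device names and the set of sensitive table names are assumptions, and the detections go slightly beyond the specific commands quoted above by also catching scheduled wipes and cron jobs launched from world-writable directories.

```python
"""Detection checks for the wipe / persistence / enumeration chain (added example).

All sample inputs below are constructed for illustration; they are not taken
from the incident. Log formats are simplified stand-ins for auditd EXECVE
records, crontab files and the MySQL general query log.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    source: str   # which log the line came from
    reason: str   # why it was flagged
    line: str     # the offending line


# Raw block devices on an embedded terminal (assumed naming: eMMC, SCSI, MTD).
BLOCK_DEV = re.compile(r"of=/dev/(mmcblk\d+(p\d+)?|sd[a-z]\d*|mtdblock\d+)")
ZERO_SRC = re.compile(r"if=/dev/(zero|urandom)")
DD_CMD = re.compile(r"\bdd\b")


def check_exec_log(lines):
    """Flag dd invocations that overwrite a raw block device with zeros or noise."""
    findings = []
    for line in lines:
        if DD_CMD.search(line) and BLOCK_DEV.search(line) and ZERO_SRC.search(line):
            findings.append(Finding("exec", "raw block device overwrite via dd", line))
    return findings


# Five schedule fields (or an @reboot-style alias) followed by the command.
CRON_RE = re.compile(r"^\s*(@\w+|(\S+\s+){5})(?P<cmd>.+)$")


def check_crontab(lines):
    """Flag cron entries that wipe storage or execute from a world-writable dir."""
    findings = []
    for line in lines:
        if line.lstrip().startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        if DD_CMD.search(cmd) and BLOCK_DEV.search(cmd):
            findings.append(Finding("cron", "scheduled block device overwrite", line))
        elif re.search(r"/(tmp|dev/shm)/", cmd):
            findings.append(Finding("cron", "cron job executing from world-writable dir", line))
    return findings


# MySQL general log, simplified: "<timestamp> <thread id> Query <sql>"
QUERY_RE = re.compile(r"\s(\d+)\s+Query\s+(?P<sql>.+)$")
SENSITIVE_TABLES = {"modems", "vessels", "sip_accounts"}  # assumed inventory tables


def check_query_log(lines):
    """Flag unfiltered SELECTs against fleet inventory tables (bulk enumeration)."""
    findings = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        lowered = m.group("sql").strip().rstrip(";").lower()
        if not lowered.startswith("select"):
            continue
        tables = set(re.findall(r"\bfrom\s+`?(\w+)`?", lowered))
        if tables & SENSITIVE_TABLES and " where " not in lowered and " limit " not in lowered:
            findings.append(Finding("mysql", "bulk read of fleet inventory table", line))
    return findings


# Constructed sample logs (not from the incident).
EXEC_LOG = [
    'type=EXECVE msg=audit(1755500000.101:77): argc=4 a0="dd" a1="if=/dev/zero" a2="of=/dev/mmcblk0p1" a3="bs=1M"',
    'type=EXECVE msg=audit(1755500000.102:78): argc=3 a0="dd" a1="if=/dev/mmcblk0p1" a2="of=/backup/p1.img"',
    'type=EXECVE msg=audit(1755500000.103:79): argc=2 a0="ls" a1="/etc"',
]
CRON_LINES = [
    "# m h dom mon dow command",
    "0 3 18 8 * /bin/sh /tmp/.sync.sh",
    "*/5 * * * * /usr/bin/dd if=/dev/zero of=/dev/mmcblk0p2 bs=1M",
    "30 2 * * * /usr/local/bin/rotate-logs",
]
QUERY_LOG = [
    "2025-08-18T03:00:01.000Z  42 Query SELECT serial_number, vessel_name, network_id FROM modems",
    "2025-08-18T03:00:02.000Z  42 Query SELECT status FROM modems WHERE serial_number = 'X1'",
    "2025-08-18T03:00:03.000Z  43 Query UPDATE modems SET last_seen = NOW() WHERE id = 7",
]


def run_all():
    """Run every check over the constructed samples and return all findings."""
    return check_exec_log(EXEC_LOG) + check_crontab(CRON_LINES) + check_query_log(QUERY_LOG)


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.source}] {f.reason}: {f.line}")
```

The backup line in the exec log (dd reading from the partition into a file) is deliberately left unflagged: the signature keys on writes into a block device from /dev/zero or /dev/urandom, which is what turns a routine dd into a wipe. The query check only fires on full-table reads of inventory tables, so normal per-vessel lookups stay quiet.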




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.