Hackers Disrupt Iranian Ships via Maritime Communication Terminals Exploiting MySQL Database

The National Iranian Tanker Company (NITC) and Islamic Republic of Iran Shipping Lines (IRISL), two sanctioned companies, operate the 64 vessels (39 tankers and 25 cargo ships) that were compromised in a targeted attack on Iran’s maritime infrastructure by the hacking collective Lab-Dookhtegan.

Rather than attempting direct breaches of individual ships, which are dispersed globally and pose significant logistical challenges, the attackers infiltrated Fanava Group, an Iranian IT provider responsible for satellite communications across the fleet.

Evidence shared by the group shows root-level access on Linux terminals running outdated iDirect satellite software on kernel version 2.6.35, a release known for numerous unpatched vulnerabilities, including potential remote code execution flaws that could facilitate privilege escalation.

Database dumps from MySQL instances exposed a comprehensive mapping of the fleet’s communication infrastructure, with queries extracting detailed records such as modem serial numbers, network IDs, and vessel-specific configurations for ships like the Touska, Mahnam, and Zardis.

[Image: ship’s modem serial number]

This blueprint enabled the hackers to systematically target the Falcon software, a critical component for maintaining satellite links, effectively severing email, weather data, and port coordination capabilities.

Long-Term Sabotage

The operation’s persistence is evident from email logs and “Node Down Notification” alerts dating back to May and June, indicating that Lab-Dookhtegan maintained covert access for at least five months following their March attack on 116 vessels.

According to the report, this extended dwell time allowed for reconnaissance, testing of control mechanisms, and preparation for a scorched-earth assault in August.

Technical artifacts show the execution of destructive commands, such as ‘dd if=/dev/zero of=/dev/mmcblk0p1 bs=1M’, which overwrote multiple storage partitions including navigation logs, message archives, system configurations, and recovery sectors with zeros, rendering the terminals irrecoverable without physical intervention.

This method, akin to a wiper malware tactic, ensures no remote restoration is possible, forcing crews to seek port-based hardware replacements and full software reinstalls, potentially sidelining vessels for weeks or months.
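The wiper command quoted above has a recognisable shape in shell or audit logs: `dd` reading from `/dev/zero` (or a random source) and writing straight to a raw block device. The following detection is an added example, not part of the original article or any Fanava or iDirect tooling; it assumes a constructed audit line format of the form `<timestamp> <host> <user> CMD: <command>` and a constructed list of block-device name patterns.

```python
import re

# Raw block devices a wiper would overwrite (assumed patterns; extend for your platform).
BLOCK_DEVICE_RE = re.compile(
    r"^/dev/(mmcblk\d+(p\d+)?|sd[a-z]+\d*|nvme\d+n\d+(p\d+)?|mtdblock\d+)$"
)
WIPE_SOURCES = {"/dev/zero", "/dev/urandom", "/dev/random"}

def parse_dd_args(cmd: str) -> dict:
    """Return the key=value operands (if=, of=, bs=, ...) of a dd invocation, else {}."""
    tokens = cmd.split()
    if tokens and tokens[0] == "sudo":          # drop a sudo prefix
        tokens = tokens[1:]
    if not tokens or tokens[0].rsplit("/", 1)[-1] != "dd":
        return {}
    return dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)

def classify_dd(cmd: str):
    """Return (source, target, reason) if the command writes a raw block device, else None."""
    args = parse_dd_args(cmd)
    source, target = args.get("if", ""), args.get("of", "")
    if not BLOCK_DEVICE_RE.match(target):
        return None                               # file targets are routine (backups, images)
    if source in WIPE_SOURCES:
        return source, target, "block device overwritten with zero/random data (wiper pattern)"
    return source, target, "direct write to raw block device"

def scan_log(lines):
    """Scan constructed 'CMD: <command>' audit lines; return (line_no, source, target, reason)."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"CMD:\s*(.+)$", line)
        if m and (hit := classify_dd(m.group(1))):
            findings.append((n, *hit))
    return findings

# Constructed sample: three destructive writes mixed with routine commands.
SAMPLE_LOG = """\
2025-08-03T01:12:07Z term-a root CMD: dd if=/dev/zero of=/dev/mmcblk0p1 bs=1M
2025-08-03T01:12:09Z term-a root CMD: dd if=/dev/zero of=/dev/mmcblk0p3 bs=1M
2025-08-03T01:12:11Z term-a root CMD: dd if=/backup/boot.img of=/tmp/boot.img bs=4M
2025-08-03T01:12:15Z term-a root CMD: sudo dd if=/dev/urandom of=/dev/sda bs=1M count=10
2025-08-03T01:12:20Z term-a root CMD: ls -la /var/log"""

if __name__ == "__main__":
    for n, src, dst, why in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {src} -> {dst}: {why}")
```

Such a rule only helps if command auditing ships off the terminal before the wipe; logs stored on the partitions being zeroed are lost with them.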

Compounding the damage, the attackers exfiltrated IP phone system configurations, including plaintext passwords like “1402@Argo” and “1406@Diamond,” alongside phone numbers and IP addresses, opening avenues for eavesdropping, impersonation, or further disruption of voice communications.

Strategic Implications for Sanctioned Operations

The timing and precision of this attack align with escalating geopolitical pressures, coinciding with U.S. Treasury sanctions on 13 entities involved in Iranian oil trade, echoing the group’s prior coordination with U.S. actions against Houthi forces in Yemen.

NITC and IRISL, pivotal in Iran’s sanctions-evasion strategies such as disabling tracking systems for covert oil deliveries to China, now face catastrophic operational paralysis.

Without functional satellite terminals, these vessels cannot navigate reliably, coordinate deliveries, or issue distress signals, amplifying risks in high-traffic areas like the Indian Ocean.

The breach exploits inherent weaknesses in legacy systems, highlighting the dangers of unpatched software in critical infrastructure, where CVSS scores for iDirect vulnerabilities could exceed 9.0 due to their exploitability and impact on availability.

Lab-Dookhtegan’s evidence, including ship position imagery at the attack’s onset, underscores a deliberate strategy to inflict maximum economic damage, far beyond mere disruption.

This incident serves as a stark reminder of supply chain risks in maritime cybersecurity, where compromising a single provider like Fanava can cascade into fleet-wide vulnerabilities, urging enhanced threat modeling, regular patching, and zero-trust architectures for similar networks.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.