Cyber Sabotage Disrupts Iranian Maritime Communications

In late August 2025, a sophisticated cyberattack targeted Iran’s maritime communications infrastructure, severing satellite links and navigation aids for numerous vessels. Instead of attacking each ship individually—a daunting task given the vastness of international waters—the perpetrators infiltrated the Fanava Group, the IT provider responsible for satellite communications to Iran’s sanctioned tanker fleets.

By compromising the company’s outdated iDirect Falcon terminals, the attackers gained root access to Linux systems running kernel 2.6.35. This access allowed them to map the entire fleet through a centralized MySQL database. The initial breach likely exploited unpatched vulnerabilities in legacy Falcon management consoles, enabling the execution of privileged commands and exfiltration of network mappings.

Once inside, the attackers harvested modem serial numbers, network IDs, and IP phone system configurations stored in plain text, including credentials such as 1402@Argo and 1406@Diamond. Armed with this information, they orchestrated a synchronized blackout: email and FBB (FleetBroadband) SIM communications failed, automated weather updates ceased, and port coordination signals disappeared almost instantaneously.

Researcher Nariman Gharib, who attributed the campaign to the group Lab-Dookhtegan, found that it was not a one-time disruption. Email logs dating back to May revealed persistent access and periodic "Node Down" tests, indicating that the attackers had maintained control over the networks for months before executing their final, destructive act.

On August 18, they initiated a scorched earth sequence, overwriting multiple storage partitions on satellite modems with zeroed data, rendering remote recovery impossible. By crippling Iran’s sanctioned fleets—NITC and IRISL—at a time when covert oil transfers to China were intensifying, the attackers dealt a significant blow to the country’s sanctions-evasion capabilities. Without communication links, tankers risk drifting off-course or becoming easy targets for boarding and seizure. The operation’s precision underscores a deep reconnaissance phase, allowing the threat actors to deliver maximally disruptive payloads at the worst strategic moment.

Infection Mechanism

The malware’s infection mechanism relied on a multi-stage approach: initial access through unprotected management ports, lateral movement via SSH keys harvested from MySQL dumps, and deployment of destructive scripts. After gaining root access on a compromised Falcon console, the attackers executed commands such as:

```
# Overwrite the first two eMMC partitions (system and config/recovery) with zeros
dd if=/dev/zero of=/dev/mmcblk0p1 bs=1M
dd if=/dev/zero of=/dev/mmcblk0p2 bs=1M
```

These commands overwrite the primary storage partitions and recovery slices from the first block onward, leaving the terminal's firmware and configuration irrecoverable without physical intervention. Earlier in the intrusion, SQL queries against the central database had already extracted the fleet blueprint:

```
-- One row per terminal: which modem is aboard which vessel, on which network
SELECT serial_number, vessel_name, network_id
FROM modems;
```

With this data, the attackers automated credential injection and shutdown sequences across 64 vessels using a single orchestration script. By embedding malicious cron entries, they achieved both persistence and timed execution, triggering the blackout at a moment calculated to maximize operational chaos.
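The cron-based timing and the `dd` wipe described above leave artifacts that a defender can look for on any Linux-based terminal. The following audit script is an added example written for this article, not code from the original piece or from the researcher; it scans constructed crontab and shell-history lines for destructive block-device commands, one-shot schedules with an explicit day and month, and `@reboot` persistence. The sample lines, paths and dates are constructed for illustration.

```python
"""Audit crontab entries and shell history on a SATCOM terminal for the
wiper/persistence pattern discussed above.

Added example for this article; the sample inputs below are constructed and
do not come from the incident data.
"""
import re
from dataclasses import dataclass

# Destructive commands that have no business on a modem's cron or history.
WIPE_PATTERNS = [
    # dd from a zero/random source straight onto a block device
    re.compile(r"\bdd\b.*\bif=/dev/(zero|urandom)\b.*\bof=/dev/"),
    # re-formatting a block device
    re.compile(r"\bmkfs(\.\w+)?\b\s+/dev/"),
    # shredding a block device
    re.compile(r"\bshred\b.*\s/dev/"),
    # rm -rf of the filesystem root (but not of a subdirectory)
    re.compile(r"\brm\s+(-\w+\s+)*/(\s|$)"),
]


@dataclass
class Finding:
    source: str
    line: str
    reason: str


def parse_cron(line):
    """Split a crontab line into (schedule fields, command).

    Returns None for comments, blank lines and environment assignments.
    '@reboot'-style entries come back with a single-element field list.
    """
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^\w+=", s):
        return None
    if s.startswith("@"):
        name, _, cmd = s.partition(" ")
        return [name], cmd.strip()
    parts = s.split(None, 5)
    if len(parts) < 6:
        return None
    return parts[:5], parts[5]


def is_destructive(cmd):
    return any(p.search(cmd) for p in WIPE_PATTERNS)


def is_one_shot(fields):
    """A schedule that pins both day-of-month and month is a timed detonation,
    not a recurring maintenance job."""
    if len(fields) != 5:
        return False
    minute, hour, dom, month, dow = fields
    return dom != "*" and month != "*"


def audit_cron(lines, source="crontab"):
    findings = []
    for raw in lines:
        parsed = parse_cron(raw)
        if parsed is None:
            continue
        fields, cmd = parsed
        if is_destructive(cmd):
            reason = "destructive command scheduled in cron"
        elif fields[0] == "@reboot":
            reason = "command re-launched at every boot (persistence)"
        elif is_one_shot(fields):
            reason = "one-shot timed job (explicit day and month)"
        else:
            continue
        findings.append(Finding(source, raw.strip(), reason))
    return findings


def audit_history(lines, source="bash_history"):
    return [Finding(source, l.strip(), "destructive command in shell history")
            for l in lines if is_destructive(l)]


# Constructed sample input (hypothetical paths and dates, for illustration only)
SAMPLE_CRON = [
    "# m h dom mon dow command",
    "PATH=/usr/bin:/bin",
    "*/5 * * * * /usr/local/bin/link_monitor.sh",           # benign, recurring
    "0 3 18 8 * /bin/sh /tmp/.cache/run.sh",                # one-shot, hidden script
    "30 2 18 8 * dd if=/dev/zero of=/dev/mmcblk0p1 bs=1M",  # scheduled wipe
    "@reboot /bin/sh /tmp/.cache/run.sh",                   # boot persistence
]
SAMPLE_HISTORY = [
    "mysql -u root -p -e 'SELECT serial_number, vessel_name, network_id FROM modems;'",
    "dd if=/dev/zero of=/dev/mmcblk0p2 bs=1M",
    "ls -la /opt/falcon",
]

if __name__ == "__main__":
    for f in audit_cron(SAMPLE_CRON) + audit_history(SAMPLE_HISTORY):
        print(f"[{f.source}] {f.reason}: {f.line}")
```

On a real terminal the two functions would be fed `/etc/crontab`, `/var/spool/cron/*` and the shell history of every account with a login; a hit on any of the destructive patterns is grounds to pull the device off the network before the scheduled time arrives, since the wipe cannot be reversed remotely once it runs.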

This infection chain highlights the importance of isolating management interfaces from the internet, keeping credentials out of plaintext database fields, and enforcing strict patch regimes on critical satellite communication terminals.