A sophisticated cyber sabotage campaign unfolded against Iran’s maritime communications infrastructure in late August 2025, cutting off dozens of vessels from critical satellite links and navigation aids.
Rather than targeting each ship individually, a logistical nightmare across international waters, the attackers infiltrated Fanava Group, the IT provider responsible for satellite communications to Iran’s sanctioned tanker fleets.
By compromising the company’s outdated iDirect Falcon terminals, they gained root access to Linux systems running kernel 2.6.35 and mapped the entire constellation of vessels through a centralized MySQL database.
The initial breach vector appears to have exploited unpatched vulnerabilities in legacy Falcon management consoles, allowing the threat actors to execute privileged commands and exfiltrate network mappings.
Once inside, they harvested modem serial numbers, network IDs, and IP telephony configurations in plain text, along with credentials such as “1402@Argo” and “1406@Diamond.”
These details were then weaponized to orchestrate a synchronized blackout: email and FBB SIM communications failed, automated weather updates ceased, and port coordination signals vanished almost instantaneously.
Nariman Gharib researchers identified that the campaign, dubbed Lab-Dookhtegan, was not a one-off disruption.
Email logs dating back to May revealed persistent access and periodic “Node Down” tests, confirming that the attackers maintained control over the networks for months before launching a destructive finale.
On August 18, they executed a “scorched earth” sequence, overwriting multiple storage partitions on satellite modems with zeroed data, rendering remote recovery impossible.
FANAVA (Source – Nariman Gharib)
By crippling Iran’s sanctioned fleets, NITC and IRISL, at a time when covert oil transfers to China are intensifying, the attackers dealt a blow to the country’s sanctions-evasion capabilities.
Without communication links, tankers risk drifting off course or becoming easy targets for boarding and seizure. The operation’s precision underscores a deep reconnaissance phase, allowing the threat actors to deliver maximally disruptive payloads at the worst strategic moment.
Infection Mechanism
The malware’s infection mechanism relied on a multi-stage approach: initial access through unprotected management ports, lateral movement via SSH keys harvested from MySQL dumps, and deployment of destructive scripts.
After gaining root on a compromised Falcon console, the attackers executed commands such as:
dd if=/dev/zero of=/dev/mmcblk0p1 bs=1M
dd if=/dev/zero of=/dev/mmcblk0p2 bs=1M
These commands systematically wiped primary storage partitions and recovery slices, ensuring the terminal’s firmware and configurations were irrecoverable without physical intervention.
IP addresses and passwords in plain text (Source – Nariman Gharib)
Simultaneously, SQL queries extracted the fleet blueprint:
SELECT serial_number, vessel_name, network_id
FROM modems;
Armed with this data, the attackers automated credential injection and shutdown sequences across 64 vessels with a single orchestration script.
PoCs (Source – Nariman Gharib)
By embedding malicious cron entries, they achieved both persistence and timed execution, triggering the blackout at a moment calculated to maximize operational chaos.
This infection chain highlights the importance of isolating management interfaces and enforcing strict patch regimes on critical satellite communication systems.
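As an added example (not code from the article or from the researcher’s material), the following Python audit flags the kind of timed partition wipe described above when run over crontab and shell-history lines pulled from a terminal during triage. The sample lines are constructed, and the block-device name patterns are an assumption about what an eMMC-based modem exposes.

```python
"""Audit crontab and shell-history lines for zero-fill dd invocations against raw block devices."""
import re

# dd reading from /dev/zero or /dev/urandom and writing to a raw block device
# (eMMC partitions such as /dev/mmcblk0p1, SCSI/SATA disks, MTD flash).
# The device-name list is an assumption; extend it for your own hardware.
DD_WIPE = re.compile(
    r"\bdd\b(?=[^\n]*\bif=/dev/(?:zero|urandom)\b)"
    r"(?=[^\n]*\bof=/dev/(?:mmcblk\d+(?:p\d+)?|sd[a-z]+\d*|mtdblock\d+)\b)"
)
# A crontab entry: five schedule fields (or an @alias such as @reboot), then the command.
CRON_ENTRY = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<cmd>.+?)\s*$")


def find_wipe_commands(lines, source):
    """Return one finding per line that runs a zero-fill dd against a block device.

    source is 'crontab' or 'history'. For crontab entries the schedule is kept
    so the analyst can see when the wipe was timed to fire.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if source == "crontab":
            m = CRON_ENTRY.match(line)
            if not m:
                continue  # not a valid cron entry (e.g. a VAR=value line)
            cmd = m.group("cmd")
            schedule = line[: m.start("cmd")].strip()
        else:
            cmd, schedule = line.strip(), None
        if DD_WIPE.search(cmd):
            findings.append({"source": source, "line": n, "schedule": schedule, "command": cmd})
    return findings


# Constructed sample input, modelled on the commands reported in the article.
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "*/5 * * * * /usr/local/bin/node_health_check",
    "0 3 18 8 * dd if=/dev/zero of=/dev/mmcblk0p1 bs=1M",
    "5 3 18 8 * dd if=/dev/zero of=/dev/mmcblk0p2 bs=1M",
]
SAMPLE_HISTORY = [
    "uptime",
    "dd if=/dev/zero of=/tmp/testfile bs=1M count=10",  # benign: writes to a file
    "dd if=/dev/zero of=/dev/mmcblk0p1 bs=1M",
]

if __name__ == "__main__":
    for f in find_wipe_commands(SAMPLE_CRONTAB, "crontab") + find_wipe_commands(SAMPLE_HISTORY, "history"):
        print(f)
```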