Stratos Ally

Critical Cyber Sabotage Hits Iran’s Sanctions-Evading Oil Tanker Fleet


StratosAlly


In late August 2025, Iran’s maritime sector was hit by a major cyber sabotage operation that abruptly severed dozens of tankers from their satellite communication channels and navigation feeds. Instead of striking individual ships, the attackers went after Fanava Group, the IT contractor responsible for Iran’s tanker fleets. By exploiting legacy iDirect Falcon terminals still running on the Linux kernel 2.6.35, they gained root privileges and accessed a centralized MySQL system that tracked vessel connections.  

Investigators believe the intrusion began with weaknesses in unpatched Falcon consoles, which exposed management ports to remote exploitation. Once inside, the intruders exfiltrated modem serial numbers, IP telephony records, and plain-text login details, including “1402@Argo” and “1406@Diamond.” 

From there, they extracted the fleet blueprint using direct SQL queries such as:
SELECT serial_number, vessel_name, network_id FROM modems
Using this data, attackers automated the injection of credentials and coordinated synchronized shutdowns on 64 ships. Email systems, FBB SIM communications, weather updates, and port coordination collapsed almost instantly.

Research by Nariman Gharib shows the campaign, tagged Lab-Dookhtegan, was months in the making. Logs dating back to May revealed “Node Down” events during the trial phase, confirming that the network had been under persistent control long before the destructive finale.
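The “Node Down” trial events described above are the kind of signal a fleet NOC could have caught months earlier. The following is an added detection example, not code from the article or from any of the parties involved; the log line format, modem serials and vessel names are constructed for illustration. It parses constructed outage logs, flags windows in which several distinct modems drop within seconds of each other (a synchronized shutdown), and lists the isolated earlier drops that could indicate staging or testing.

```python
import re
from datetime import datetime, timedelta

# Constructed sample NOC log lines (assumed format; not real fleet data).
SAMPLE_LOG = """\
2025-05-12T03:14:07Z hub01 modem=SN-10021 vessel=VESSEL-A event="Node Down"
2025-05-12T03:14:09Z hub01 modem=SN-10021 vessel=VESSEL-A event="Node Up"
2025-06-02T22:41:55Z hub01 modem=SN-10457 vessel=VESSEL-B event="Node Down"
2025-08-18T01:00:02Z hub01 modem=SN-10021 vessel=VESSEL-A event="Node Down"
2025-08-18T01:00:03Z hub01 modem=SN-10457 vessel=VESSEL-B event="Node Down"
2025-08-18T01:00:05Z hub02 modem=SN-10980 vessel=VESSEL-C event="Node Down"
2025-08-18T01:00:06Z hub02 modem=SN-11003 vessel=VESSEL-D event="Node Down"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) modem=(\S+) vessel=(\S+) event="([^"]+)"$')


def parse_node_down(text):
    """Return a time-sorted list of (timestamp, modem_serial) for Node Down lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(5) == "Node Down":
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(3)))
    return sorted(events)


def find_synchronized_outages(events, window_seconds=60, min_modems=3):
    """Flag bursts where >= min_modems distinct modems go down within one window."""
    alerts, window, i = [], timedelta(seconds=window_seconds), 0
    while i < len(events):
        start = events[i][0]
        burst = [e for e in events[i:] if e[0] - start <= window]  # sorted, so contiguous
        modems = sorted({serial for _, serial in burst})
        if len(modems) >= min_modems:
            alerts.append({"start": start, "modems": modems})
            i += len(burst)  # skip the rest of this burst
        else:
            i += 1
    return alerts


def isolated_precursors(events, alerts, window_seconds=60):
    """Node Down events outside every flagged burst: candidate staging/test signals."""
    return [(ts, serial) for ts, serial in events
            if not any(0 <= (ts - a["start"]).total_seconds() <= window_seconds
                       for a in alerts)]
```

Run over real hub logs, the isolated precursors list is what to review first: a single modem dropping and recovering with no matching weather or coverage event deserves a ticket, not a dismissal.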

On August 18, the attackers deployed a “scorched-earth” routine, using destructive commands such as:
dd if=/dev/zero of=/dev/mmcblk0p1 bs=1M
dd if=/dev/zero of=/dev/mmcblk0p2 bs=1M
These wiped the modem storage partitions, effectively bricking the satellite terminals and eliminating any chance of remote recovery. Malicious cron jobs timed the blackout for a strategically chosen moment to create maximum chaos. The blackout coincided with a surge in secret oil transfers bound for Chinese ports, so the loss of maritime communications carried both financial and strategic consequences. Beyond the immediate impact, specialists note that the intrusion exposed systemic weaknesses: management consoles left unprotected, outdated kernels in use, and little isolation between operational networks and satellite links.

