A Massive Cyberattack on Iran’s Maritime Industry
Hackers Knock Out Iranian Ship Communications in Major Cyberattack
A hacktivist group known as Lab-Dookhtegan has claimed responsibility for a large-scale cyberattack on Iran’s shipping industry. The attack disabled communications on more than 60 Iranian cargo ships and oil tankers, crippling critical maritime systems.
According to UK-based Iran International, this is one of the biggest cyberattacks to ever hit Iran’s maritime sector. The disruption affected 25 cargo ships and 39 tankers run by the National Iranian Tanker Company (NITC) and the Islamic Republic of Iran Shipping Lines (IRISL). Both companies are on the US sanctions list.
How Did The Hackers Take Control of Iranian Vessels?
The attackers claim they gained administrator-level access to the Linux-based systems that run the ships’ satellite terminals. They then disabled Falcon, the software that keeps the vessels connected to shore.
Disabling Falcon meant complete loss of communication, leaving AIS tracking and satellite links inoperable. The attackers also targeted Fanava Group, an Iranian IT provider supplying satellite communication services to NITC and IRISL. By compromising this supplier, the hackers spread disruption across the entire maritime network.
What Was The Evidence of Data Destruction?
Cyber researcher Nariman Gharib revealed that the attack went far beyond cutting communications. He reviewed logs showing the hackers had carried out systematic data destruction on the vessels.
The attackers overwrote six storage partitions with zeros, wiping:
- Navigation logs
- Message archives
- System configurations
- Recovery partitions
This destruction means weeks or months of downtime per ship, as each vessel now requires a manual reinstallation of its communications systems.
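As an added illustration of the kind of check that surfaces a wipe like the one described above (example code, not the article’s or the researcher’s own tooling), the Python script below parses the four primary MBR partition entries of a Linux disk image and reports, per partition, whether every sector is zero, whether only the header area (where a boot sector or superblock would live) is zero, or whether data is intact. The image, the partition layout and the “SUPERBLOCK”/“log entry” markers are constructed inline and stand in for real filesystem structures.

```python
"""Partition-wipe triage for an MBR-partitioned disk image (added example, not the
article's or the researcher's own tooling).

A partition whose every sector is 0x00 is consistent with an overwrite from /dev/zero.
A live filesystem always carries a non-zero superblock or boot sector, so a zeroed header
with data further in is also suspicious. The sample image is constructed inline.
"""
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446          # first of four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid MBR
HEADER_SECTORS = 2              # sectors that are non-zero on any live filesystem


def parse_mbr(image: bytes) -> list[tuple[int, int, int, int]]:
    """Return (slot, type, start_lba, sector_count) for each used partition entry."""
    if image[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR signature at offset 510")
    entries = []
    for slot in range(4):
        off = MBR_TABLE_OFFSET + 16 * slot
        # entry layout: status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        ptype = image[off + 4]
        lba_start, sectors = struct.unpack_from("<II", image, off + 8)  # little-endian
        if ptype == 0 or sectors == 0:
            continue
        entries.append((slot, ptype, lba_start, sectors))
    return entries


def zero_fraction(image: bytes, lba_start: int, sectors: int) -> float:
    """Fraction of the given sectors that are entirely 0x00 (a truncated image stops early)."""
    blank = bytes(SECTOR)
    seen = zeros = 0
    for lba in range(lba_start, lba_start + sectors):
        chunk = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(chunk) < SECTOR:
            break
        seen += 1
        zeros += chunk == blank
    return zeros / seen if seen else 0.0


def triage(image: bytes) -> dict[int, tuple[str, float]]:
    """Map partition slot -> (verdict, fraction of the whole partition that is zero)."""
    report = {}
    for slot, _ptype, start, count in parse_mbr(image):
        head = zero_fraction(image, start, min(count, HEADER_SECTORS))
        whole = zero_fraction(image, start, count)
        if whole == 1.0:
            verdict = "wiped"           # every sector zero: consistent with dd if=/dev/zero
        elif head == 1.0:
            verdict = "header-wiped"    # boot sector / superblock gone, payload partly intact
        else:
            verdict = "intact"
        report[slot] = (verdict, whole)
    return report


# ---- constructed sample image (placeholder markers, not real filesystem data) ----------
def _sector(marker: bytes) -> bytes:
    return marker.ljust(SECTOR, b".")


def build_mbr(layout: list[tuple[int, int, int]]) -> bytes:
    """Build an MBR sector from (type, start_lba, sector_count) tuples."""
    mbr = bytearray(SECTOR)
    for slot, (ptype, start, count) in enumerate(layout):
        off = MBR_TABLE_OFFSET + 16 * slot
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def build_sample_image() -> bytes:
    """Three 8-sector Linux partitions: slot 0 intact, slot 1 zero-filled, slot 2 header wiped."""
    layout = [(0x83, 1, 8), (0x83, 9, 8), (0x83, 17, 8)]
    img = bytearray(build_mbr(layout))
    img += _sector(b"SUPERBLOCK") + _sector(b"log entry") * 7     # intact
    img += bytes(8 * SECTOR)                                       # overwritten with zeros
    img += bytes(2 * SECTOR) + _sector(b"old data") * 6            # only the header zeroed
    return bytes(img)


if __name__ == "__main__":
    for slot, (verdict, frac) in triage(build_sample_image()).items():
        print(f"partition {slot}: {verdict} ({frac:.0%} of sectors zero)")
```

Run it against a raw image taken with `dd` before anyone reinstalls the terminal; once the vendor rebuilds the device, the evidence of how far the wipe went is lost. The header check matters more than the whole-partition fraction: free space on a healthy filesystem is often zero too, so a high fraction alone is noisy, whereas a zeroed superblock on a partition that still holds data is a clear sign of deliberate destruction rather than a never-used volume.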
Hackers Were Inside Ship Systems for Months
Perhaps most alarming, Lab-Dookhtegan had access to shipboard systems as early as May. For months, they maintained persistent access, waiting for the right moment to strike.
During this time, they could have:
- Monitored or blocked IP phone calls between ships and ports
- Impersonated voices during communications
- Disabled voice systems entirely
This extended access shows how vulnerable critical maritime infrastructure can be once compromised.
Lab-Dookhtegan’s History of Cyberattacks
Lab-Dookhtegan first appeared in 2019, leaking tools and data from Iranian state hackers APT34 (OilRig/Helix Kitten). Since then, they have carried out multiple campaigns targeting Iran’s shipping and oil trade.
Earlier this year, the group claimed responsibility for attacking 116 ships, accusing Iran of selling oil to China and arms to Houthi rebels in Yemen. This latest cyberattack comes just after the US Treasury added 13 more companies to sanctions for dealing with Iranian oil.
What Are The Cybersecurity Lessons We Can Learn From the Attack?
Experts say the attack highlights how geopolitical tensions play out in cyberspace, with hacktivists and nation-states both targeting vital industries.
Trey Ford, Chief Strategy Officer at Bugcrowd, urges businesses to weigh the risks of their supply chain dependencies. He stresses that many organizations overlook how much their operations depend on vulnerable partners and service providers.
The incident underscores two major cybersecurity lessons:
- A single compromised supplier can cause widespread industry disruption.
- Organizations must plan for degraded operations when communication systems are down.
The Rising Risk of Maritime Cyberattacks
The incident is a stark reminder that a single, well-placed attack on a strategic supplier can cascade into disruption across an entire industry. When the communications backbone goes down, how does a fleet operate in a degraded state, and what does it take to keep operations going until systems are back online?
For maritime companies and critical industries worldwide, this serves as a warning: by targeting foundational service providers and communication platforms, attackers can cause lasting damage. Cyber resilience, supply chain security, and disaster recovery planning are now essential for survival in today’s threat landscape.