Lab Dookhtegan Hacking Group Disrupts Communications on Dozens of Iranian Ships
In a devastating cyberattack, the Lab Dookhtegan hacking group has disrupted communications on dozens of Iranian ships, leaving them "blind" to the outside world. The attack, which targeted satellite communications company Fannava, disabled the Falcon communications system and wiped out core data, crippling the vessels' ability to communicate with shore-based authorities, weather services, and other ships.
The hacking group allegedly disrupted the communications of 60 Iranian ships, including at least 39 tankers and 25 cargo ships operated by sanctioned firms National Iranian Oil Tanker Company (NITC) and Iran Shipping Lines. The US had imposed sanctions on these companies in recent months, making this attack all the more significant.
A Sophisticated Attack
The Lab Dookhtegan group's attack was no accident; it was a precise, calculated move to hit Iran at its most vulnerable moment. According to a blog post by Nariman Gharib, the hackers mapped Iran's fleet modem by modem, seized control of the Falcon communications software, and maintained persistent access for five months before crippling the ships in August.
"Once inside, the hackers went after something called 'Falcon' – the software that keeps these satellite links alive," reported Gharib. "Think of it as the heart of the ship's communication system. Stop the Falcon, and the ship goes dark. No emails to shore, no weather updates, no port coordination, nothing."
What is even more disturbing is that the hackers held persistent access for five months straight. They could switch systems on and off at will, monitor every communication passing over the satellite links, and probably listened in on phone calls between ships and ports.
The Aftermath
The attack left Iran's fleet crippled, with each affected vessel now requiring a complete system reinstall, a process that could keep ships idle for weeks or months. The hackers overwrote six storage partitions with zeros and wiped logs, configuration files, and recovery data, leaving the ships' communications systems unrecoverable without a full rebuild.
"I'm looking at a spreadsheet with phone numbers, IP addresses, and – this is the embarrassing part – passwords in plain text," continues Gharib. "We're talking passwords like '1402@Argo' and '1406@Diamond.' With this data, the attackers could theoretically listen to phone calls between ships and ports, impersonate vessels, or just cause more chaos by killing voice communications too."
A Second Attack in One Year
This is not the first time Lab Dookhtegan has launched a devastating cyberattack on Iranian ships. In March, they disrupted communications on 116 ships. This latest attack coincides with new US sanctions on Iranian oil, making the damage even more severe.
"The hackers didn't just cause temporary outages; each affected vessel now requires a complete system reinstall," said Gharib. "For Iran's already pressured fleet, which depends on constant communication and coordination to evade seizures, this is catastrophic."
A Call to Action
As we see the devastating impact of cyberattacks on critical infrastructure, it's clear that companies must prioritize cybersecurity and take proactive measures to protect themselves against threats like Lab Dookhtegan.
"The attack was a calculated move to hit Iran at its most vulnerable moment," said Gharib. "By all evidence, it worked. We need to be vigilant and prepared for such attacks in the future."