
A coordinated cyber-sabotage operation hit Iran’s maritime communication network in late August 2025, cutting dozens of vessels off from their satellite links and navigation data.

Rather than attack each ship individually, which would be impractical across international waters, the attackers breached Fanava Group, the IT service provider that supplies satellite communications to Iran’s sanctioned oil tankers.

By compromising the firm’s outdated iDirect Falcon terminals, they gained root on Linux systems still running kernel 2.6.35 and enumerated the entire fleet from a single central MySQL database.

The initial foothold appears to have come from unpatched vulnerabilities in the outdated Falcon management consoles, which let the attackers run privileged commands and dump network maps.

Once inside, they harvested modem serial numbers, network IDs and IP telephony settings stored in plain text, including credentials such as “1402@Argo” and “1406@Diamond.”

That data was then used to stage a simultaneous blackout: email and FBB (FleetBroadband) SIM communications failed, automated weather updates stopped, and port-coordination signals dropped almost at once.

Researcher Nariman Gharib found that the operation, claimed by the group calling itself Lab-Dookhtegan, was not a one-off disruption.

Email logs going back to May showed sustained access and periodic “Node Down” tests, confirming that the attackers held control of the networks for months before the destructive finale.

On August 18 they triggered a “scorched earth” sequence, overwriting storage partitions on the satellite modems with zeros and putting remote recovery out of reach.

FANAVA (Source – Nariman Gharib)

By knocking out communications to Iran’s sanctioned fleets, NITC and IRISL, during a period of intensified covert oil transfers to China, the attackers struck directly at the country’s sanctions-evasion logistics.

Without communication links, tankers risk drifting off course or becoming easy targets for boarding and seizure. The precision of the operation points to a long reconnaissance phase that let the attackers deliver their destructive payload at the moment of maximum impact.

Infection Mechanism

The intrusion followed a multi-stage chain: initial entry through exposed management ports, lateral movement using SSH keys recovered from MySQL dumps, and finally execution of destructive scripts.

With root on a compromised Falcon console, the attackers ran commands of the form:

dd if=/dev/zero of=/dev/mmcblk0p1 bs=1M   # overwrite the first eMMC partition with zeros, 1 MiB at a time
dd if=/dev/zero of=/dev/mmcblk0p2 bs=1M   # same for the second partition; no count=, so it runs to the end of the device

Run without a count, each dd overwrites its partition from start to end, wiping the primary storage and recovery partitions and leaving the terminal’s firmware and configuration unrecoverable without physical access to the device.
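For incident responders who later image one of these modems, the practical question is whether dd ran to completion or was cut off, since an interrupted wipe leaves the tail of the partition intact and worth carving. The following Python triage script is an added example, not code from the report or from iDirect; it assumes the responder holds a raw image of the partition, and the sample images it analyses are constructed inline.

```python
"""Triage a dumped flash partition: zero-filled end to end, or did the wipe stop early?

Added example, not taken from the report or from the modem vendor. It assumes the
attacker ran `dd if=/dev/zero of=<partition> bs=1M` and that the responder has a
raw image of that partition; the sample images are constructed in-line.
"""
from __future__ import annotations

from dataclasses import dataclass

CHUNK = 1024 * 1024  # match dd's bs=1M so chunk boundaries line up with its writes


@dataclass
class WipeReport:
    total_chunks: int
    zero_chunks: int
    first_nonzero_offset: int | None  # None when no data survived

    @property
    def fully_wiped(self) -> bool:
        return self.first_nonzero_offset is None


def analyze_partition(image: bytes, chunk: int = CHUNK) -> WipeReport:
    """Walk the image in dd-sized chunks and record where the zeros stop.

    dd writes sequentially from offset 0, so an interrupted wipe (power loss,
    killed session) leaves a run of zero chunks followed by untouched data.
    Anything from first_nonzero_offset onward is worth carving before the unit
    is power-cycled or re-flashed.
    """
    zero_chunks = 0
    first_nonzero: int | None = None
    for off in range(0, len(image), chunk):
        block = image[off:off + chunk]
        stripped = block.lstrip(b"\x00")
        if not stripped:
            zero_chunks += 1
        elif first_nonzero is None:
            # exact byte offset, so carving tools can be pointed at it directly
            first_nonzero = off + (len(block) - len(stripped))
    total = -(-len(image) // chunk)  # ceiling division
    return WipeReport(total, zero_chunks, first_nonzero)


def build_sample_image(zeroed_mib: int, total_mib: int = 4) -> bytes:
    """Constructed image: `zeroed_mib` MiB of zeros followed by fake config data."""
    filler = (b"cfg:" + bytes(range(1, 253))) * (CHUNK // 256)  # exactly 1 MiB, no zero bytes
    return bytes(CHUNK * zeroed_mib) + filler * (total_mib - zeroed_mib)


if __name__ == "__main__":
    for zeroed in (4, 1):
        r = analyze_partition(build_sample_image(zeroed))
        print(f"{zeroed} MiB zeroed -> fully_wiped={r.fully_wiped}, "
              f"zero_chunks={r.zero_chunks}/{r.total_chunks}, "
              f"first_nonzero_offset={r.first_nonzero_offset}")
```

A fully zeroed partition reports no surviving offset; a wipe that stopped after the first megabyte reports the exact byte where residual data begins, which is where file carving should start.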

IP addresses and passwords in plain text (Source – Nariman Gharib)

In parallel, SQL queries pulled the fleet configuration:

SELECT serial_number, vessel_name, network_id
FROM modems;

Armed with that data, the attackers automated credential injection and shutdown sequences across 64 vessels from a single orchestration script.

PoCs (Source – Nariman Gharib)

Malicious cron entries gave them both persistence and timed execution, firing the blackout at a moment chosen to maximise operational confusion.

This chain underscores the need to isolate management interfaces from the data network and to enforce strict patching on critical satellite communication systems; where a terminal is too old to patch, as a kernel 2.6.35 device is, the compensating control is to allow-list the management ports to a dedicated management network and to watch the scheduler for destructive jobs.
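An added example, not code from the report, the vendor or Fanava, of auditing a terminal for the two conditions the chain relied on: management ports bound to every interface rather than a management address, and cron entries that run a wiping tool against a raw block device. The crontab and ss -ltn listings are constructed, and the management address 10.10.0.5 and the port-to-service map are assumptions for a hypothetical terminal.

```python
"""Audit a terminal's crontab and listening sockets for timed wipe jobs and
management services reachable from any interface.

Added example, not from the report or from the vendor. The listings are
constructed; MGMT_ADDRS and MGMT_PORTS are assumptions for a hypothetical terminal.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

MGMT_ADDRS = {"10.10.0.5", "127.0.0.1", "::1"}  # assumed management VLAN address + loopback
MGMT_PORTS = {22: "ssh", 80: "http-console", 443: "https-console", 3306: "mysql"}
WILDCARDS = {"0.0.0.0", "::", "*"}

# destructive tools, and raw block devices as they appear on Linux terminals
WIPE_TOOL = re.compile(r"\b(dd|shred|mkfs(?:\.\w+)?|wipefs|blkdiscard)\b")
BLOCK_DEV = re.compile(r"/dev/(?:mmcblk|mtdblock|sd|hd|nand)\w*")


@dataclass(frozen=True)
class Finding:
    kind: str    # "wipe-job" or "exposed-service"
    detail: str


def audit_crontab(crontab: str) -> list[Finding]:
    """Flag cron entries that point a wiping tool at a raw block device."""
    findings = []
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # environment assignment such as SHELL=..., or malformed
        schedule, command = " ".join(parts[:5]), parts[5]
        # dd writing to /tmp or reading /dev/urandom is benign; require a block-device target
        if WIPE_TOOL.search(command) and BLOCK_DEV.search(command):
            findings.append(Finding("wipe-job", f"{schedule}: {command}"))
    return findings


def audit_sockets(listing: str) -> list[Finding]:
    """Flag management ports listening on a wildcard or non-management address (ss -ltn format)."""
    findings = []
    for line in listing.splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port_s = fields[3].rpartition(":")
        if not port_s.isdigit() or int(port_s) not in MGMT_PORTS:
            continue
        addr = addr.strip("[]")  # ss prints IPv6 as [::]:22
        if addr in WILDCARDS or addr not in MGMT_ADDRS:
            findings.append(Finding("exposed-service", f"{MGMT_PORTS[int(port_s)]} on {fields[3]}"))
    return findings


def audit_terminal(crontab: str, listing: str) -> list[Finding]:
    return audit_crontab(crontab) + audit_sockets(listing)


# constructed crontab for a hypothetical terminal (not the attacker's real entries)
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
*/5 * * * * /usr/local/bin/heartbeat.sh
0 2 18 8 * /bin/dd if=/dev/zero of=/dev/mmcblk0p1 bs=1M
0 2 18 8 * /bin/dd if=/dev/zero of=/dev/mmcblk0p2 bs=1M
30 3 * * 0 /usr/bin/dd if=/dev/urandom of=/tmp/seed bs=512 count=1
"""

# constructed `ss -ltn` output for the same hypothetical terminal
SAMPLE_SOCKETS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     *:80                 *:*
LISTEN  0       128     10.10.0.5:443        0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       5       0.0.0.0:5060         0.0.0.0:*
"""

if __name__ == "__main__":
    for f in audit_terminal(SAMPLE_CRONTAB, SAMPLE_SOCKETS):
        print(f"[{f.kind}] {f.detail}")
```

On the constructed input the audit reports the two dd-against-mmcblk cron jobs and the SSH and HTTP listeners bound to wildcard addresses, while leaving alone the loopback-only MySQL socket, the HTTPS console bound to the management address, the SIP port (not a management service), and the benign dd that seeds a file in /tmp.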
