A sophisticated campaign of cyber sabotage unfolded against Iran\u2019s maritime communications infrastructure in late August 2025, cutting off dozens of vessels from vital satellite links and navigation aids.<\/p>\n
Rather than targeting each ship individually\u2014a logistical nightmare across international waters\u2014the attackers infiltrated Fanava Group, the IT provider responsible for satellite communications to Iran\u2019s sanctioned tanker fleets.<\/p>\n
By compromising the company\u2019s outdated iDirect Falcon terminals, they gained root access to Linux systems running kernel 2.6.35 and mapped the entire constellation of vessels through a centralized MySQL database<\/a>.<\/p>\n The initial breach vector appears to have exploited unpatched vulnerabilities in legacy Falcon management consoles, allowing the threat actors to execute privileged commands and exfiltrate network mappings.<\/p>\n Once inside, they harvested modem serial numbers, network IDs, and IP phone system configurations in plain text, including credentials such as \u201c1402@Argo\u201d and \u201c1406@Diamond.\u201d<\/p>\n These details were then weaponized to orchestrate a synchronized blackout: email and FBB SIM communications failed, automated weather updates ceased, and port coordination signals vanished almost instantaneously.<\/p>\n Nariman Gharib researchers identified<\/a> that the campaign, dubbed Lab-Dookhtegan, was not a one-off disruption.<\/p>\n Email logs dating back to May revealed persistent access and periodic \u201cNode Down\u201d tests, confirming that the attackers maintained control over the networks for months before launching a destructive finale.<\/p>\n On August 18, they executed a \u201cscorched earth\u201d sequence, overwriting multiple storage partitions on satellite modems with zeroed data, rendering remote recovery impossible.<\/p>\n By crippling Iran\u2019s sanctioned fleets\u2014NITC and IRISL\u2014at a time when covert oil transfers to China intensify, the attackers dealt a blow to the country\u2019s sanctions-evasion capabilities.<\/p>\n Without communication links, tankers risk drifting off-course or becoming easy targets for boarding and seizure. The operation\u2019s precision underscores a deep reconnaissance<\/a> phase, allowing the threat actors to deliver maximally disruptive payloads at the worst strategic moment.<\/p>\n The malware\u2019s infection mechanism relied on a multi-stage approach: initial access through unprotected management ports, lateral movement via SSH keys harvested from MySQL dumps, and deployment of destructive scripts.<\/p>\n After gaining root on a compromised Falcon console, the attackers executed commands akin to:-<\/p>\n These commands systematically wiped primary storage partitions and recovery slices, ensuring the terminal\u2019s firmware and configurations were irrecoverable without physical intervention.<\/p>\n Simultaneously, SQL queries extracted the fleet blueprint:-<\/p>\n Armed with this data, the attackers automated credential<\/a> injection and shutdown sequences across 64 vessels with a single orchestration script.<\/p>\n By embedding malicious cron entries, they achieved both persistence and timed execution, triggering the blackout at a moment calculated to maximize operational chaos.<\/p>\n This infection chain highlights the importance of isolating management interfaces and enforcing strict patch regimes on critical satellite communication systems.<\/p>\n The post Hackers Sabotage Iranian Ships Using Maritime Communications Terminals in Its MySQL Database<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgnY4X5gYzvGqHe8C5Skqf64ZFwI4gsBfENFW-QK89zpfJUh8Y0_7UaI7PI7U41x0jpO9NU7EXDfoatYls_uAZKBFm-kWF2gW9nlwK12nQ3I0NEoAXJ4ISz_hV8QqLISgcgglSyYgQO9AHHhxW46w7M15Qw2R2uU9zYXvXwX_ESLgE2nvLrh5BB__h3dgs\/s16000\/FANAVA%2520%28Source%2520-%2520Nariman%2520Gharib%29.webp?ssl=1\")
Infection Mechanism<\/strong><\/h2>\n
dd if=\/dev\/zero of=\/dev\/mmcblk0p1 bs=1M\ndd if=\/dev\/zero of=\/dev\/mmcblk0p2 bs=1M<\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjwef7mZp4ZVtrdKbK-wE3BW7ejbf0cF1HOdjnDCOggJP4GYjZ0hCXcbacSFb5nwVBWxSq1gbF2Azmjgk7kyRpeACCL6_VZu5iue5USg8nNFXh4l1-u2jEQeeg75HQhKp3NQ51mbfCBwScrc7SwRx8PdcI-ncDHGb2MSy5ttbacVX852cBxp1vCvV6GPJA\/s16000\/IP%2520addresses%2520and%2520passwords%2520in%2520plain%2520text%2520%28Source%2520-%2520Nariman%2520Gharib%29.webp?ssl=1\")
SELECT serial_number, vessel_name, network_id\nFROM modems;<\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjrjfBzg0obE8pyatM42Hc-iH1Rl7drQzhXuByp0hIQe8SFwtaz5CqlQhlrDBkTV5p41StnDUMjSwxZKhkaq8lh2LKRqcgD4ZhCUIfk_qdjt1VeTcBY-BrXIJBnoN7cRTNOsEznz4skhFBI83tgsz6J4OKxc23yUlpE16ewcgV4I54eJKym4PcmIHAcZTU\/s16000\/PoCs%2520%28Source%2520-%2520Nariman%2520Gharib%29.webp?ssl=1\")
Boost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n