
Lab Dookhtegan Hacking Group Cripples Communications of 60 Iranian Ships in Targeted Cyberattack

The hacking group Lab Dookhtegan disrupted communications for 60 Iranian ships, targeting sanctioned firms NITC and IRISL. Learn how the attackers exploited outdated satellite systems, maintained persistence for months, and left Iran's maritime fleet in chaos.

TL;DR

The Lab Dookhtegan hacking group executed a devastating cyberattack on 60 Iranian ships, disabling their satellite communications and leaving them “blind.” The attack targeted vessels operated by sanctioned companies NITC and IRISL, exploiting outdated software and maintaining five months of undetected access before striking in August 2025. This incident marks the group’s second major attack this year, coinciding with new U.S. sanctions on Iranian oil, and has left the fleet facing weeks or months of downtime.


Lab Dookhtegan Hacking Group Disrupts Communications for 60 Iranian Ships

The Lab Dookhtegan hacking group has claimed responsibility for a large-scale cyberattack that disrupted communications for 60 Iranian ships, including 39 oil tankers and 25 cargo vessels. The targeted ships are operated by two U.S.-sanctioned Iranian maritime companies:

  • National Iranian Oil Tanker Company (NITC)
  • Iran Shipping Lines (IRISL)

The attack, which unfolded in August 2025, exploited vulnerabilities in outdated satellite communication systems, leaving the vessels incapable of coordinating navigation, weather updates, or emergency responses.


How the Attack Unfolded

1️⃣ Breach of Satellite Communications Provider

The hackers compromised Fannava, an Iranian satellite communications company, and disabled the Falcon communication system—a critical component for ship-to-shore coordination. According to reports, the attackers wiped core data, including logs, configurations, and recovery files, rendering the systems irrecoverable without a full reinstall [1].

2️⃣ Exploitation of Outdated Software

Lab Dookhtegan gained root access to Linux terminals running iDirect satellite software (version 2.6.35), a decade-old system that fails to meet basic cybersecurity standards. Screenshots published by the group confirmed their ability to control and manipulate the communication infrastructure [2].

“Think of [Falcon] as the heart of the ship’s communication system. Stop the Falcon, and the ship goes dark. No emails to shore, no weather updates, no port coordination, nothing.”
Nariman Gharib, Cybersecurity Researcher [2]

3️⃣ Five Months of Undetected Persistence

The attackers infiltrated Iran’s maritime network as early as May 2025, maintaining persistent access for five months. During this period, they:

  • Mapped Iran’s fleet modem by modem
  • Monitored communications
  • Prepared for a coordinated takedown in August

Email logs and timestamps revealed the long-term infiltration, suggesting the group could have caused chaos at any moment but chose a strategic time—aligning with new U.S. sanctions on Iranian oil—to maximize impact [2].
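The persistence described above was only reconstructed from logs after the fact. As an added example (not code from the original post or from any of the parties involved), the script below audits constructed sshd log lines from a Linux terminal and flags the two signals that would have surfaced the infiltration early: root logins from outside a trusted network, and any source whose access spans longer than a dwell-time threshold. Hostnames, addresses, dates and the log format are assumptions.

```python
"""Dwell-time audit over constructed sshd log lines (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample lines in syslog style; host, IPs and dates are assumptions.
SAMPLE_LOG = """\
2025-05-03T02:14:09 term-07 sshd[1211]: Accepted password for root from 203.0.113.45 port 51022 ssh2
2025-05-03T02:20:41 term-07 sshd[1240]: Accepted publickey for ops from 10.20.0.5 port 40112 ssh2
2025-06-18T23:51:02 term-07 sshd[3302]: Accepted password for root from 203.0.113.45 port 51891 ssh2
2025-08-09T03:03:55 term-07 sshd[4410]: Accepted password for root from 203.0.113.45 port 52210 ssh2
2025-08-10T09:12:30 term-07 sshd[4522]: Failed password for root from 198.51.100.7 port 60001 ssh2
"""

# Only successful logins matter for dwell time; failed attempts are ignored here.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_accepted(text):
    """Yield (timestamp, user, method, source) for each successful login."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["method"], m["src"]


def audit(text, max_dwell_days=30, trusted_nets=("10.",)):
    """Return findings: root logins from untrusted sources, plus any source
    whose first-to-last login span exceeds max_dwell_days."""
    first_last = {}
    findings = []
    for ts, user, method, src in parse_accepted(text):
        if user == "root" and not src.startswith(trusted_nets):
            findings.append(f"root login via {method} from {src} at {ts.isoformat()}")
        first, last = first_last.get(src, (ts, ts))
        first_last[src] = (min(first, ts), max(last, ts))
    for src, (first, last) in first_last.items():
        if last - first > timedelta(days=max_dwell_days):
            findings.append(f"{src} active for {(last - first).days} days (since {first.date()})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Shipping these findings off the terminal to a central collector matters as much as the check itself: the post notes that the attackers wiped local logs at the end, so a copy that lives only on the modem is a copy the attacker can erase.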

4️⃣ Permanent Damage and Data Wiping

Lab Dookhtegan didn’t just disrupt operations—they sought permanent damage. The group:

  • Overwrote six storage partitions with zeros
  • Deleted logs, configurations, and recovery data
  • Exposed sensitive credentials, including plaintext passwords (e.g., 1402@Argo, 1406@Diamond)

With this level of access, the attackers could:

  • Eavesdrop on ship-to-port communications
  • Impersonate vessels
  • Disrupt voice communications

[Image: Iranian ships targeted in the Lab Dookhtegan attack. Source: Nariman Gharib Blog [2]]


Why This Attack Is Catastrophic for Iran

🔹 Operational Paralysis

The attack didn’t just cause temporary outages—it crippled Iran’s maritime fleet. Affected vessels now require a complete system reinstall, a process that could take weeks or months. For a fleet already under pressure to evade seizures and sanctions, this downtime is disastrous.

🔹 Strategic Timing

The attack coincided with new U.S. sanctions on Iranian oil, amplifying its impact. By cutting off communications, Lab Dookhtegan ensured that Iran’s ability to coordinate shipments, avoid seizures, and respond to emergencies was severely compromised.

🔹 Second Major Attack in 2025

This incident follows Lab Dookhtegan’s March 2025 attack, which disrupted 116 Iranian ships. The recurring strikes suggest a deliberate, long-term campaign to undermine Iran’s maritime capabilities.


Broader Implications for Maritime Cybersecurity

🔴 Vulnerabilities in Legacy Systems

The attack highlights the critical risks of relying on outdated software in maritime operations. Systems like iDirect 2.6.35 lack modern security protections, making them prime targets for cybercriminals.

🔴 The Rise of State-Aligned Hacking Groups

Lab Dookhtegan’s precision and timing suggest potential state alignment or geopolitical motivations. As cyber warfare evolves, maritime infrastructure is increasingly becoming a battleground for digital conflicts.

🔴 Need for Enhanced Cybersecurity Measures

This incident underscores the urgency for:

  • Regular software updates
  • Multi-factor authentication (MFA)
  • Continuous network monitoring
  • Incident response planning

Conclusion

The Lab Dookhtegan cyberattack on Iran’s maritime fleet is a wake-up call for the global shipping industry. By exploiting outdated systems and maintaining long-term persistence, the group demonstrated how cyber vulnerabilities can paralyze critical infrastructure. As geopolitical tensions rise, maritime cybersecurity must become a top priority to prevent future disruptions.

For Iran, the road to recovery will be long and costly, with weeks or months of downtime ahead. The attack serves as a stark reminder: in the digital age, no industry is immune to cyber threats.



This post is licensed under CC BY 4.0 by the author.