Cyber Attacks Target Iranian Ships Through Maritime Communication Terminals in MySQL Database
In late August 2025, a sophisticated campaign of cyber sabotage targeted Iran’s maritime communications infrastructure, severing vital satellite links and navigation aids for dozens of vessels. Instead of attacking individual ships, the threat actors infiltrated Fanava Group, the IT provider for Iran’s sanctioned tanker fleets. By compromising outdated iDirect Falcon terminals, they gained root access to Linux systems running kernel 2.6.35 and mapped the entire fleet through a centralised MySQL database. The initial breach exploited unpatched vulnerabilities in legacy Falcon management consoles, enabling the attackers to execute privileged commands and exfiltrate critical network mappings. They harvested modem serial numbers, network IDs, and IP phone system configurations in plain text, including sensitive credentials. This information was weaponised to orchestrate a synchronised blackout, resulting in the failure of email and FBB SIM communications, the cessation of automated weather updates, and the disappearance of port coordination signals.
Researcher Nariman Gharib identified the operation, dubbed Lab-Dookhtegan, as a prolonged campaign rather than a one-off disruption. Email logs dating back to May indicated persistent access and periodic “Node Down” tests, confirming that the attackers maintained control over the networks for months before executing a destructive finale. On August 18, they initiated a “scorched earth” sequence, overwriting multiple storage partitions on satellite modems with zeroed data, making remote recovery impossible. By crippling Iran’s sanctioned fleets—NITC and IRISL—during a time of intensified covert oil transfers to China, the attackers significantly undermined the country’s sanctions-evasion capabilities. Without communication links, tankers risked drifting off-course or becoming vulnerable to boarding and seizure. The operation’s precision highlighted a thorough reconnaissance phase, allowing the threat actors to deliver maximally disruptive payloads at a strategically critical moment. The malware’s infection mechanism employed a multi-stage approach: initial access through unprotected management ports, lateral movement via SSH keys harvested from MySQL dumps, and the deployment of destructive scripts. After gaining root access on a compromised Falcon console, the attackers executed commands that systematically wiped primary storage partitions and recovery slices, ensuring irrecoverability without physical intervention.
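The report's central defensive lesson is that the fleet inventory database held modem identifiers, phone-system configuration and credentials in plain text, and that SSH keys recovered from MySQL dumps enabled lateral movement. As an added example that is not part of the original report, the script below audits a MySQL dump for exactly those exposures: credential-named columns holding unhashed values, embedded `password=`-style settings inside configuration strings, and private key material. It assumes a simplified dump layout (a `CREATE TABLE` followed by one-line `INSERT ... VALUES` statements) and uses constructed placeholder data; none of the table names, serials or values are from the incident.

```python
import re
from typing import Dict, List, Optional

# Constructed sample dump fragment. Table and column names, serials, IDs and
# secrets are all invented placeholders, not data from the incident.
SAMPLE_DUMP = """\
CREATE TABLE `terminals` (
  `id` int,
  `serial` varchar(64),
  `net_id` varchar(16),
  `mgmt_ip` varchar(45),
  `login` varchar(32),
  `password` varchar(128)
);
INSERT INTO `terminals` VALUES (1,'SN-PLACEHOLDER-0001','NET-0042','10.0.0.1','admin','s3cretpass');
INSERT INTO `terminals` VALUES (2,'SN-PLACEHOLDER-0002','NET-0043','10.0.0.2','admin','$2b$12$placeholderbcrypthashvalue0000000000000000000000000');
CREATE TABLE `pbx_config` (
  `id` int,
  `sip` varchar(255),
  `voicemail` varchar(255)
);
INSERT INTO `pbx_config` VALUES (1,'sip_password=hunter2','voicemail_pin=1234');
CREATE TABLE `ssh_keys` (
  `id` int,
  `key_material` text
);
INSERT INTO `ssh_keys` VALUES (1,'-----BEGIN OPENSSH PRIVATE KEY-----\\nb3BlbnNzaC1rZXk=\\n-----END OPENSSH PRIVATE KEY-----');
"""

CREATE_RE = re.compile(r"CREATE TABLE `(\w+)` \((.*?)\);", re.S)
INSERT_RE = re.compile(r"INSERT INTO `(\w+)` VALUES \((.*)\);")
COLUMN_RE = re.compile(r"^\s*`(\w+)`", re.M)
CRED_COLUMN = re.compile(r"pass|pwd|secret|token|pin|key", re.I)
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
INLINE_CRED = re.compile(r"(password|passwd|pwd|pin|secret|token)\s*=\s*(\S+)", re.I)
# Prefixes of common password-hash formats; values starting with these are
# treated as hashed rather than plain text.
HASH_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2", "$5$", "$6$", "$pbkdf2")


def is_hashed(value: str) -> bool:
    return value.startswith(HASH_PREFIXES)


def split_values(raw: str) -> List[str]:
    """Split a VALUES (...) body on commas, honouring single quotes and backslash escapes."""
    values, current, in_quote, i = [], [], False, 0
    escapes = {"n": "\n", "t": "\t"}
    while i < len(raw):
        ch = raw[i]
        if in_quote:
            if ch == "\\" and i + 1 < len(raw):
                current.append(escapes.get(raw[i + 1], raw[i + 1]))
                i += 2
                continue
            if ch == "'":
                in_quote = False
            else:
                current.append(ch)
        elif ch == "'":
            in_quote = True
        elif ch == ",":
            values.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    values.append("".join(current).strip())
    return values


def classify(column: str, value: str) -> Optional[str]:
    """Return the exposure kind for one cell, or None if it looks safe."""
    if not value:
        return None
    if PRIVATE_KEY.search(value):
        return "private_key"
    if CRED_COLUMN.search(column):
        return None if is_hashed(value) else "plaintext_credential"
    match = INLINE_CRED.search(value)
    if match and not is_hashed(match.group(2)):
        return "embedded_credential"
    return None


def scan_dump(text: str) -> List[Dict[str, str]]:
    """Walk CREATE/INSERT statements and report cells that expose secrets."""
    schemas = {name: COLUMN_RE.findall(body) for name, body in CREATE_RE.findall(text)}
    findings = []
    for table, body in INSERT_RE.findall(text):
        columns = schemas.get(table, [])
        for idx, value in enumerate(split_values(body)):
            column = columns[idx] if idx < len(columns) else f"col{idx}"
            kind = classify(column, value)
            if kind:
                findings.append({"table": table, "column": column, "kind": kind})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in scan_dump(SAMPLE_DUMP):
        print(f"{finding['kind']:22} {finding['table']}.{finding['column']}")
    print(summarize(scan_dump(SAMPLE_DUMP)))
```

Run against the constructed dump, the audit flags the unhashed terminal password, both embedded PBX settings and the private key block, while leaving the bcrypt-style hash alone. Remediation follows the same three lines: hash or vault stored credentials, move secrets out of free-text configuration columns, and never keep private key material in a database that a single compromised console can dump.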
Categories: Cyber Sabotage, Maritime Security, Vulnerability Exploitation
Tags: Cyber Sabotage, Maritime Communications, Satellite Links, Fanava Group, Legacy Vulnerabilities, Network Mappings, Scorched Earth, Sanctions-Evasion, Infection Mechanism, Destructive Payloads