THE SIGN BY CYSAT


SATCOM Under Fire: The Lab Dookhtegan Attack on Iranian Fleets

Attacks on satellite communications (SATCOM) infrastructure are once again making headlines. Lab Dookhtegan, a self-proclaimed “hacktivist” group, has carried out a destructive operation against SATCOM terminals on Iranian vessels. At least 39 tankers belonging to the National Iranian Tanker Company (NITC) and 25 cargo ships from the Islamic Republic of Iran Shipping Line (IRISL) were affected.

This is not the first time. Just five months earlier, the same group claimed responsibility for a similar campaign that targeted 119 Iranian tankers. The technical approach seems consistent: compromise of the Iranian VSAT provider Fanava, followed by lateral movement into the VSAT equipment installed onboard the ships. The attackers wiped iDirect modems, forcing manual reinstallation and recovery - a method designed to maximize disruption and extend downtime.

Why it works

Targeting SATCOM providers is effective because they represent a weak link in global infrastructure. They operate large, heterogeneous networks with multiple partners and equipment vendors, often with limited segmentation or outdated security controls. Many systems remain directly exposed to the internet. This combination creates a broad attack surface where a single breach can cascade into widespread service disruption. The Russian attack on Viasat in February 2022, which disabled thousands of terminals in Europe on the day of the Ukraine invasion, is perhaps the most visible proof of this strategy’s effectiveness.

A long-standing problem

SATCOM insecurity is not a new story. As early as 2014, research presented at Black Hat highlighted severe vulnerabilities across aviation, maritime, and industrial SATCOM equipment. A follow-up in 2018 underscored the poor security posture in the maritime sector, with researchers demonstrating how entire fleets could be compromised via weaknesses in VSAT providers. At the time, incidents surfaced where even commodity malware like Mirai had infected antenna control units that were directly exposed online.

Although industry awareness and security measures have improved in recent years, the case of the Iranian fleets illustrates that systemic weaknesses persist. SATCOM remains a tempting target because of its operational criticality and the often sluggish pace of modernization in maritime and remote communications.

Political context

This attack is not purely technical. Both NITC and IRISL are under international sanctions due to their role in Iran’s nuclear program and other activities. That makes the operation inherently geopolitical, blurring the line between hacktivism and state-aligned offensive cyber activity. The parallels with the U.S. cyber operation in February 2024, which disabled communications on an Iranian intelligence vessel during the Houthi crisis, are striking. While details of that operation remain classified, it demonstrated the same principle: disabling communications at sea is a powerful lever in regional conflicts.

Conclusions

The Lab Dookhtegan operation reinforces a critical reality: SATCOM is still a fragile cornerstone of global infrastructure. Disrupting a provider or modem fleet can paralyze entire sectors with immediate operational and financial impact. Maritime operators, in particular, remain exposed, relying on equipment and architectures that were never designed with today’s threat environment in mind.

More importantly, the attack highlights how the boundary between cyber activism and statecraft continues to blur. While this round targeted sanctioned Iranian fleets, tomorrow it could be commercial shipping, aviation, or energy operators in another part of the world. SATCOM is global by design, and so too are its vulnerabilities. In this sense, the incident is less about Iran and more about the ongoing risks inherent to an under-protected, mission-critical infrastructure. Unless operators and providers commit to real investment in security - segmentation, monitoring, firmware hardening, and regular testing - SATCOM will remain a readily exploitable weak link in the global supply chain.

Author: Nessa, Cyber Journalist

Photo: gtmaritime.com
