Cydome’s maritime cyber research team has published an analysis of the Lab Dookhtegan cyber attack on Iranian oil tankers, which the group claims disrupted the operation of 116 oil vessels. These oil tankers are said to belong to two Iranian companies associated with the government and allegedly operating in violation of international sanctions. The group claims that the attack cut communications both on board the ships and ship-to-shore (Satcom).
“In this recent attack, Lab Dookhtegan claimed on their Telegram channel that they managed to completely disrupt the external and internal communications of 116 oil tankers belonging to Iranian government-owned companies,” Cydome said in its Wednesday blog post. “The hacktivist group claimed that the operation succeeded in fully disrupting both the external connectivity from the ship (ship-to-shore) as well as internal communications on board the vessels between the crew.”
As yet, there is no independent evidence of this attack or its results, and reports rest on the group’s past credibility.
The researchers noted that while Lab Dookhtegan has not publicly disclosed the exact Tactics, Techniques, and Procedures (TTPs) used, open-source reporting indicates the group likely exploited vulnerabilities in the maritime satellite communication systems that these ships rely on.
“Vessels use two-way VSAT (Very Small Aperture Terminal) satellite equipment for external connectivity,” according to the researchers. “Communication devices are known to be the common targets for cyber attacks, and vulnerabilities in network equipment are published frequently. A prior study even demonstrated that an attacker with Shodan (a device search engine) could locate ship satellite terminals and remotely compromise them using factory-set passwords, gaining the ability to alter system settings or even upload malicious firmware.”
They also observed that Lab Dookhtegan could have leveraged similar weaknesses. “From the information presented by the group, it seems that they were able to take full control of the communications system, with elevated credentials, full access to the ships’ networks, and the ability to remotely execute malicious code.”
Using this elevated access, the group appears to have carried out data-destruction actions intended to disrupt communications, pushing the ships ‘offline.’
“The fact that malware or malicious commands were delivered to 116 vessels simultaneously indicates a high degree of automation and coordination in the attack,” according to the Cydome researchers. “Cybersecurity analysts note that executing a synchronized takedown of dozens of distributed maritime assets would require advanced capabilities, possibly including prior reconnaissance of the fleet’s IT/OT infrastructure and custom exploits tailored to the communication systems. The group also hints at collaboration with ‘friends who are enemies of our enemies.’”
Communication devices are the bottleneck of maritime vessels. While modern communications devices can connect to multiple satellite (and terrestrial, e.g., 4G/5G) connectivity services for redundancy, few are designed for cyber resilience, and in many cases whatever cyber protection exists is embedded within the communications device itself. This makes the ship’s communication device a single point of failure: if a malicious actor compromises it (VSAT or other), they can take complete control over all communications of the vessel and even spread to the IT and OT (operational technology) systems.
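The single-point-of-failure argument above can be checked mechanically by modelling the ship's network as a graph and asking which nodes disconnect it when removed. The following is an added example, not Cydome's code or anything attributed to the attackers: both topologies are constructed for illustration, and node names such as `comms_unit`, `bridge_it` and `engine_ot` are hypothetical labels. Topology A has two uplinks for link redundancy but terminates both on one comms unit that also hosts the ship's protection; topology B uses two independent terminals and a meshed shipboard network.

```python
"""Added example (not Cydome's code): find single points of failure in a
constructed vessel network topology using articulation-point analysis."""
from collections import defaultdict, deque


def build_graph(edges):
    """Adjacency map from an undirected edge list."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def articulation_points(graph):
    """Nodes whose removal disconnects the graph (Tarjan's low-link DFS)."""
    disc, low, result = {}, {}, set()
    counter = [0]

    def dfs(u, parent):
        disc[u] = low[u] = counter[0]
        counter[0] += 1
        children = 0
        for v in graph[u]:
            if v == parent:
                continue
            if v in disc:                       # back edge to an ancestor
                low[u] = min(low[u], disc[v])
                continue
            children += 1
            dfs(v, u)
            low[u] = min(low[u], low[v])
            # non-root u is a cut vertex if v's subtree cannot climb above u
            if parent is not None and low[v] >= disc[u]:
                result.add(u)
        # the DFS root is a cut vertex only if it has more than one child
        if parent is None and children > 1:
            result.add(u)

    for node in list(graph):
        if node not in disc:
            dfs(node, None)
    return result


def single_points_of_failure(edges):
    """Sorted list of devices whose loss partitions the network."""
    return sorted(articulation_points(build_graph(edges)))


def unreachable_after_loss(graph, lost, source="shore"):
    """Nodes cut off from `source` once `lost` is removed (BFS)."""
    seen, queue = {source}, deque([source])
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v != lost and v not in seen:
                seen.add(v)
                queue.append(v)
    return {n for n in graph if n != lost and n not in seen}


# Constructed topology A (hypothetical names): one comms unit with VSAT and
# LTE uplinks; every shipboard zone hangs off that single unit.
SINGLE_COMMS_UNIT = [
    ("shore", "vsat_uplink"), ("shore", "lte_uplink"),
    ("vsat_uplink", "comms_unit"), ("lte_uplink", "comms_unit"),
    ("comms_unit", "crew_lan"), ("comms_unit", "bridge_it"),
    ("comms_unit", "engine_ot"),
]

# Constructed topology B (hypothetical names): two independent terminals,
# each entering the ship at a different zone, with the zones meshed.
INDEPENDENT_PATHS = [
    ("shore", "vsat_terminal"), ("shore", "lte_router"),
    ("vsat_terminal", "crew_lan"), ("lte_router", "bridge_it"),
    ("crew_lan", "bridge_it"), ("bridge_it", "engine_ot"),
    ("engine_ot", "crew_lan"),
]


if __name__ == "__main__":
    for name, edges in (("A", SINGLE_COMMS_UNIT), ("B", INDEPENDENT_PATHS)):
        spof = single_points_of_failure(edges)
        print(f"topology {name}: single points of failure = {spof}")
        for device in spof:
            cut = unreachable_after_loss(build_graph(edges), device)
            print(f"  losing {device} isolates {sorted(cut)} from shore")
```

Link redundancy alone does not change the result for topology A: the comms unit is still the only articulation point, and losing it strands every shipboard zone, which is exactly the failure mode the article describes. Topology B reports no single point of failure because neither terminal sits on every path.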
Cydome assesses that this high-profile attack carries sobering implications far beyond Iran. “It underscores that maritime assets – from tankers and container ships to offshore platforms – are now firm targets in cyber warfare. It also emphasizes the need for advanced cyber protection that would enhance the vessel’s resilience to cyber attacks without relying on external connectivity and fully independent from the communications systems.”
They added that, in the broader picture, this large-scale, fleet-wide Lab Dookhtegan cyber attack joins other recently published threat intelligence showing an increase in highly targeted attacks on maritime companies and vessels (for example, the Sidewinder group’s focus on shipping companies, and other reports of highly targeted phishing attacks on maritime companies and crew).
As the threat level rises, Cydome recommends that shipping companies perform a comprehensive risk assessment and install a dedicated maritime cybersecurity solution that is independent of the communications devices and protects all external and internal network traffic. They should also perform routine vulnerability scans (annual scans are too infrequent for proper protection), ensure that high and critical risks are resolved, and run tabletop exercises to train the IT and executive teams and reveal any gaps in cyber preparedness.