Following its March analysis of the Lab Dookhtegan cyberattack on Iranian oil tankers, Cydome released its ‘Second Wave Findings’ in August, a follow-up that filled in the missing details. The incident disrupted communications on 116 vessels, exposing the fragility of maritime satellite networks and pinpointing the iDirect Falcon service as a critical weak point in VSAT terminals. What initially looked like a modem-level exploitation has now been confirmed as a provider-level compromise of Fanava’s infrastructure.

The findings reshape understanding of the campaign. Rather than isolated exploitation of shipboard terminals, attackers infiltrated Fanava’s core infrastructure, turning a satellite service provider into a single point of systemic failure. This supply chain attack allowed the adversaries to disable communications, leak sensitive data, and surveil fleet operations at scale, shifting the threat from ship-level disruption to a strategic assault on Iran’s maritime logistics backbone.

“Screenshots leaked by the attackers already showed destructive use of the dd command to wipe storage partitions and disable Falcon processes – leaving equipment onboard vessels inoperable,” Or Balog, a cybersecurity researcher at Cydome, wrote in a recent blog post. “At the time, however, the exact entry point remained unclear.”

Balog disclosed that the second wave in August 2025 provided the missing answers. “What initially appeared as modem-level exploitation has now been confirmed as the result of a provider-level compromise of Fanava’s infrastructure.”

From the outset, the attackers did not target ships individually. Instead, they infiltrated the central hub through which satellite services were delivered to the fleets of National Iranian Tanker Company (NITC) and the Islamic Republic of Iran Shipping Lines (IRISL). This gave them the ability to carry out destructive actions across dozens of vessels simultaneously.

Balog noted that the attackers gained access to Fanava’s data center, confirming that the incident was a supply-chain compromise rather than an isolated terminal exploitation. The destructive techniques first seen in screenshots from March, which included wiping partitions and disabling Falcon, were applied systematically across fleets and forced the physical replacement of hardware onboard. 
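The destructive pattern described here, writes of raw data to storage partitions with `dd` and termination of the Falcon service, is the kind of activity a host-level audit trail on a shipboard terminal can flag before hardware has to be replaced. The following is an added example written for this article, not code from Cydome or from the incident; it assumes a simplified, auditd-style `EXECVE` record format (constructed below) and assumes the Falcon service shows up in a process list under the name `falcon`, which is an assumption rather than a detail from the report.

```python
import re
import shlex
from dataclasses import dataclass

# Constructed sample records in a simplified auditd-like layout (not real telemetry
# from the incident). The service name "falcon" is an assumption made for this example.
SAMPLE_LOG = """\
type=EXECVE pid=4121 uid=0 argv="ls -la /var/log"
type=EXECVE pid=4130 uid=0 argv="dd if=/dev/zero of=/dev/mmcblk0p2 bs=1M"
type=EXECVE pid=4131 uid=0 argv="pkill -9 falcon"
type=EXECVE pid=4140 uid=1000 argv="dd if=backup.img of=/tmp/restore.img"
type=EXECVE pid=4150 uid=0 argv="systemctl stop falcon"
"""

# Device paths that denote a raw block device rather than an ordinary file.
BLOCK_DEVICE = re.compile(r"^/dev/(sd|hd|vd|nvme|mmcblk|mapper/)")
PROCESS_KILLERS = {"kill", "pkill", "killall"}
SERVICE_MANAGERS = {"systemctl", "service"}
FALCON_NAMES = {"falcon"}  # assumed process/service name for the iDirect Falcon service

RECORD = re.compile(r'type=EXECVE pid=(\d+) uid=(\d+) argv="([^"]*)"')


@dataclass
class Alert:
    pid: int
    uid: int
    rule: str
    argv: str


def parse_record(line: str):
    """Return (pid, uid, argv) for an EXECVE record, or None for anything else."""
    m = RECORD.match(line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3)


def classify(argv: str):
    """Map a command line to a detection rule name, or None if it looks benign."""
    args = shlex.split(argv)
    if not args:
        return None
    cmd = args[0].rsplit("/", 1)[-1]  # strip any leading path from the binary name
    if cmd == "dd":
        # dd writing directly to a block device is the partition-wipe pattern.
        for a in args[1:]:
            if a.startswith("of=") and BLOCK_DEVICE.match(a[3:]):
                return "dd_write_to_block_device"
    if cmd in PROCESS_KILLERS and any(t in FALCON_NAMES for t in args[1:]):
        return "falcon_process_killed"
    if cmd in SERVICE_MANAGERS and "stop" in args[1:] and any(t in FALCON_NAMES for t in args[1:]):
        return "falcon_service_stopped"
    return None


def scan(log_text: str):
    """Run every EXECVE record through classify() and collect the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        pid, uid, argv = parsed
        rule = classify(argv)
        if rule:
            alerts.append(Alert(pid, uid, rule, argv))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"pid={alert.pid} uid={alert.uid} {alert.rule}: {alert.argv}")
```

On the constructed input the scan flags the `dd` write to a block device, the `pkill` of the Falcon process and the `systemctl stop`, while the ordinary `dd` copy to a file under `/tmp` and the directory listing pass through. The useful property for a fleet operator is that the same rules apply across every terminal fed by the same provider, so a burst of these alerts on many vessels at once is the signature of a hub-level compromise rather than a single misbehaving modem.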

The breach also extended into corporate IT, with internal documents, network diagrams, and operational checklists leaked. Maps showing real-time vessel positions around Bandar Abbas confirmed access to AIS tracking data, escalating the incident from a communications disruption to full operational visibility. It also compromised voice communications, as control over ship-to-shore VoIP services enabled attackers to intercept or block voice traffic, thereby undermining command and coordination at sea.

Balog recognizes that, taken together, both waves of the campaign now form a coherent picture. “The first wave exposed the destructive tools and the critical role of Falcon. The second wave confirmed how those effects were achieved – through direct compromise of Fanava’s hub – and demonstrated that the techniques were applied broadly and deliberately.”

He noted this was not espionage. “It was sabotage. The systematic wiping of devices, termination of Falcon processes, and leaking of internal documents show an operation designed to disable, disrupt, and destabilize maritime communications at scale.”

For the maritime sector, the lesson is systemic. Centralized satellite infrastructure and single points of failure, such as Falcon, create national-level vulnerabilities. When a provider is compromised, the consequences cascade across entire fleets and operators.

Balog concluded that the second wave of Lab Dookhtegan’s campaign does not represent an escalation in tactics, but a clarification of what truly occurred in March. “From the very beginning, this was a provider-level supply-chain attack against Fanava’s hub.”

Earlier in August, U.K.-based Iran International identified that the two state-linked companies are central to Iran’s sanctioned economy. It reported that Lab Dookhtegan, also known as Sewn Lips, claimed responsibility for hacking the systems of NITC and IRISL, disrupting operations on 39 tankers and 25 cargo ships. Both companies were sanctioned by the U.S. Treasury in 2020 for aiding the Islamic Revolutionary Guard Corps’ Quds Force, the extraterritorial wing of the IRGC.

According to the group, the breach was carried out by infiltrating Fanava Group, an Iranian IT and telecoms holding company that provides satellite communications, data storage, and payment services. They said the intrusion gave them ‘root-level’ access to the Linux operating systems running the ships’ satellite terminals, which allowed them to disable Falcon, the control software central to Iran’s maritime communications.

Disabling Falcon, the group added, severed all connections between ships and shore, leaving automatic identification system (AIS) tracking and satellite links inoperable.

“The cyberattack comes as Iran faces growing scrutiny of its shipping and oil-export networks,” according to a post. “Western governments accuse Tehran of using its maritime fleet to mask oil sales to China and others, while also supplying weapons to proxy groups, including Hezbollah and Yemen’s Houthis.”
