Lab Dookhtegan cyber attack on Iranian oil tankers disrupts operations

The Iranian anti-government hacktivist group “Lab Dookhtegan” (“sewn lips” in Farsi) announced on March 18th, 2025, that it had disrupted all communications on 116 oil tankers belonging to two Iranian companies that are associated with the government and allegedly operate in breach of international sanctions. The group claims that the attack cut both the on-board communications of each ship and its ship-to-shore satellite (satcom) links.

The communications system is the chokepoint of a maritime vessel. Modern communications units can fail over between several satellite (and terrestrial, e.g. 4G/5G) connectivity services for redundancy, but few are designed for cyber resilience, and in many cases the vessel's only cyber protection is a feature embedded in the communications unit itself, so it fails together with the device it is meant to protect. This makes the ship's communications unit a single point of failure: an attacker who compromises it (VSAT or otherwise) can take complete control of all of the vessel's communications and pivot from there into the IT and OT networks.

The Lab Dookhtegan attack on Iranian oil tankers

Lab Dookhtegan is an Iranian anti-government hacktivist collective that emerged around 2019, announcing that it aimed to undermine the Iranian government's cyber operations. The name “Lab Dookhtegan” translates literally from Farsi as “sewn lips” or “closed lips.” In the past, the group was associated with the doxing (public exposure) of an elite Iranian cyber-espionage unit, apparently disrupting that unit's espionage activities.

In this recent attack, Lab Dookhtegan claimed on its Telegram channel that it had completely disrupted the communications of 116 oil tankers belonging to Iranian government-owned companies: both the external ship-to-shore connectivity and the internal on-board communications between crew members.

As yet there is no independent evidence of the attack or its results; reporting rests on the group's track record.

Source: Lab Dookhtegan Telegram

Method of attack

While Lab Dookhtegan has not publicly disclosed its exact tactics, techniques and procedures (TTPs), open-source reporting suggests the group most likely exploited vulnerabilities in the maritime satellite communications systems these ships rely on.

Vessels use two-way VSAT (Very Small Aperture Terminal) satellite equipment for external connectivity. Communications devices are common targets for cyber attacks, and vulnerabilities in network equipment are published frequently. A prior study even demonstrated that an attacker using Shodan (a search engine for Internet-exposed devices) could locate ship satellite terminals and remotely compromise them with factory-set passwords, gaining the ability to alter system settings or even upload malicious firmware.

Lab Dookhtegan could have leveraged similar weaknesses. From the information the group presented, it appears to have taken full control of the communications system: elevated credentials, full access to the ships' networks and the ability to execute malicious code remotely:

Source: Lab Dookhtegan Telegram


Using this elevated access, the group appears to have carried out data destruction actions intended to disrupt communications and push the ships “offline”:

Source: Lab Dookhtegan Telegram

The claim that malware or malicious commands were delivered to 116 vessels simultaneously, if accurate, indicates a high degree of automation and coordination in the attack. Cybersecurity analysts note that a synchronized takedown of more than a hundred distributed maritime assets would require advanced capabilities, probably including prior reconnaissance of the fleet's IT/OT infrastructure and custom exploits tailored to the communications systems. The group also hints at collaboration with “friends who are enemies of our enemies.”
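The simultaneous, fleet-wide character of the claimed takedown is also the signal a defender can key on. As an added example, not from the original post and not Cydome's product logic, the following Python correlates constructed, vendor-neutral terminal audit-log lines: it flags a successful admin login from outside the shore management network that is followed on the same terminal by a configuration or firmware change, then groups such events across vessels so that several ships hit within minutes surface as one coordinated campaign. The log format, vessel names, IP ranges, event names and time windows are all assumptions for illustration.

```python
"""Correlate satcom-terminal audit logs to detect a coordinated, fleet-wide takeover.

Added example, not from the original article. The log format below is a constructed,
vendor-neutral shape ("<ISO time> <vessel> <event> key=value ..."); adapt parse_line()
to the real terminal's syslog format.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: two tankers hit from the same source within seconds, one hit
# later from another source, and one legitimate change from the shore management LAN.
SAMPLE_LOGS = """\
2025-03-18T09:58:10Z TANKER-A login user=admin src=203.0.113.7 result=success
2025-03-18T09:58:41Z TANKER-A config_change item=route action=delete
2025-03-18T09:59:02Z TANKER-A firmware_upload status=started
2025-03-18T09:58:12Z TANKER-B login user=admin src=203.0.113.7 result=success
2025-03-18T09:58:45Z TANKER-B config_change item=route action=delete
2025-03-18T10:30:00Z TANKER-C login user=admin src=198.51.100.5 result=success
2025-03-18T10:31:00Z TANKER-C config_change item=ntp action=set
2025-03-18T11:00:00Z TANKER-D login user=engineer src=10.10.0.2 result=success
2025-03-18T11:00:30Z TANKER-D config_change item=beam action=set
"""

SHORE_MGMT_NETS = ["10.10.0.0/16"]  # assumed allowlisted source range for admin logins
DESTRUCTIVE_EVENTS = {"config_change", "firmware_upload"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<vessel>\S+) (?P<event>\S+)(?P<kv>(?: \w+=\S+)*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return {"ts": ts, "vessel": m.group("vessel"), "event": m.group("event"), **fields}


def detect_takeovers(events, allowed_nets=SHORE_MGMT_NETS, window=timedelta(minutes=10)):
    """Per vessel: a successful login from outside allowed_nets followed within `window`
    by a configuration or firmware change on the same terminal."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    by_vessel = defaultdict(list)
    for ev in events:
        by_vessel[ev["vessel"]].append(ev)
    alerts = []
    for vessel, evs in by_vessel.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["event"] != "login" or ev.get("result") != "success" or not ev.get("src"):
                continue
            src = ipaddress.ip_address(ev["src"])
            if any(src in net for net in nets):
                continue  # expected shore-side administration
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break
                if later["event"] in DESTRUCTIVE_EVENTS:
                    alerts.append({"vessel": vessel, "ts": ev["ts"], "src": ev["src"],
                                   "action": later["event"]})
                    break
    return alerts


def detect_campaign(takeovers, min_vessels=2, window=timedelta(minutes=5)):
    """Cluster takeover alerts in time: several vessels inside one window is the
    automation signature, not a single compromised terminal."""
    ordered = sorted(takeovers, key=lambda a: a["ts"])
    campaigns, i = [], 0
    while i < len(ordered):
        cluster = [a for a in ordered[i:] if a["ts"] - ordered[i]["ts"] <= window]
        vessels = sorted({a["vessel"] for a in cluster})
        if len(vessels) >= min_vessels:
            campaigns.append({"start": ordered[i]["ts"], "vessels": vessels,
                              "sources": sorted({a["src"] for a in cluster})})
            i += len(cluster)  # cluster is a contiguous prefix of ordered[i:]
        else:
            i += 1
    return campaigns


def analyse(log_text, allowed_nets=SHORE_MGMT_NETS):
    """Run both stages over raw log text; returns (takeover_alerts, campaigns)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    takeovers = detect_takeovers(events, allowed_nets)
    return takeovers, detect_campaign(takeovers)


if __name__ == "__main__":
    takeovers, campaigns = analyse(SAMPLE_LOGS)
    for a in takeovers:
        print(f"TAKEOVER {a['vessel']} at {a['ts']:%H:%M:%S}Z from {a['src']} -> {a['action']}")
    for c in campaigns:
        print(f"CAMPAIGN starting {c['start']:%H:%M:%S}Z: {c['vessels']} via {c['sources']}")
```

On the constructed sample, TANKER-A, TANKER-B and TANKER-C each raise a per-vessel takeover alert, but only A and B fall inside one five-minute window and so form a campaign; TANKER-D's change comes from the allowlisted shore network and is ignored. The per-vessel rule is what the terminal vendor's own logging should feed into a SIEM; the campaign rule only works if the logs of every vessel land in one place with synchronized clocks.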

Broader Cybersecurity Implications for Maritime Sector

This high-profile attack carries sobering implications far beyond Iran. It underscores that maritime assets, from tankers and container ships to offshore platforms, are now firm targets in cyber warfare. It also emphasizes the need for cyber protection that strengthens a vessel's resilience without relying on external connectivity and that is fully independent of the communications system it protects.

In the broader picture, this large-scale, fleet-wide cyber attack joins other recently published threat intelligence showing an increase in highly targeted attacks on maritime companies and vessels (for example, see our blog on the SideWinder group's focus on shipping companies, and other reports of highly targeted phishing attacks on maritime companies and crews).

What should shipping companies do

As the threat level rises, we recommend that shipping companies:

  • Perform a comprehensive risk assessment.
  • Install a dedicated maritime cybersecurity solution that is independent of the communications devices and protects all external and internal network traffic.
  • Perform routine vulnerability scans (annual scans are too infrequent for proper protection) and ensure that high and critical findings are remediated.
  • Perform tabletop exercises to train the IT and executive teams and reveal any gaps in cyber preparedness. For example – see this recent exercise Cydome conducted together with Ammitec in Athens.
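A concrete form of the factory-password check described above under “Method of attack”, and of the routine scanning recommended in the list, as an added example that is not part of the original post and not Cydome's own tooling: a small Python audit that tries a list of factory-default credentials against each terminal's management page over HTTP Basic authentication and reports which vessels still accept one. The credential list, vessel names and the loopback mock terminal are constructed assumptions; the mock stands in for a real VSAT admin interface so the script runs offline, and real terminals use whatever login mechanism their vendor documents.

```python
"""Fleet audit: do any satcom terminal management pages still accept factory-default logins?

Added example, not from the original article. The credential list and the in-process
mock terminal are constructed; the mock stands in for a real VSAT admin page that uses
HTTP Basic authentication, so the check runs offline.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical factory defaults. In a real audit, populate this from the vendor manuals
# of the terminal models actually installed across the fleet.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "1234"),
    ("root", "password"),
]


def try_basic_login(url, username, password, timeout=3.0):
    """Return True if the management URL accepts (username, password) via HTTP Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False  # 401/403 (or any other error status): the pair was rejected


def audit_fleet(terminals, credentials=DEFAULT_CREDENTIALS):
    """terminals: {vessel: management_url}.
    Returns ({vessel: [accepted (user, pw), ...]}, [unreachable vessels])."""
    findings, unreachable = {}, []
    for vessel, url in terminals.items():
        try:
            accepted = [cred for cred in credentials if try_basic_login(url, *cred)]
        except OSError:  # URLError, refused connection, timeout
            unreachable.append(vessel)  # not answering is not a pass; verify separately
            continue
        if accepted:
            findings[vessel] = accepted
    return findings, unreachable


class MockTerminal(BaseHTTPRequestHandler):
    """Constructed stand-in for a terminal admin page protected by HTTP Basic auth."""
    accepted = ("admin", "admin")  # overridden per instance via start_mock_terminal()

    def do_GET(self):
        want = "Basic " + base64.b64encode(":".join(self.accepted).encode()).decode()
        if self.headers.get("Authorization") == want:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html><title>Terminal admin</title></html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="terminal"')
            self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def start_mock_terminal(username, password):
    """Start a loopback mock terminal accepting only (username, password); return (server, url)."""
    handler = type("Handler", (MockTerminal,), {"accepted": (username, password)})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/admin"


if __name__ == "__main__":
    weak, weak_url = start_mock_terminal("admin", "admin")           # default left in place
    strong, strong_url = start_mock_terminal("admin", "T3rm!nal-2025-unique")
    findings, unreachable = audit_fleet({"MT VESSEL-A": weak_url, "MT VESSEL-B": strong_url})
    for vessel, creds in findings.items():
        print(f"{vessel}: factory default still accepted: {creds}")
    print("unreachable:", unreachable)
    weak.shutdown()
    strong.shutdown()
```

Run this only against terminals you own or are authorized to test. Any accepted default is a critical finding regardless of whether the terminal is reachable from the Internet today, since a compromised crew laptop or shore network puts the attacker on the same LAN; an unreachable terminal is recorded separately rather than treated as safe.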

Feel free to contact us with any questions or comments.
