Hacktivists Cripple Iranian Tankers in Massive Cyberattack
A shadowy hacktivist group with a long history of exposing Tehran’s cyber operations is taking credit for one of the most disruptive maritime cyber incidents in Iran’s history. The crew, known as Lab-Dookhtegan (“Sewn Lips”), says it bricked critical communications systems aboard dozens of Iranian oil tankers and cargo vessels, effectively cutting them off from the outside world.
According to UK-based outlet Iran International, the attack disabled communications on 25 cargo ships and 39 tankers tied to the National Iranian Tanker Company (NITC) and the Islamic Republic of Iran Shipping Lines (IRISL). Both organizations are already sanctioned by the U.S. Treasury for their links to the Iranian government.
Total System Lockout
Lab-Dookhtegan claims it gained administrator-level access to the Linux systems powering the vessels’ satellite terminals. From there, the group shut down Falcon, the software responsible for ship-to-shore connectivity. With Falcon offline, the ships lost their AIS tracking, satellite links, and secure messaging — leaving them blind and silent on the seas.
The attackers reportedly gained their initial foothold by compromising Fanava Group, a domestic IT contractor supplying satellite services to both NITC and IRISL. The case underscores how a single vendor breach can cascade into industry-wide disruption, a lesson painfully learned by other critical sectors worldwide.
Fanava has not responded to repeated requests for comment.
Data Destruction, Not Just Disruption
London-based cyber researcher Nariman Gharib, who has tracked Lab-Dookhtegan for years, said the group’s tactics went far beyond cutting off communications. After analyzing logs and screenshots shared by the attackers, he described “systematic destruction” of onboard data.
“They overwrote six storage partitions with zeros,” Gharib noted. “Navigation logs, archives, system configs, even the recovery partitions — gone. The only way forward is to physically board each vessel and reinstall from scratch. That could mean weeks or months of downtime per ship.”
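The kind of check an incident responder would run to substantiate a "partitions overwritten with zeros" claim like Gharib's, offered here as an added example that is not part of the article and is not code from the group, the researcher or Fanava: it parses a classic MBR partition table from a raw disk image, measures what fraction of each partition's sectors are all-zero, and flags any partition above a threshold as wiped. The sample image is constructed in memory (three partitions: intact, fully zeroed, half zeroed); the 0.99 threshold and the MBR-only layout are assumptions for illustration, and a real vessel terminal image would need GPT handling and reading from a file or block device instead of a bytes object.

```python
import struct

SECTOR = 512            # sector size assumed for the image
MBR_TABLE_OFFSET = 446  # four 16-byte partition entries start here
MBR_ENTRY_SIZE = 16
MBR_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(image: bytes):
    """Return (type, start_lba, sector_count) for each populated MBR entry."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + i * MBR_ENTRY_SIZE
        _status, _chs_s, ptype, _chs_e, start, count = struct.unpack_from(
            MBR_ENTRY_FMT, image, off)
        if ptype == 0 or count == 0:   # empty slot
            continue
        parts.append((ptype, start, count))
    return parts


def zero_fill_ratio(image: bytes, start_lba: int, sector_count: int) -> float:
    """Fraction of a partition's sectors that contain only 0x00 bytes."""
    zero_sector = bytes(SECTOR)
    zero = total = 0
    for lba in range(start_lba, start_lba + sector_count):
        off = lba * SECTOR
        sector = image[off:off + SECTOR]
        if len(sector) < SECTOR:       # image truncated: stop counting
            break
        total += 1
        if sector == zero_sector:
            zero += 1
    return zero / total if total else 0.0


def wiped_partitions(image: bytes, threshold: float = 0.99):
    """Per-partition zero-fill report; 'wiped' is True above the threshold."""
    report = []
    for idx, (ptype, start, count) in enumerate(parse_mbr(image)):
        ratio = zero_fill_ratio(image, start, count)
        report.append({
            "index": idx, "type": ptype, "start_lba": start,
            "sectors": count, "zero_ratio": ratio,
            "wiped": ratio >= threshold,
        })
    return report


def build_sample_image() -> bytes:
    """Constructed 13-sector test image (not data from any real vessel)."""
    img = bytearray(13 * SECTOR)
    data_sector = b"NAV-LOG " * 64            # 512 bytes, no zero bytes
    # Partition table: (type 0x83 Linux, start LBA, sector count)
    layout = [(0x83, 1, 4), (0x83, 5, 4), (0x83, 9, 4)]
    for i, (ptype, start, count) in enumerate(layout):
        struct.pack_into(MBR_ENTRY_FMT, img, MBR_TABLE_OFFSET + i * MBR_ENTRY_SIZE,
                         0x80 if i == 0 else 0x00, b"\0\0\0", ptype, b"\0\0\0",
                         start, count)
    img[510:512] = b"\x55\xaa"
    for lba in range(1, 5):                   # partition 0: intact
        img[lba * SECTOR:(lba + 1) * SECTOR] = data_sector
    # partition 1 (LBA 5-8) is left all-zero: simulated wipe
    for lba in range(9, 11):                  # partition 2: half overwritten
        img[lba * SECTOR:(lba + 1) * SECTOR] = data_sector
    return bytes(img)


if __name__ == "__main__":
    for entry in wiped_partitions(build_sample_image()):
        print(entry)
```

Run against a real image, the report distinguishes a partition that was deliberately zeroed end to end from one whose filesystem merely has unallocated space, which matters when the write-up will be used to justify reinstalling from scratch rather than attempting recovery.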
Perhaps most unsettling, evidence suggests the hackers had persistent access since May — lurking inside shipboard systems for months before finally pulling the plug. During that time, they could have monitored calls through hijacked IP phone systems, spoofed voices, or disabled communications altogether.
A Pattern of Escalation
Lab-Dookhtegan first emerged in 2019 when it leaked tools and identities linked to Iran’s cyber-espionage unit APT34 (OilRig/Helix Kitten). The group resurfaced earlier this year, claiming to have disrupted communications across 116 Iranian vessels. That earlier strike coincided with U.S. operations against Houthi rebels in Yemen.
This latest operation comes just as Washington broadened sanctions on Iranian oil, targeting 13 additional companies. Whether coincidence or coordination, the timing has not gone unnoticed.
Cyber Frontlines of Geopolitics
Security experts warn that incidents like this highlight the growing overlap between geopolitical conflict and cyberspace. Maritime shipping, energy, and critical infrastructure have become increasingly attractive targets for both state-sponsored hackers and ideologically driven activists.
“This is the kind of attack that ripples across industries,” said Trey Ford, Chief Strategy and Trust Officer at Bugcrowd. “When a communications backbone gets wiped, companies need to ask: how do you operate in a degraded state, and what redundancies are in place to keep business running until systems come back online?”
The fallout for Iran’s shipping industry may take months to repair — but the bigger lesson extends far beyond the Persian Gulf. As Ford emphasizes, organizations everywhere need to scrutinize not just their own defenses but also the security posture of their critical suppliers.
Because in today’s world, one weak link can sink an entire fleet.