top of page

Subscribe to our newsletter

Cyber Attack on Iranian Shipping Lines: Impact on VSAT Systems and Maritime Operations

2 min read
Image for post about Incident Analysis Report: Disruption of Iranian Shipping Communications

Incident Analysis Report: Disruption of Iranian Shipping Communications

Date of Incident: March 18, 2025

Affected Entities: National Iranian Tanker Company (NITC) and Islamic Republic of Iran Shipping Lines (IRISL)


Executive Summary

On March 18, 2025, Lab Dookhtegan conducted a significant cyber attack on Iranian maritime operations, specifically targeting the National Iranian Tanker Company (NITC) and the Islamic Republic of Iran Shipping Lines (IRISL). This attack effectively disrupted the communication networks of 116 ships, severely hindering their operational capabilities. Restoration of the affected systems is anticipated to take several weeks (Iran International). Lab Dookhtegan's historical activities and their claim of responsibility suggest Medium confidence in their attribution (Cyber Shafarat).


Detailed Analysis

1. Attack Vector Analysis

Lab Dookhtegan's attack severed communication links between ships, ports, and external channels, critically affecting maritime operations. The use of vulnerabilities in VSAT satellite technology, crucial for offshore coordination, is a plausible vector in this sophisticated attack (Iran International).

2. Specific Malware and Tools Identified

No specific malware or tools were identified in the reports. However, given Lab Dookhtegan's history of sophisticated cyber activities, the use of advanced techniques exploiting VSAT vulnerabilities is highly likely (Iran International).

3. Historical Context of Threat Actor Activities

Lab Dookhtegan has been active for six years, targeting Iranian military and intelligence infrastructures, often in line with geopolitical tensions. Their actions aim to disrupt operations and impact regional power dynamics (Cyber Shafarat).

4. Sector-specific Targeting Patterns

The maritime sector, particularly entities involved in oil sales and supplying munitions to the Houthis, was specifically targeted. This strategy aligns with broader geopolitical objectives, coinciding with U.S. military operations against the Houthis (Iran International).

5. Technical Details of Attack Methods Mapped to the MITRE ATT&CK Framework

  • Technique T1078: Valid Accounts - Possible exploitation of existing credentials.
  • Technique T1569: System Services - Disruption of ship communication services.
  • Technique T1565: Data Manipulation - Potential severing of communication links.
  • Technique T1040: Network Sniffing - Possible interception to identify vulnerabilities (Iran International).

Impact Assessment

The disruption has significantly hindered the operational capabilities of NITC and IRISL, with expected long-term impacts on Iran's maritime logistics and regional influence.


Recommendations

  1. Critical: Immediate review and patching of VSAT systems to mitigate known vulnerabilities.
  2. High: Enhance monitoring and anomaly detection capabilities to identify unauthorized access attempts.
  3. Medium: Conduct a thorough audit of existing credentials and implement multi-factor authentication.
  4. Low: Increase cybersecurity awareness and training for maritime operation personnel.


 
bottom of page