SATCOM Under Fire: The Lab Dookhtegan Attack on Iranian Fleets
Hacktivists take aim at maritime VSAT — a wake-up call for global SATCOM security
Attacks on satellite communications (SATCOM) are once again making headlines. Lab Dookhtegan, a self-proclaimed hacktivist group, carried out a destructive operation against SATCOM terminals on Iranian vessels. At least 39 tankers of the National Iranian Tanker Company (NITC) and 25 cargo ships of the Islamic Republic of Iran Shipping Line (IRISL) were affected.
A recurring scenario
Just five months earlier, the same group targeted 119 Iranian tankers. The method remained consistent:
compromise of the Iranian Fanava VSAT provider,
lateral movement into onboard VSAT equipment,
wiping iDirect modems, forcing manual reinstallation and prolonged downtime.
Why it works
Targeting SATCOM providers is effective because they represent a weak link in global infrastructure:
large and heterogeneous networks,
outdated security controls and limited segmentation,
many systems directly exposed to the internet.
A single breach can cascade into widespread disruption. The Russian attack on Viasat in February 2022, which disabled thousands of terminals in Europe on the day of the Ukraine invasion, remains the most visible proof.
Long-standing vulnerabilities
SATCOM insecurity is not new:
2014 — BlackHat research exposed critical flaws across aviation, maritime, and industrial SATCOM.
2018 — follow-up showed entire fleets could be compromised via VSAT providers.
Even commodity malware such as Mirai has infected exposed antenna control units.
Despite growing awareness, the Iranian fleet case shows that systemic weaknesses remain.
Political dimension
This attack is not purely technical. Both NITC and IRISL are under international sanctions linked to Iran’s nuclear program. That makes the operation inherently geopolitical, blurring the line between hacktivism and state-aligned cyber activity.
The parallels with the U.S. cyber operation in February 2024, which disabled communications on an Iranian intelligence vessel during the Houthi crisis, are clear. The principle was the same: disabling communications at sea is a powerful lever in regional conflicts.
Conclusions
The Lab Dookhtegan operation highlights a critical truth: SATCOM is still a fragile cornerstone of global infrastructure.
Disrupting a provider or modem fleet can paralyze entire sectors.
Maritime operators remain especially exposed, relying on equipment never designed for today’s threat landscape.
The line between cyber activism and statecraft continues to blur.
Today, sanctioned Iranian fleets were the target. Tomorrow it could be commercial shipping, aviation, or energy operators anywhere in the world. SATCOM is global by design — and so are its vulnerabilities. Unless providers invest in segmentation, monitoring, firmware hardening, and regular testing, SATCOM will remain an exploitable weak link in the global supply chain.
📖 Publication: The Sign, republished with permission from the editorial team.