A hacker group said it disabled communications on more than 60 Iranian oil tankers and cargo ships, severing links between the vessels, their ports, and the outside world in one of the largest cyberattacks on the country’s maritime sector.
The group, known as Lab-Dookhtegan (Sewn Lips), told Iran International that it hacked into the systems of the National Iranian Tanker Company (NITC) and the Islamic Republic of Iran Shipping Lines (IRISL), disrupting operations on 39 tankers and 25 cargo ships.
The hackers said the breach was carried out by infiltrating Fanava Group, an Iranian IT and telecoms holding company that provides satellite communications, data storage, and payment systems.
They said they obtained “root-level” access to the Linux operating systems running the ships’ satellite terminals, enabling them to stop Falcon, the control software at the heart of Iran’s maritime communications.
Stopping Falcon means complete disconnection between the ships and shore, the group said, adding that the hack rendered automatic identification system (AIS) tracking and satellite links inoperable.
NITC and IRISL targeted
The two state-linked companies are central to Iran’s sanctioned economy.
NITC, a subsidiary of the National Iranian Oil Company, is one of the Middle East’s largest tanker fleets with more than 46 vessels and a total annual capacity of 11 million tons. Its tankers, such as the Amber, Apama, Deep Sea, Fortune and Faxon, transport Iranian crude globally, often switching off tracking systems to evade sanctions.
IRISL, with a fleet of about 115 vessels, is Iran’s largest cargo operator and ranked the world’s 14th biggest shipping line by Alphaliner in 2022. Its ships, including Abyan, Avang, Parisan, Radin and Touska, have been sanctioned by the US, EU and UN for their role in supporting Iran’s nuclear and missile programs.
Both companies were sanctioned by the US Treasury in 2020 for aiding the Islamic Revolutionary Guard Corps’ Quds Force, the extraterrestrial wing of the IRGC.
This is not the first time Iranian shipping has been targeted. In March 2025, Lab-Dookhtegansaid it disrupted the communications of 116 vessels belonging to the same two firms. At the time, the group claimed the attack was timed to coincide with US operations against Iran-backed Houthis in Yemen.
US and European sanctions have already limited Iran’s access to advanced maritime technology, insurance, and international ports, leaving the fleets more exposed to cyber and physical threats.
Fanava Group, founded in 2003 and headquartered in Tehran, has yet to respond to requests for comment.
The cyberattack comes as Iran faces growing scrutiny of its shipping and oil-export networks. Western governments accuse Tehran of using its maritime fleet to mask oil sales to China and others, while also supplying weapons to proxy groups including Hezbollah and Yemen’s Houthis.
In the latest effort to stop Tehran's oil exports, the US sanctioned 13 companies and eight vessels over suspected ties to Iran, the Treasury Department said on Thursday.
