The unwitting fleet
Thousands of commercial and private vessels transit the world’s oceans daily, broadcasting positional data, transmitting communications through exploitable unencrypted satellite communications, and connecting to shoreside networks with minimal security. Adversaries do not need to build dedicated collection strategies when the commercial fleet functions as a distributed sensor network accessible to anyone with the technical capability and intent.
The concept is not new. During the Cold War, the Soviet Union equipped commercial fishing trawlers with SIGINT and ELINT equipment, stationing them off U.S. naval bases to photograph and report the arrival and departure of warships. These vessels – unremarkable in appearance and operating under legitimate commercial cover – functioned as auxiliary intelligence platforms. Today, the same logic applies at scale, except the commercial fleet no longer requires modification. The collection infrastructure is already installed.
In March 2025, a coordinated cyberattack disabled satellite communications across 116 vessels belonging to Iran’s state-owned shipping fleet. Ship-to-shore links failed. Automatic Identification System (AIS) tracking went dark. Voice communications were compromised. The attackers – a group known as Lab Dookhtegan – had not targeted vessels individually. Instead, they compromised Fanava Group, an Iranian satellite and IT provider, gaining root-level access to the Linux systems running VSAT terminals across the National Iranian Tanker Company (NITC) and Islamic Republic of Iran Shipping Lines (IRISL) fleets simultaneously. One provider, 116 vessels targeted, communications severed.
Read more at Center for International Maritime Security