Skip to content
SPECIAL

THREATS TO CRITICAL INFRASTRUCTURE IN IRAN CONFLICT

READ MORE

The unwitting fleet

Iranian Navy exercise from 2011 (Mohammad Sadegh Heydari, Wikimedia Commons)

By Eva Prokofiev

Thousands of commercial and private vessels transit the world’s oceans daily, broadcasting positional data, transmitting communications through exploitable unencrypted satellite communications, and connecting to shoreside networks with minimal security. Adversaries do not need to build dedicated collection strategies when the commercial fleet functions as a distributed sensor network accessible to anyone with the technical capability and intent.

The concept is not new. During the Cold War, the Soviet Union equipped commercial fishing trawlers with SIGINT and ELINT equipment, stationing them off U.S. naval bases to photograph and report the arrival and departure of warships. These vessels – unremarkable in appearance and operating under legitimate commercial cover – functioned as auxiliary intelligence platforms. Today, the same logic applies at scale, except the commercial fleet no longer requires modification. The collection infrastructure is already installed.

In March 2025, a coordinated cyberattack disabled satellite communications across 116 vessels belonging to Iran’s state-owned shipping fleet. Ship-to-shore links failed. Automatic Identification System (AIS) tracking went dark. Voice communications were compromised. The attackers – a group known as Lab Dookhtegan – had not targeted vessels individually. Instead, they compromised Fanava Group, an Iranian satellite and IT provider, gaining root-level access to the Linux systems running VSAT terminals across the National Iranian Tanker Company (NITC) and Islamic Republic of Iran Shipping Lines (IRISL) fleets simultaneously. One provider, 116 vessels targeted, communications severed.

Read more at Center for International Maritime Security

Click to listen highlighted text!