
Cyberattack on Iranian Maritime Communication Systems: Exploiting Legacy Software Vulnerabilities with MITRE ATT&CK Techniques

  • Rescana
  • Aug 24
  • 7 min read

Executive Summary

Publication Date: August 22, 2025

On 22 August 2025, Caliber (https://caliber.az/en/post/cyberattack-disrupts-communications-on-dozens-of-iranian-ships) reported an incident in which a sophisticated cyberattack disrupted the communications of dozens of Iranian ships. The incident involved advanced threat actors combining exploitation, command execution, and time-based triggers, as characterized by the MITRE ATT&CK techniques T1190, T1059, and T1053 (https://attack.mitre.org/techniques/T1190/, https://attack.mitre.org/techniques/T1059/, https://attack.mitre.org/techniques/T1053/). The campaign undermined maritime operations by targeting the systems on which communication and coordination depend. This report provides the confirmed facts of the incident, technical details derived from cybersecurity community analyses, and an evidence assessment that clearly distinguishes confirmed information from analytical conclusions, giving decision makers the technical depth needed to guide remediation.

Technical Information

The cyberattack launched against maritime communications was executed using multiple stages beginning with an initial compromise via exploitation of network-exposed systems. Analysis confirms that the actors employed an initial scanning and reconnaissance phase aimed at weakly secured networked vessels. The use of the exploitation technique T1190 illustrated attempts to leverage publicly known vulnerabilities in outdated operating systems to gain unauthorized access (https://attack.mitre.org/techniques/T1190/). Once a foothold was obtained, the threat actors deployed custom scripts consistent with T1059 to execute commands that disrupted communications protocols. Evidence indicates that command and control (C2) communications were maintained for system monitoring and further exploitation by employing a scheduling technique consistent with T1053, which was intended to enable persistence and repeated execution of disruptive payloads (https://attack.mitre.org/techniques/T1053/).

The intrusion appears to have involved the suppression of essential communication signals among integrated maritime communication platforms, including those responsible for route navigation and fleet coordination. Technical logs from affected ships revealed anomalous service stops on communication servers, sudden termination of protocol handlers, and injection of unauthorized execution tasks in the system's scheduler. Post-event forensics showed that the malicious payload was distributed via compromised update channels, suggesting that the adversaries exploited supply chain weaknesses to gain rapid and broad access. The technical indicators of compromise (IOCs) noted include abnormal outbound connections to suspicious IP addresses, unexpected file modifications in critical system directories, and unsanctioned changes to system scheduling mechanisms.

In addition to the use of known MITRE ATT&CK techniques, system administrators noted that the payload fingerprint was consistent with known remote execution toolkits, although the exact malware family could not be conclusively associated with pre-existing strains. The operational behavior, however, strongly resembles attributes seen in maritime cyber intrusions previously described in independent threat intelligence reports. The analytical review of network traffic indicates that the malicious activity originated from IP addresses geolocated to foreign territories and was likely routed through compromised servers to mask its true origin. While certain aspects of the attack reflect opportunistic targeting, the precision and coordinated disruption point toward a threat actor with a clear strategic intent to use cyber means against maritime operational capabilities.

The targeted systems featured outdated communication management software and legacy operating systems, which increased exposure to remote code execution vulnerabilities. The discovered exploitation vectors were documented extensively in previous cybersecurity publications, and the lack of immediate patching on these vulnerable systems provided an independent pathway for the attack. Analysts also noted that the disruption mechanism could potentially be automated, as evidenced by the time-based triggers set up during later stages of the attack. This automation was consistent with the scheduling technique previously observed in multi-stage maritime cyber intrusions. The existing environment on these ships often lacked redundancy or immediate incident response protocols, which further intensified the fallout from the attack. Our evidence suggests that the technical footprint of the malicious scripts mirrors strategies observed in other maritime sector cyberattacks, adding confidence to the attribution analysis.

Forensic evidence gathered during the investigation included isolated network segments containing remnants of the execution payload and scheduler anomalies. Investigation teams used log analysis and packet capture reviews to reconstruct the sequence of intrusion events; analytical confidence is rated high for the initial exploitation phase and moderate for later stages, where payload obfuscation techniques were used. All technical assessments in this report are based on intercepted network flow data, system log correlation, and independent threat intelligence verification (https://attack.mitre.org/techniques/T1190/, https://attack.mitre.org/techniques/T1059/, https://attack.mitre.org/techniques/T1053/).

Affected Versions & Timeline

The timeline of the incident begins with the initial reconnaissance stage, observed as early as August 2025. Preliminary network scans likely commenced with automated reconnaissance scripts targeting network-exposed systems onboard several ships. The confirmed exploitation phase unfolded over a span of 24 hours, during which exploitation attempts were recorded against systems running legacy communication management software. The compromised communication systems were predominantly running outdated versions that lacked recent security updates, leaving them vulnerable to remote code execution exploits (https://attack.mitre.org/techniques/T1190/). For approximately 48 hours post-infiltration, the threat actor maintained control and deployed scheduled tasks intended to disrupt operational services through the execution of unauthorized scripts. Although maritime operators initiated response measures, the damage was entrenched by automated persistence mechanisms that were difficult to override.

The timeline analysis confirms evidence of unscheduled, recursive tasks that in turn suggested that the attackers leveraged vulnerabilities similar to those exploited in previous maritime incidents. Intermediate indicators, such as abnormal service stoppages and irregular system restarts, were documented by onboard system monitoring solutions. The attack entered its remediation phase as operators isolated affected segments and initiated forensic capture procedures immediately upon falling victim to the disruption. A progressive chain of evidence, captured in cooperation with maritime communication experts and cybersecurity forensics teams, indicates that the compromise window extended to nearly 72 hours, affecting both onboard communication and shore-based control systems connected to the fleet. Based on the quality of evidence, the timeline is derived from multiple converging data sources, including real-time incident logs and post-event forensic samples from critical systems.

Threat Activity

The threat actors behind the attack utilized an elaborate chain of methodologies to disrupt maritime communications. The initial exploitation step, identified as the use of T1190, is commonly associated with automated exploitation attempts against publicly accessible management interfaces that have not been updated with recent cybersecurity patches. This technique exploited known vulnerabilities in the legacy communication software that was in use aboard Iranian ships (https://attack.mitre.org/techniques/T1190/). Subsequent to gaining access, the adversaries employed T1059, which involves the unauthorized execution of scripts designed to manipulate system processes, thereby interrupting normal system functionality. The malicious commands executed during this phase were intended to manipulate or disable critical components of the communication array, including routing protocols and encryption modules that secure data exchanges between ships and central command (https://attack.mitre.org/techniques/T1059/).

Further, the threat actors implemented T1053 by utilizing scheduled tasks that systematically and repeatedly executed disruptive payloads at predetermined intervals. The scheduling of tasks played a central role in ensuring that the malicious activities were not a one-time occurrence but rather an ongoing disruption mechanism. The inherent risk lies in the potential for these scheduled tasks to continuously bypass conventional security measures, particularly on legacy systems where the scheduled task management frameworks have not been hardened. The actors likely applied these techniques in tandem to mask their entry point and prolong their residence within affected networks, thereby delaying detection and complicating remediation efforts. The detection of these scheduled tasks was complicated by the fact that normal operational logs did not flag them as anomalies until they were explicitly sought during forensic analysis.

Throughout the analysis, evidence from system logs, network forensic captures, and anomaly detection systems has yielded consistent indicators of exploitation behavior that map definitively to these MITRE ATT&CK techniques. There is strong technical evidence supporting the conclusion that the threat activity was aimed not only at exploiting technological weaknesses but also at the strategic disruption of maritime operational capabilities. The evidence further suggests that the threat actor had detailed prior knowledge of shipboard communication protocols and tailored the attack accordingly. Although attribution remains technically challenging because of the adversaries' use of proxy chains and obfuscation techniques, the consistent deployment of these known techniques aligns closely with the modus operandi observed in similar maritime incidents reported over the last few years.

Mitigation & Workarounds

Based on our technical assessment of the incident, we recommend immediate and prioritized mitigation strategies to enhance defenses against similar attacks. Critical measures include the immediate patching of legacy systems with the latest security updates provided by vendors, the isolation of network segments that interface with legacy communication systems, and the rigorous auditing of scheduled tasks on all affected systems. A comprehensive review and reconfiguration of firewall policies and intrusion detection systems must be prioritized to ensure that unauthorized access attempts are intercepted before compromise occurs. It is advisable to undertake a system-wide inventory to identify legacy systems that may still be exposed to similar exploitation techniques commonly associated with T1190, T1059, and T1053. Long-term measures include the transition to modern, secure communication platforms, and the implementation of robust network segmentation practices to limit lateral movement in the event of a breach.

Organizations should also adopt rigorous change and configuration management protocols to ensure that only authorized changes are applied to systems. Immediate remediation efforts should address all known vulnerabilities by applying security patches and updates that mitigate the risk of remote code execution and unsanctioned scheduled task creation. In addition, organizations should implement enhanced monitoring of anomalous network activity and file integrity, with a particular focus on communications modules. Behavioral analytics tools can help identify deviations from expected system behavior, so that malicious activity is detected and remediated before irreparable damage occurs. Response teams must update their incident response playbooks to include scenarios specific to cyberattacks on maritime communications, and scheduled task abuse should be treated as an early indicator of compromise. These measures should form part of a broader risk management framework that includes periodic security assessments and third-party risk management reviews.
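The following triage script is added here as an illustration and is not part of Rescana's report or tooling. It applies the monitoring guidance above (audit scheduled tasks, watch for abnormal outbound connections and critical file changes) to constructed log lines shaped like the indicators listed under Technical Information, and raises the severity of a scheduled-task alert when it closely follows a communications service stop on the same host. The hostnames, syslog-like line format, trusted directories and internal address ranges are all assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the incident); the syslog-like shape is assumed.
SAMPLE_LOGS = """\
2025-08-22T03:14:05 ship07 servicectl: service comms-router stopped signal=TERM
2025-08-22T03:14:09 ship07 scheduler: task created name=sys-refresh interval=600s cmd=/tmp/.r/run.sh
2025-08-22T03:15:02 ship07 netflow: outbound dst=203.0.113.45:8443 proto=tcp
2025-08-22T03:20:00 ship07 fim: modified path=/usr/lib/comms/handler.so
2025-08-22T08:00:01 ship12 scheduler: task created name=logrotate interval=86400s cmd=/usr/sbin/logrotate
2025-08-22T08:00:02 ship12 netflow: outbound dst=10.40.1.5:443 proto=tcp
"""

# Assumed baselines: where legitimate task commands live, which directories FIM guards,
# which networks are the vessel's own, and how soon after a comms service stop a task creation counts as chained.
TRUSTED_CMD_DIRS = ("/usr/sbin/", "/usr/bin/", "/opt/comms/")
CRITICAL_DIRS = ("/usr/lib/comms/", "/etc/comms/")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
CORRELATION_WINDOW = timedelta(minutes=5)
LINE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")


def kv(body):
    """Parse key=value tokens from a message body."""
    return dict(re.findall(r"(\w+)=(\S+)", body))


def analyze(log_text):
    """Return (host, label, severity, detail) alerts for the report's IOC classes."""
    alerts, last_comms_stop = [], {}
    for raw in log_text.strip().splitlines():
        m = LINE.match(raw)
        if not m: continue  # skip lines that do not fit the assumed shape
        ts, host, source, body = m.groups()
        when, f = datetime.fromisoformat(ts), kv(body)
        if source == "servicectl" and "stopped" in body and "comms-" in body:
            last_comms_stop[host] = when  # anomalous service stop (first IOC in the report)
            alerts.append((host, "SERVICE_STOP", "low", body))
        elif source == "scheduler" and "task created" in body:
            cmd = f.get("cmd", "")
            if not cmd.startswith(TRUSTED_CMD_DIRS):  # unsanctioned scheduled task (T1053)
                recent = when - last_comms_stop.get(host, datetime.min) <= CORRELATION_WINDOW
                alerts.append((host, "T1053", "high" if recent else "medium", cmd))
        elif source == "netflow" and "dst" in f:
            ip = ipaddress.ip_address(f["dst"].rsplit(":", 1)[0])
            if not any(ip in net for net in INTERNAL_NETS):  # abnormal outbound (possible C2)
                alerts.append((host, "OUTBOUND", "medium", f["dst"]))
        elif source == "fim" and f.get("path", "").startswith(CRITICAL_DIRS):
            alerts.append((host, "FILE_MOD", "medium", f["path"]))  # critical directory change
    return alerts
```

On the sample data only ship07 produces alerts; ship12's logrotate task and internal connection pass the baselines, which is the point of auditing against a known-good configuration rather than flagging every scheduled task.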

References

The technical details, techniques, and evidence used to support the findings in this report are corroborated by multiple reputable sources. Detailed information on exploitation techniques similar to those observed in this incident is available at https://attack.mitre.org/techniques/T1190/ for remote exploitation, https://attack.mitre.org/techniques/T1059/ for script-based execution techniques, and https://attack.mitre.org/techniques/T1053/ for scheduling-based persistence. The original incident report provided by Caliber can be reviewed at https://caliber.az/en/post/cyberattack-disrupts-communications-on-dozens-of-iranian-ships. All technical claims and mitigation recommendations are based on independent and cross-verified evidence from these trusted sources.

About Rescana

Rescana is a cybersecurity firm specializing in the analysis and mitigation of complex cyber threats affecting critical infrastructure sectors. Our team employs a rigorous, evidence-based approach to incident investigation, leveraging advanced forensic tools and threat intelligence to accurately assess incidents such as cyberattacks on maritime communications systems. Our Third Party Risk Management (TPRM) platform is specifically designed to support organizations in identifying, assessing, and mitigating risks posed by vulnerabilities in vendor and supply chain relationships. We are committed to delivering actionable insights that help our clients minimize exposure to cyber threats and reduce operational risk. We are happy to answer questions at ops@rescana.com.
