Iranian Hackers Maintain Two-Year Access to Middle East CNI Through VPN Vulnerabilities and Malware

By jinia


A state-sponsored Iranian hacking group has been linked to a prolonged cyber intrusion targeting critical national infrastructure (CNI) in the Middle East. The breach lasted nearly two years, from May 2023 to February 2025, and involved extensive espionage and suspected network prepositioning, a tactic used to secure long-term access for later strategic use, according to FortiGuard Incident Response (FGIR).


This attack shares overlapping tradecraft with the notorious Iranian threat group Lemon Sandstorm (previously known as Rubidium, Parisite, Pioneer Kitten, and UNC757), which has been active since at least 2017. Lemon Sandstorm has previously targeted various sectors, including aerospace, oil, gas, water, and energy, across the U.S., Middle East, Europe, and Australia. Notably, the group has exploited security flaws in widely used VPN products from Fortinet, Pulse Secure, and Palo Alto Networks to gain initial access.


Stages of the Attack

Fortinet's investigation into the attack against the CNI entity uncovered a series of systematic phases:

  1. May 15, 2023 – April 29, 2024: The attackers established a foothold by leveraging stolen login credentials to access the victim’s SSL VPN system. They deployed web shells on public-facing servers and installed three backdoors—Havoc, HanifNet, and HXLibrary—for long-term access.
  2. April 30, 2024 – November 22, 2024: The attackers consolidated their access by adding more web shells and the NeoExpressRAT backdoor. Tools like plink and Ngrok were used to penetrate deeper into the network, exfiltrating sensitive data, including victim emails, and moving laterally into the virtualization infrastructure.
  3. November 23, 2024 – December 13, 2024: Following containment measures by the victim, the attackers deployed additional backdoors and web shells, including MeshCentral Agent and SystemBC, to re-establish access.
  4. December 14, 2024 – Present: The group attempted a second infiltration, exploiting vulnerabilities in Biotime software (CVE-2023-38950, CVE-2023-38951, CVE-2023-38952) and launching spear-phishing campaigns targeting 11 employees to harvest Microsoft 365 credentials.


Custom Malware and Tools Used in the Attack

The Iranian hackers deployed a range of custom and open-source malware to maintain their foothold:

  • Havoc: A command-and-control (C2) framework used for remote monitoring.
  • HanifNet: A .NET executable that facilitates communication with C2 servers.
  • HXLibrary: A malicious IIS module designed to send web requests to the C2 server.
  • NeoExpressRAT: A backdoor for retrieving configurations from the C2 server, possibly using Discord for communications.
  • SystemBC: A commodity malware often associated with ransomware deployment.
  • MeshCentral Agent: A tool for remote management used to maintain persistence.
  • CredInterceptor: A DLL-based tool designed to harvest credentials from Windows memory.
  • RemoteInjector: A loader used to execute subsequent payloads.


Notably, MeshCentral and Havoc are open-source tools often used in state-sponsored cyber campaigns. Meanwhile, SystemBC is commonly linked to ransomware operations.


Tactical Approach and Persistence

Fortinet’s analysis reveals that the Iranian hackers exhibited a sophisticated approach to maintaining persistent access throughout the attack. They used chained proxies and custom implants to bypass network segmentation and move laterally within the victim’s environment. This level of complexity and persistence demonstrates the group’s advanced capabilities.


Despite extensive reconnaissance and the breach of systems adjacent to the operational technology (OT) network, there is no evidence suggesting that the attackers penetrated the OT network itself.


Implications for CNI and Future Threats

This attack underscores the growing sophistication of nation-state cyber actors targeting critical infrastructure globally. As intrusions increasingly combine known vulnerabilities with advanced tradecraft, organizations must strengthen their security posture to prevent such incursions. This includes patching and hardening VPN infrastructure, monitoring for suspicious lateral movement, and deploying enhanced detection tools.


As cybersecurity threats continue to evolve, leveraging advanced network monitoring, threat intelligence, and rapid incident response measures will be essential in defending against such persistent and evolving attacks.