Iranian Hackers Target Middle East CNI in a Two-Year Attack

An Iranian state-sponsored threat group has been linked to a long-term intrusion into critical national infrastructure (CNI) in the Middle East, a campaign that lasted from May 2023 to February 2025. The operation involved extensive espionage and suspected pre-positioning within the victim's network, allowing the group to maintain persistent access for future operations, according to a report by FortiGuard Incident Response (FGIR).

The activity shows signs of being carried out by the Iranian threat group Lemon Sandstorm, also known as Rubidium, Parisite, Pioneer Kitten, and UNC757, which has been active since at least 2017. This group has targeted sectors including aerospace, oil and gas, water, and electricity across regions such as the U.S., the Middle East, Europe, and Australia. Previously, the group was connected to ransomware deployments against U.S. and Israeli entities, and it has exploited VPN security flaws in Fortinet, Pulse Secure, and Palo Alto Networks for initial access.

The Phases of the Attacks

Fortinet’s analysis revealed that the attack unfolded in four distinct phases:

  1. May 2023 – April 2024: The attacker established a foothold in the victim’s network, using stolen credentials to access SSL VPN systems, deploy web shells, and install backdoors like Havoc, HanifNet, and HXLibrary to maintain long-term access.
  2. April 2024 – November 2024: The group consolidated its access by planting more web shells and another backdoor, NeoExpressRAT, utilizing tools like plink and Ngrok for deeper network infiltration. They performed targeted exfiltration of victim emails and moved laterally to the virtualization infrastructure.
  3. November 2024 – December 2024: In response to containment efforts by the victim, the group deployed additional web shells and backdoors, including MeshCentral Agent and SystemBC.
  4. December 2024 – Present: The group attempted to infiltrate the network once again by exploiting Biotime vulnerabilities and using spear-phishing attacks to harvest Microsoft 365 credentials.

The cyberattack used a variety of tools, both custom and open-source, such as Havoc, a command-and-control (C2) framework; MeshCentral, a remote management software; and SystemBC, a commodity malware often used in ransomware attacks. Other tools employed include HanifNet, HXLibrary, NeoExpressRAT, and CredInterceptor, a DLL-based tool for harvesting credentials from Windows Local Security Authority Subsystem Service (LSASS) memory.

Fortinet noted that although the attacker targeted the victim’s Operational Technology (OT) network segment, no evidence suggests that the OT network itself was breached. The attack appears to have been carried out by multiple individuals, with evidence pointing to hands-on operations and consistent work patterns, suggesting a highly coordinated effort.

The attacker employed chained proxies and custom implants to bypass network segmentation and move laterally within the network. This allowed them to maintain access for an extended period, and Fortinet’s analysis indicates that the group may have first accessed the victim’s network as early as May 2021.