An Iranian state-sponsored hacking group has been blamed for a prolonged cyberattack on critical national infrastructure in the Middle East. The intrusion lasted almost two years, from May 2023 to February 2025.
According to a report by FortiGuard Incident Response (FGIR), the attackers were conducting espionage and pre-positioning inside the network for possible future operations. This kind of long-term access can give them a significant advantage later on.
The company said the attackers' methods overlap with those of a well-known Iranian group, Lemon Sandstorm, also tracked as Rubidium, Parisite, Pioneer Kitten, and UNC757.
The group has been active since at least 2017, targeting industries such as aerospace, oil and gas, water, and electricity in the U.S., the Middle East, Europe, and Australia. The cybersecurity company Dragos says the group gained access to networks by exploiting known vulnerabilities in VPN products from Fortinet, Pulse Secure, and Palo Alto Networks.
Last year, U.S. cybersecurity and intelligence agencies said that Lemon Sandstorm had used ransomware to attack organizations in the U.S., Israel, Azerbaijan, and the United Arab Emirates.
Fortinet analyzed an attack on a critical national infrastructure (CNI) organization that unfolded in four stages, starting in May 2023. Here's a simplified breakdown:
May 15, 2023 to April 29, 2024: the attackers broke in using stolen login credentials for the company's VPN. They installed web shells on public-facing servers and deployed three backdoors (Havoc, HanifNet, and HXLibrary) to maintain long-term access.
April 30 to November 22, 2024: they consolidated their access by adding more web shells and another backdoor (NeoExpressRAT). They used tools such as Plink and Ngrok to tunnel deeper into the network, steal emails, and move laterally to reach virtual machines.
November 23 to December 13, 2024: after the company attempted to contain them, the attackers responded by installing more web shells and two new backdoors (MeshCentral Agent and SystemBC).
December 14, 2024 to the present: after being evicted, the attackers tried to regain access by exploiting known vulnerabilities in Biotime software and by sending spear-phishing emails to 11 employees to steal their Microsoft 365 credentials.
It is worth noting that both Havoc and MeshCentral are open-source tools available to anyone. Havoc is a command-and-control framework used to remotely control compromised machines. SystemBC is a common piece of malware that is frequently deployed as a precursor to ransomware.
Here is a brief description of the custom malware and tools used in the attack:
HanifNet: first deployed in August 2023, a program that receives and executes commands from the attackers' control server.
HXLibrary: first deployed in October 2023, a hidden module added to a web server that reads three text files hosted on Google Docs to locate and communicate with the attackers' server.
CredInterceptor: first deployed in November 2023, a tool that steals usernames and passwords from the memory of a Windows security process.
RemoteInjector: first deployed in April 2024, a tool that launches the next malicious payload, such as Havoc.
RecShell: first deployed in April 2024, a basic tool placed on the server to explore the network in the early phase of the attack.
NeoExpressRAT: first deployed in August 2024, a stealthy backdoor that communicates with a control server and may use Discord to send or receive data.
DropShell: first deployed in November 2024, a simple tool that lets the attackers upload files to the infected system.
DarkLoadLibrary: first deployed in December 2024, an open-source loader used to launch the SystemBC malware.
Lemon Sandstorm has been linked to this attack because the control servers used, apps.gist.githubapp[.]net and gupdate[.]net, were also observed in the group's earlier activity during the same time period.
Fortinet said the attackers were mainly focused on the company's Operational Technology (OT) network, which controls physical systems such as machinery and equipment. The hackers spent a great deal of time studying the network and even reached a segment adjacent to the OT systems. However, there is no evidence that they actually got into the OT network itself.
Most of the hacking was carried out manually by several different operators, judging by typos in the commands and a regular working-hours pattern. A closer look suggests the attackers might have first entered the network as early as May 15, 2021.
Fortinet said the attackers used a series of chained proxy tools and custom malware to slip past network segmentation and move between different parts of the environment. In the later stages, they routinely chained four proxy tools together to reach deeper into the network, demonstrating skill at staying hidden and retaining access for a long time.
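As an added illustration that is not part of Fortinet's report, the following Python sweeps constructed DNS and process-execution logs for the two control-server domains named above and for hosts running more than one of the tunnelling tools the report says were chained (Plink, Ngrok); the host names, timestamps and log format are assumptions.

```python
import re
from collections import defaultdict

# Indicators quoted in the report summary above; the [.] defanging is removed for matching.
C2_DOMAINS = {"apps.gist.githubapp.net", "gupdate.net"}
# Tunnelling tools the report says were chained to reach deeper network segments.
PROXY_TOOLS = {"plink.exe", "ngrok.exe"}

# Constructed sample logs (hypothetical hosts and times), not data from the report.
DNS_LOG = """\
2024-06-01T09:12:03Z host=WEB01 query=apps.gist.githubapp.net
2024-06-01T09:12:07Z host=WEB01 query=cdn.example.com
2024-06-01T10:40:11Z host=JUMP02 query=gupdate.net
"""
PROC_LOG = """\
2024-06-01T09:15:00Z host=WEB01 image=C:\\Windows\\Temp\\plink.exe
2024-06-01T09:15:02Z host=WEB01 image=C:\\Windows\\Temp\\ngrok.exe
2024-06-01T09:20:00Z host=FS03 image=C:\\Windows\\System32\\notepad.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) (?P<key>query|image)=(?P<val>.+)$")

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def c2_hits(dns_log):
    """Return (host, domain) pairs for lookups of the report's control-server domains."""
    return sorted({(r["host"], r["val"].lower())
                   for r in parse(dns_log) if r["val"].lower() in C2_DOMAINS})

def proxy_chain_hosts(proc_log, min_tools=2):
    """Return hosts that ran at least min_tools distinct tunnelling tools (proxy chaining)."""
    seen = defaultdict(set)
    for r in parse(proc_log):
        name = r["val"].rsplit("\\", 1)[-1].lower()   # strip the directory part of the path
        if name in PROXY_TOOLS:
            seen[r["host"]].add(name)
    return sorted(h for h, tools in seen.items() if len(tools) >= min_tools)

if __name__ == "__main__":
    print("C2 lookups:", c2_hits(DNS_LOG))
    print("Proxy-chaining hosts:", proxy_chain_hosts(PROC_LOG))
```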