Article Details

Scrape Timestamp (UTC): 2025-05-03 09:36:23.200

Source: https://thehackernews.com/2025/05/iranian-hackers-maintain-2-year-access.html

Original Article Text


Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware

An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) entity in the Middle East that lasted nearly two years. The activity, which ran from at least May 2023 to February 2025, entailed "extensive espionage operations and suspected network prepositioning – a tactic often used to maintain persistent access for future strategic advantage," the FortiGuard Incident Response (FGIR) team said in a report.

The network security company noted that the attack exhibits tradecraft overlaps with a known Iranian nation-state threat actor called Lemon Sandstorm (formerly Rubidium), which is also tracked as Parisite, Pioneer Kitten, and UNC757. It has been assessed to be active since at least 2017, striking the aerospace, oil and gas, water, and electric sectors across the United States, the Middle East, Europe, and Australia.

According to industrial cybersecurity company Dragos, the adversary has leveraged known virtual private network (VPN) security flaws in Fortinet, Pulse Secure, and Palo Alto Networks products to obtain initial access. Last year, U.S. cybersecurity and intelligence agencies pointed fingers at Lemon Sandstorm for deploying ransomware against entities in the U.S., Israel, Azerbaijan, and the United Arab Emirates.

The attack analyzed by Fortinet against the CNI entity unfolded over four stages starting from May 2023, employing an evolving arsenal of tools as the victim enacted countermeasures -

It's worth noting that both Havoc and MeshCentral are open-source tools that function as a command-and-control (C2) framework and remote monitoring and management (RMM) software, respectively. SystemBC, on the other hand, is a commodity malware that often acts as a precursor to ransomware deployment.
A brief description of the custom malware families used in the attack is below -

The links to Lemon Sandstorm come from C2 infrastructure – apps.gist.githubapp[.]net and gupdate[.]net – previously flagged as associated with the threat actor's operations over the same period.

Fortinet said the victim's restricted Operational Technology (OT) network was a key target of the attack, based on the threat actor's extensive reconnaissance activity and their breach of a network segment hosting OT-adjacent systems. That said, there is no evidence that the adversary penetrated the OT network itself.

A majority of the malicious activity has been assessed to be hands-on-keyboard operations carried out by different individuals, given the command errors and the consistent work schedule. Furthermore, a deeper examination of the incident revealed that the threat actor may have had access to the network as early as 15 May 2021.

"Throughout the intrusion, the attacker leveraged chained proxies and custom implants to bypass network segmentation and move laterally within the environment," the company said. "In later stages, they consistently chained four different proxy tools to access internal network segments, demonstrating a sophisticated approach to maintaining persistence and avoiding detection."
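The two C2 domains above are published defanged. As an added example (not code from the article or from Fortinet), the Python below refangs such indicators and sweeps DNS query logs for them, counting a lookup as a hit only when the queried name equals the indicator or is a subdomain of it, so that a look-alike such as notgupdate.net is not a false positive. The three-field log layout (timestamp, source IP, queried name) and the sample lines are constructed for this example and are not from the report.

```python
import re

# Defanged C2 domains quoted in the article's account of the FortiGuard report.
DEFANGED_IOCS = ["apps.gist.githubapp[.]net", "gupdate[.]net"]

# Assumed log layout for this example: "<timestamp> <source-ip> <queried-name>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<qname>\S+)$")

# Constructed sample DNS query log (not real victim data).
SAMPLE_LOG = [
    "2023-05-15T03:12:44Z 10.20.4.17 apps.gist.githubapp.net.",   # exact match, trailing dot
    "2023-05-15T03:12:45Z 10.20.4.17 www.example.com",            # benign
    "2023-05-15T03:13:01Z 10.20.9.3 cdn.gupdate.net",             # subdomain of an IOC
    "2023-05-15T03:13:02Z 10.20.9.3 notgupdate.net",              # look-alike, must NOT match
    "2023-05-15T03:13:05Z 10.20.9.3 GUPDATE.NET",                 # case differs, still a match
    "malformed line",                                             # skipped
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', '(.)', '{.}', 'hxxp://') into a matchable domain."""
    ioc = ioc.strip().lower()
    ioc = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", ioc)
    ioc = re.sub(r"^hxxps?://", "", ioc)
    return ioc.rstrip(".")


def domain_matches(query: str, ioc: str) -> bool:
    """True if query is the IOC itself or a subdomain of it (checked on a label boundary)."""
    q = query.lower().rstrip(".")
    return q == ioc or q.endswith("." + ioc)


def find_c2_lookups(log_lines, defanged_iocs=DEFANGED_IOCS):
    """Return (timestamp, source, queried_name, matched_ioc) for every log line that hits an IOC."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        qname = m["qname"].lower().rstrip(".")
        for ioc in iocs:
            if domain_matches(qname, ioc):
                hits.append((m["ts"], m["src"], qname, ioc))
    return hits


if __name__ == "__main__":
    for ts, src, qname, ioc in find_c2_lookups(SAMPLE_LOG):
        print(f"{ts} {src} queried {qname} (matches IOC {ioc})")
```

The suffix check is done with a leading dot on purpose: a bare `endswith("gupdate.net")` would flag any registered name that merely ends in those characters. Given the report's note that access may date back to 15 May 2021, a sweep like this is worth running over as much historical DNS and proxy data as is retained, not just the window in which the intrusion was noticed.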

Daily Brief Summary

NATION STATE ACTIVITY // Iranian Hackers Exploit VPN Vulnerabilities in Multi-Year CNI Espionage

Iranian threat group utilized VPN flaws to infiltrate Middle Eastern critical national infrastructure for nearly two years.

The attack, which Fortinet links to the nation-state actor Lemon Sandstorm on the basis of tradecraft overlaps and shared C2 infrastructure, involved extensive intelligence gathering and prepositioning within the network.

FortiGuard Incident Response identified the attack as part of a long-term espionage campaign dating back to at least May 2023.

Tools used by the hackers included open-source command-and-control and remote management frameworks (Havoc, MeshCentral) and SystemBC, a commodity malware often seen as a precursor to ransomware deployment.

Lemon Sandstorm has previously targeted sectors like aerospace and energy in multiple regions, including the U.S. and Middle East.

The security breach allowed persistent internal access through chained proxies and custom malware, bypassing network segmentation.

Despite comprehensive reconnaissance, there was no evidence of penetration into the Operational Technology (OT) network.

Deeper examination revealed possible unauthorized network access dating as far back as 15 May 2021, highlighting how long such an intrusion can go undetected.