Iranian Hackers Attacking Critical Infrastructure

Uploaded on 2025-05-08 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, INTELLIGENCE-Hot Spots-Iran, INTELLIGENCE--International, FREE TO VIEW, BUSINESS-Production-Utilities, BUSINESS-Production-Energy

An Iranian state-sponsored hacking group has been accused of cyber intrusion aimed at Critical National Infrastructure (CNI) across the a Middle Eastern for over the last two years.

These attacks involved "extensive espionage operations and suspected network prepositioning, a tactic often used to maintain persistent access for future strategic advantage," according the Incident Response team at FortiGuard 

The campaign has persisted from at least May 2023 to February 2025, with some signs of compromise dating as far back as May 2021. 

Attackers initially gained access via stolen VPN credentials and established persistence through multiple web shells and backdoors, including Havoc, HanifNet, HXLibrary, and NeoExpressRAT. They bypassed network segmentation using open-source proxying tools like plink, Ngrok, glider proxy, and ReverseSocks5.

The FortiGuard investigation has produced evidence of a highly sophisticated program of attack, aimed at causing maximum disruption:-

  • The attack unfolded in waves, with the adversary deploying new malware and infrastructure over time. They used custom loaders to execute Havoc and SystemBC in memory.
  •  In addition to publicly available tools, the adversary deployed novel backdoors such as HanifNet, HXLibrary, and NeoExpressRAT, enabling command execution, file operations, and system discovery.
  • The adversary avoided US-based infrastructure, instead relying on non-U.S. VPS providers.
  • Persistence was maintained through scheduled tasks designed to blend in with legitimate Windows processes.
  • Virtualization infrastructure was actively targeted, with the adversary conducting reconnaissance to understand network configurations.
  • After containment efforts, the adversary attempted to regain access by exploiting ZKTeco ZKBioTime software vulnerabilities, which had not been previously reported in the wild. They also launched targeted phishing attacks, using compromised third-party emails to steal administrator credentials.

Fortinet researchers noted that the attack have common characteristics with a known Iranian nation-state threat actor called Lemon Sandstorm, which is also known as Parisite, Pioneer Kitten and UNC757. Evidence suggests that this group has been active since at 2017, striking aerospace, oil and gas, water, and electric sectors across the United States, the Middle East and Europe. 

According to industrial cyber security company Dragos, the hackers used known virtual private network (VPN) security flaws in Fortinet, Pulse Secure, and Palo Alto Networks to obtain initial access. 

In particular, Dragos has identified that the Parisite threat group, operating at least since 2017, is targeting industrial organisations, including those in the oil and gas, water, electric, and gas sectors. These vulnerabilities are being used for initial access to networks and are a key part of the threat group's modus operandi.

The attack analysed by Fortinet against unfolded over four stages starting from May 2023, employing an evolving arsenal of tools as the victim implemented several countermeasures:- 

  • 15 May, 2023 – 29 April, 2024 - Establishing a foothold by using stolen login credentials to access the victim's SSL VPN system, drop web shells on public-facing servers, and deploy three backdoors, Havoc, HanifNet, and HXLibrary, for long-term access.
  • 30 April, 2024 – 22 November, 2024 - Consolidating the foothold by planting more web shells and an additional backdoor called NeoExpressRAT, using tools like plink and Ngrok to burrow deeper into the network, performing targeted exfiltration of the victim's emails, and conducting lateral movement to the virtualisation infrastructure.
  • 23 November, 2024 – 13 December, 2024 - Deploying more web shells and two more backdoors, MeshCentral Agent and SystemBC, in response to initial containment and remediation steps undertaken by the victim.
  • 14 December, 2024 – Present - Attempts to infiltrate the network continue by exploiting known  vulnerabilities and spear-phishing attacks aimed at targeted  employees to steal Microsoft 365 credentials.

Other custom malware families and open-source tools used in the attack included:

  • HanifNet - An unsigned .NET executable that can retrieve and execute commands from a C2 server (First deployed in August 2023).
  • HXLibrary - A malicious IIS module written in .NET that's designed to retrieve three identical text files hosted on Google Docs to fetch the C2 server and send web requests to it (First deployed in October 2023).
  • CredInterceptor - A DLL-based tool that can harvest credentials from the Windows Local Security Authority Subsystem Service process memory.
  • RemoteInjector - A loader component that's used to execute the next-stage payload like Havoc (First deployed in April 2024).
  • RecShell - A web shell used for initial reconnaissance (First deployed in April 2024.
  • NeoExpressRAT - A backdoor that retrieves a configuration from the C2 server and likely uses Discord for follow-on communications (First deployed in August 2024).
  • DropShell - A web shell with basic file upload capabilities (First deployed in November 2024).
  • DarkLoadLibrary - An open-souce loader that's used to launch SystemBC (First deployed in December 2024).

Fortinet said the victim's restricted Operational Technology (OT) network was a key target of the attack based on the threat actor's extensive reconnaissance activity and their breach of a network segment hosting OT-adjacent systems. That said, there is no evidence that the adversary penetrated the OT network.A majority of the malicious activity has been assessed to be hands-on keyboard operations carried out by different individuals, given the command errors and the consistent work schedule.

Furthermore, a deeper examination of the incident has revealed that the threat actor may have had access to the network as early as 15 May 2021."Throughout the intrusion, the attacker leveraged chained proxies and custom implants to bypass network segmentation and move laterally within the environment," Fortinet said. 

"In later stages, they consistently chained four different proxy tools to access internal network segments, demonstrating a sophisticated approach to maintaining persistence and avoiding detection." Fortinet conclude.

Fortinet   |   CISA   |   Dragos   |    Hacker News   |   Hacker News  |   Broadcom  

Image: Ideogram

You Might Also Read:

Chinese Hackers Exploiting Ivanti Connect Secure Vulnerability:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 






 

« The Seven Pillars Of MLops
Anti-Ransomware Day 2025 »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Virus Bulletin

Virus Bulletin

Virus Bulletin is an online security information portal and certification body, providing users with independent intelligence about the latest developments in the global threat landscape.

BSA - The Software Alliance

BSA - The Software Alliance

BSA is the leading advocate for the global software industry before governments and in the international marketplace.

AGAT Software

AGAT Software

AGAT Software is an innovative security provider specializing in external access authentication and data protection solutions.

Baffle

Baffle

Baffle is pioneering a solution that makes data breaches irrelevant by keeping data encrypted from production through processing.

Cyanre

Cyanre

Cyanre delivers state of the art cyber forensic services through software technologies and procedures that exceed conformities of major law enforcement agencies across the globe.

Cellopoint

Cellopoint

Cellopoint is a leading manufacturer of information security and email lifecycle management (ELM) products.

ST Engineering

ST Engineering

ST Engineering is a leading provider of trusted and innovative cybersecurity solutions.

SurePassID

SurePassID

SurePassID is a provider of highly secure, highly extensible multi-factor authentication (MFA) solutions.

VirtualArmour

VirtualArmour

VirtualArmour is a managed security services provider with global reach and local attitude.

Futurae Technologies

Futurae Technologies

Futurae - enabling trust and invisible security for your users on all devices and applications. Strong customer authentication (SCA) made easy.

Cyrebro

Cyrebro

CYREBRO is your online cybersecurity central command managed SOC that integrates all your security events with strategic monitoring, proactive threat intelligence, and rapid incident response.

SyberFort

SyberFort

SyberFort offers a suite of SAAS-based platforms designed to fortify your digital defenses including Threat Intelligence and Brand Protection.

Edera

Edera

Edera is changing the way containers are run and secured, making isolation a reality and fundamentally transforming computing in the process.

Silicon Valley Cybersecurity Institute (SVCSI)

Silicon Valley Cybersecurity Institute (SVCSI)

SVCSI aims to investigate, develop, and promote technical excellence and the best security practices for dependable and secure systems and applications.

OryxAlign

OryxAlign

OryxAlign offer managed IT and cyber security, cloud and digital transformation, and tailored professional and consulting services.

MineOS

MineOS

MineOS aligns compliance with business growth. We designed our platform so that privacy compliance efforts directly benefit other teams and initiatives.