Iranian Hackers Attacking Critical Infrastructure

An Iranian state-sponsored hacking group has been accused of cyber intrusions aimed at Critical National Infrastructure (CNI) in the Middle East over the last two years.

These attacks involved "extensive espionage operations and suspected network prepositioning, a tactic often used to maintain persistent access for future strategic advantage," according to the FortiGuard Incident Response team.

The campaign has persisted from at least May 2023 to February 2025, with some signs of compromise dating as far back as May 2021. 

Attackers initially gained access via stolen VPN credentials and established persistence through multiple web shells and backdoors, including Havoc, HanifNet, HXLibrary, and NeoExpressRAT. They bypassed network segmentation using open-source proxying tools like plink, Ngrok, glider proxy, and ReverseSocks5.

The FortiGuard investigation has produced evidence of a highly sophisticated program of attack, aimed at causing maximum disruption:-

  • The attack unfolded in waves, with the adversary deploying new malware and infrastructure over time. They used custom loaders to execute Havoc and SystemBC in memory.
  • In addition to publicly available tools, the adversary deployed novel backdoors such as HanifNet, HXLibrary, and NeoExpressRAT, enabling command execution, file operations, and system discovery.
  • The adversary avoided US-based infrastructure, instead relying on non-US VPS providers.
  • Persistence was maintained through scheduled tasks designed to blend in with legitimate Windows processes.
  • Virtualization infrastructure was actively targeted, with the adversary conducting reconnaissance to understand network configurations.
  • After containment efforts, the adversary attempted to regain access by exploiting ZKTeco ZKBioTime software vulnerabilities, which had not been previously reported in the wild. They also launched targeted phishing attacks, using compromised third-party emails to steal administrator credentials.

Fortinet researchers noted that the attack shares common characteristics with a known Iranian nation-state threat actor called Lemon Sandstorm, which is also known as Parisite, Pioneer Kitten and UNC757. Evidence suggests that this group has been active since at least 2017, striking aerospace, oil and gas, water, and electric sectors across the United States, the Middle East and Europe.

According to industrial cyber security company Dragos, the hackers used known virtual private network (VPN) security flaws in Fortinet, Pulse Secure, and Palo Alto Networks to obtain initial access. 

In particular, Dragos has identified that the Parisite threat group, operating at least since 2017, is targeting industrial organisations, including those in the oil and gas, water, electric, and gas sectors. These vulnerabilities are being used for initial access to networks and are a key part of the threat group's modus operandi.

The attack analysed by Fortinet unfolded over four stages starting from May 2023, employing an evolving arsenal of tools as the victim implemented several countermeasures:-

  • 15 May, 2023 – 29 April, 2024 - Establishing a foothold by using stolen login credentials to access the victim's SSL VPN system, drop web shells on public-facing servers, and deploy three backdoors, Havoc, HanifNet, and HXLibrary, for long-term access.
  • 30 April, 2024 – 22 November, 2024 - Consolidating the foothold by planting more web shells and an additional backdoor called NeoExpressRAT, using tools like plink and Ngrok to burrow deeper into the network, performing targeted exfiltration of the victim's emails, and conducting lateral movement to the virtualisation infrastructure.
  • 23 November, 2024 – 13 December, 2024 - Deploying more web shells and two more backdoors, MeshCentral Agent and SystemBC, in response to initial containment and remediation steps undertaken by the victim.
  • 14 December, 2024 – Present - Attempts to infiltrate the network continue by exploiting known vulnerabilities and spear-phishing attacks aimed at targeted employees to steal Microsoft 365 credentials.

Other custom malware families and open-source tools used in the attack included:

  • HanifNet - An unsigned .NET executable that can retrieve and execute commands from a C2 server (First deployed in August 2023).
  • HXLibrary - A malicious IIS module written in .NET that's designed to retrieve three identical text files hosted on Google Docs to fetch the C2 server and send web requests to it (First deployed in October 2023).
  • CredInterceptor - A DLL-based tool that can harvest credentials from the Windows Local Security Authority Subsystem Service process memory.
  • RemoteInjector - A loader component that's used to execute the next-stage payload like Havoc (First deployed in April 2024).
  • RecShell - A web shell used for initial reconnaissance (First deployed in April 2024).
  • NeoExpressRAT - A backdoor that retrieves a configuration from the C2 server and likely uses Discord for follow-on communications (First deployed in August 2024).
  • DropShell - A web shell with basic file upload capabilities (First deployed in November 2024).
  • DarkLoadLibrary - An open-source loader that's used to launch SystemBC (First deployed in December 2024).
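A defender-side check prompted by the HXLibrary entry above, which describes a malicious .NET IIS module. This is an added example, not code from Fortinet or the report: it audits a cut-down applicationHost.config for managed modules that are not on an expected baseline and for native modules loaded from outside the inetsrv directory. The sample config, the "SyncModule" and "TelemetryHelper" entries and the baseline set are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout IIS uses for applicationHost.config.
# "TelemetryHelper" and "SyncModule" are hypothetical stand-ins for the kind
# of out-of-place native DLL and unsigned managed (.NET) module described in
# the report; they are not the real artefacts.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="RequestFilteringModule" image="%windir%\\System32\\inetsrv\\modrqflt.dll" />
      <add name="TelemetryHelper" image="C:\\inetpub\\temp\\telemetry.dll" />
    </globalModules>
    <modules>
      <add name="Session" type="System.Web.SessionState.SessionStateModule" />
      <add name="SyncModule" type="SyncModule.HttpModule, SyncModule" />
    </modules>
  </system.webServer>
</configuration>
"""

# Managed module types the server is expected to load. In a real audit this
# baseline comes from a known-good server or golden image (assumption).
MANAGED_BASELINE = {"System.Web.SessionState.SessionStateModule"}
NATIVE_DIR = "%windir%\\system32\\inetsrv\\"


def audit_iis_modules(config_xml: str, managed_baseline=MANAGED_BASELINE):
    """Return (module name, reason) findings for modules outside the baseline."""
    root = ET.fromstring(config_xml)
    findings = []
    # Native modules: flag any DLL loaded from outside the inetsrv directory.
    for add in root.iterfind(".//globalModules/add"):
        image = add.get("image", "")
        if not image.lower().startswith(NATIVE_DIR):
            findings.append((add.get("name"), f"native module outside inetsrv: {image}"))
    # Managed modules carry a .NET "type"; flag any type not in the baseline.
    for add in root.iterfind(".//modules/add"):
        mtype = add.get("type")
        if mtype is None:
            continue  # plain reference to a native global module, handled above
        if mtype.split(",")[0].strip() not in managed_baseline:
            findings.append((add.get("name"), f"unexpected managed module type: {mtype}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_iis_modules(SAMPLE_CONFIG):
        print(f"[!] {name}: {reason}")
```

On a live server the same check can be run against %windir%\System32\inetsrv\config\applicationHost.config and each site's web.config, comparing against a baseline captured before the incident window.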

Fortinet said the victim's restricted Operational Technology (OT) network was a key target of the attack based on the threat actor's extensive reconnaissance activity and their breach of a network segment hosting OT-adjacent systems. That said, there is no evidence that the adversary penetrated the OT network.

A majority of the malicious activity has been assessed to be hands-on keyboard operations carried out by different individuals, given the command errors and the consistent work schedule.

Furthermore, a deeper examination of the incident has revealed that the threat actor may have had access to the network as early as 15 May 2021. "Throughout the intrusion, the attacker leveraged chained proxies and custom implants to bypass network segmentation and move laterally within the environment," Fortinet said.

"In later stages, they consistently chained four different proxy tools to access internal network segments, demonstrating a sophisticated approach to maintaining persistence and avoiding detection," Fortinet concluded.

Fortinet   |   CISA   |   Dragos   |    Hacker News   |   Hacker News  |   Broadcom  

Image: Ideogram
