Iranian Hackers Attacking Critical Infrastructure
An Iranian state-sponsored hacking group has been accused of cyber intrusions aimed at Critical National Infrastructure (CNI) across the Middle East over the last two years.
These attacks involved "extensive espionage operations and suspected network prepositioning, a tactic often used to maintain persistent access for future strategic advantage," according to the FortiGuard Incident Response team.
The campaign has persisted from at least May 2023 to February 2025, with some signs of compromise dating as far back as May 2021.
Attackers initially gained access via stolen VPN credentials and established persistence through multiple web shells and backdoors, including Havoc, HanifNet, HXLibrary, and NeoExpressRAT. They bypassed network segmentation using open-source proxying tools like plink, Ngrok, glider proxy, and ReverseSocks5.
The FortiGuard investigation has produced evidence of a highly sophisticated program of attack, aimed at causing maximum disruption:
- The attack unfolded in waves, with the adversary deploying new malware and infrastructure over time. They used custom loaders to execute Havoc and SystemBC in memory.
- In addition to publicly available tools, the adversary deployed novel backdoors such as HanifNet, HXLibrary, and NeoExpressRAT, enabling command execution, file operations, and system discovery.
- The adversary avoided US-based infrastructure, instead relying on non-U.S. VPS providers.
- Persistence was maintained through scheduled tasks designed to blend in with legitimate Windows processes.
- Virtualization infrastructure was actively targeted, with the adversary conducting reconnaissance to understand network configurations.
- After containment efforts, the adversary attempted to regain access by exploiting ZKTeco ZKBioTime software vulnerabilities, which had not been previously reported in the wild. They also launched targeted phishing attacks, using compromised third-party emails to steal administrator credentials.
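The report notes that persistence was maintained through scheduled tasks designed to blend in with legitimate Windows processes. The following is an added example (not code from the page or from Fortinet) of how a defender can audit exported scheduled-task XML for the tell-tale signs of that technique: a task registered under the `\Microsoft\` folder whose author is not Microsoft, an action binary living outside the Windows or Program Files trees, or a built-in launcher such as `powershell.exe` pointed at a script in a user-writable directory. The task definitions and heuristics below are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace used by Task Scheduler XML exports (schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a SYSTEM-level task is normally expected to launch from.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# User-writable or per-user locations frequently used by planted tasks.
SUSPECT_DIRS = ("c:\\programdata\\", "c:\\users\\", "\\temp\\", "\\appdata\\")
# Built-in binaries commonly used to launch a payload indirectly.
LOLBINS = {"powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"}
# Minimal environment-variable expansion (assumed defaults, not read from a live host).
ENV = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows", "%programdata%": "c:\\programdata"}

# Constructed sample task definitions keyed by task path; none are from the incident.
TASKS = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec>
  </Actions>
</Task>""",
    r"\Microsoft\Windows\UpdateOrchestrator\UpdateHealth": r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WEB01\User</Author></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -File C:\ProgramData\Microsoft\health.ps1</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"\Adobe Update": r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WEB01\Admin</Author></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>C:\ProgramData\Adobe\update.exe</Command></Exec>
  </Actions>
</Task>""",
}


def expand(path: str) -> str:
    """Lower-case a command path, strip quotes and expand the few variables we know."""
    low = path.strip().strip('"').lower()
    for var, val in ENV.items():
        low = low.replace(var, val)
    return low


def analyse_task(task_path: str, xml_text: str) -> list[str]:
    """Return a list of human-readable findings for one task definition."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS) or ""
    # A task filed under \Microsoft\ but not authored by Microsoft is trying to blend in.
    if task_path.lower().startswith("\\microsoft\\") and "microsoft" not in author.lower():
        findings.append(f"non-Microsoft author '{author}' under the \\Microsoft\\ task folder")
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = expand(exe.findtext("t:Command", default="", namespaces=NS) or "")
        args = (exe.findtext("t:Arguments", default="", namespaces=NS) or "").lower()
        has_dir = "\\" in cmd  # a bare name is resolved via PATH, so skip the path test
        if any(s in cmd for s in SUSPECT_DIRS) or (has_dir and not cmd.startswith(TRUSTED_DIRS)):
            findings.append(f"action binary outside trusted directories: {cmd}")
        if PureWindowsPath(cmd).name in LOLBINS and (
            any(s in args for s in SUSPECT_DIRS) or "-enc" in args or "hidden" in args
        ):
            findings.append(f"{PureWindowsPath(cmd).name} launching a payload from a user-writable path or hidden/encoded")
    return findings


def scan(tasks: dict[str, str]) -> dict[str, list[str]]:
    """Audit every task and return only those with findings."""
    results = {path: analyse_task(path, xml) for path, xml in tasks.items()}
    return {path: f for path, f in results.items() if f}


if __name__ == "__main__":
    for path, findings in scan(TASKS).items():
        print(path)
        for f in findings:
            print("   ", f)
```

On a live host the same logic runs over the output of `schtasks /query /xml` or the files under `C:\Windows\System32\Tasks`; the point of the heuristics is that the task name alone is worthless as a signal, so the check keys on author, binary location and launcher arguments instead.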
Fortinet researchers noted that the attack shares common characteristics with a known Iranian nation-state threat actor called Lemon Sandstorm, which is also known as Parisite, Pioneer Kitten and UNC757. Evidence suggests that this group has been active since at least 2017, striking aerospace, oil and gas, water, and electric sectors across the United States, the Middle East and Europe.
According to industrial cyber security company Dragos, the hackers used known virtual private network (VPN) security flaws in Fortinet, Pulse Secure, and Palo Alto Networks to obtain initial access.
In particular, Dragos has identified that the Parisite threat group, operating at least since 2017, is targeting industrial organisations, including those in the oil and gas, water, electric, and gas sectors. These vulnerabilities are being used for initial access to networks and are a key part of the threat group's modus operandi.
The attack analysed by Fortinet unfolded over four stages starting from May 2023, employing an evolving arsenal of tools as the victim implemented several countermeasures:
- 15 May, 2023 – 29 April, 2024 - Establishing a foothold by using stolen login credentials to access the victim's SSL VPN system, drop web shells on public-facing servers, and deploy three backdoors, Havoc, HanifNet, and HXLibrary, for long-term access.
- 30 April, 2024 – 22 November, 2024 - Consolidating the foothold by planting more web shells and an additional backdoor called NeoExpressRAT, using tools like plink and Ngrok to burrow deeper into the network, performing targeted exfiltration of the victim's emails, and conducting lateral movement to the virtualisation infrastructure.
- 23 November, 2024 – 13 December, 2024 - Deploying more web shells and two more backdoors, MeshCentral Agent and SystemBC, in response to initial containment and remediation steps undertaken by the victim.
- 14 December, 2024 – Present - Attempts to infiltrate the network continue by exploiting known vulnerabilities and spear-phishing attacks aimed at targeted employees to steal Microsoft 365 credentials.
Other custom malware families and open-source tools used in the attack included:
- HanifNet - An unsigned .NET executable that can retrieve and execute commands from a C2 server (First deployed in August 2023).
- HXLibrary - A malicious IIS module written in .NET that's designed to retrieve three identical text files hosted on Google Docs to fetch the C2 server and send web requests to it (First deployed in October 2023).
- CredInterceptor - A DLL-based tool that can harvest credentials from the Windows Local Security Authority Subsystem Service process memory.
- RemoteInjector - A loader component that's used to execute the next-stage payload like Havoc (First deployed in April 2024).
- RecShell - A web shell used for initial reconnaissance (First deployed in April 2024).
- NeoExpressRAT - A backdoor that retrieves a configuration from the C2 server and likely uses Discord for follow-on communications (First deployed in August 2024).
- DropShell - A web shell with basic file upload capabilities (First deployed in November 2024).
- DarkLoadLibrary - An open-source loader that's used to launch SystemBC (First deployed in December 2024).
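HXLibrary is described above as a malicious IIS module written in .NET. Because IIS modules are registered in `applicationHost.config`, a baseline audit of that file is a practical check for this class of implant. The following is an added example, not code from the page or from Fortinet: it parses a constructed `applicationHost.config` fragment and flags native modules whose DLL lives outside the IIS and .NET directories, managed modules whose type does not come from a Microsoft assembly, and pipeline entries that reference no registered native module. The module names and paths in the sample are invented for illustration, and the trusted-prefix lists are assumptions to be tuned against a known-good server.

```python
import xml.etree.ElementTree as ET

# Native (unmanaged) module images are expected under these prefixes (assumed baseline).
NATIVE_TRUSTED = ("%windir%\\system32\\inetsrv\\", "%windir%\\microsoft.net\\")
# Managed module types shipped with ASP.NET / IIS start with these namespaces (assumed baseline).
MANAGED_TRUSTED_PREFIXES = ("system.web.", "microsoft.")

# Constructed applicationHost.config fragment; module names and paths are illustrative only.
APPHOST = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="HttpCompat" image="C:\inetpub\wwwroot\bin\httpcompat.dll" />
    </globalModules>
    <modules>
      <add name="UriCacheModule" lockItem="true" />
      <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
      <add name="RequestFilter" type="Filter.RequestModule, Filter" preCondition="managedHandler" />
    </modules>
  </system.webServer>
</configuration>
"""


def audit_iis_modules(xml_text: str) -> list[tuple[str, str]]:
    """Return (module name, reason) pairs for every registered module that deviates from the baseline."""
    root = ET.fromstring(xml_text)
    findings: list[tuple[str, str]] = []
    native: dict[str, str] = {}

    # <globalModules> lists native DLLs loaded into every worker process.
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            native[name] = image
            if not image.lower().startswith(NATIVE_TRUSTED):
                findings.append((name, f"native module image outside IIS/.NET directories: {image}"))

    # <modules> enables modules in the pipeline; managed ones carry a .NET type attribute.
    for mods in root.iter("modules"):
        for add in mods.findall("add"):
            name, typ = add.get("name", ""), add.get("type")
            if typ is None:
                # Native module enabled by name only; it must exist in <globalModules>.
                if name not in native:
                    findings.append((name, "pipeline entry references no registered native module"))
                continue
            if not typ.lower().startswith(MANAGED_TRUSTED_PREFIXES):
                findings.append((name, f"managed module from a non-Microsoft assembly: {typ}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_iis_modules(APPHOST):
        print(f"{name}: {reason}")
```

In practice the file is `%windir%\System32\inetsrv\config\applicationHost.config`, and per-site `web.config` files can register managed modules as well, so the same walk should be applied to each of them; diffing the result against a golden copy taken at build time catches additions regardless of how innocuous the module name looks.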
Fortinet said the victim's restricted Operational Technology (OT) network was a key target of the attack based on the threat actor's extensive reconnaissance activity and their breach of a network segment hosting OT-adjacent systems. That said, there is no evidence that the adversary penetrated the OT network. A majority of the malicious activity has been assessed to be hands-on keyboard operations carried out by different individuals, given the command errors and the consistent work schedule.
Furthermore, a deeper examination of the incident has revealed that the threat actor may have had access to the network as early as 15 May 2021. "Throughout the intrusion, the attacker leveraged chained proxies and custom implants to bypass network segmentation and move laterally within the environment," Fortinet said.
"In later stages, they consistently chained four different proxy tools to access internal network segments, demonstrating a sophisticated approach to maintaining persistence and avoiding detection," Fortinet concluded.
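The report repeatedly stresses chained proxy tools (plink, Ngrok, glider proxy, ReverseSocks5) used to cross network segments. The following is an added example, not code from the page or from Fortinet, of detection logic a SOC could run over Sysmon-style process-creation records: it recognises the tunnelling tools by the PE's original file name so that a renamed copy is still caught, flags command lines that turn the tool into a listener or port forwarder, and raises a separate finding when several distinct tunnelling tools appear on one host within a short window, which is what assembling a proxy chain looks like from the endpoint. The event records, the ten-minute window and the token list are constructed assumptions.

```python
import json
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tunnelling / proxying tools named in the report, matched on the executable stem.
TUNNEL_TOOLS = {"plink", "ngrok", "glider", "reversesocks5"}
# Command-line tokens that turn these tools into a forwarder or listener (assumed list).
FORWARD_TOKENS = {"-r", "-l", "-d", "tcp", "http", "-listen", "-forward"}
WINDOW = timedelta(minutes=10)  # assumed correlation window for chain detection

# Constructed Sysmon-style Event ID 1 records as JSON lines; not data from the incident.
EVENTS = r"""
{"UtcTime": "2024-11-25 09:01:10", "Computer": "WEB01", "Image": "C:\\Windows\\Temp\\svchost.exe", "OriginalFileName": "Plink", "CommandLine": "svchost.exe -N -R 0.0.0.0:8443:10.10.5.20:3389 user@203.0.113.7"}
{"UtcTime": "2024-11-25 09:04:30", "Computer": "WEB01", "Image": "C:\\ProgramData\\ngrok.exe", "OriginalFileName": "ngrok", "CommandLine": "ngrok.exe tcp 3389"}
{"UtcTime": "2024-11-25 09:06:00", "Computer": "WEB01", "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe"}
{"UtcTime": "2024-11-25 14:20:00", "Computer": "DC01", "Image": "C:\\Program Files\\PuTTY\\plink.exe", "OriginalFileName": "Plink", "CommandLine": "plink.exe -batch admin@10.0.0.5 uptime"}
"""


def stem(name: str) -> str:
    """Lower-cased file name without extension, e.g. 'C:\\x\\Plink.exe' -> 'plink'."""
    return PureWindowsPath(name).stem.lower()


def parse(lines: str) -> list[dict]:
    """Load JSON-lines events and attach a parsed timestamp."""
    events = [json.loads(line) for line in lines.strip().splitlines() if line.strip()]
    for ev in events:
        ev["_time"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
    return events


def detect(events: list[dict]) -> dict[str, list[str]]:
    """Return findings per host; hosts with only benign-looking use of the tools are omitted."""
    findings: dict[str, list[str]] = {}
    seen: dict[str, list[tuple[datetime, str]]] = {}
    for ev in events:
        host = ev["Computer"]
        on_disk, original = stem(ev["Image"]), stem(ev.get("OriginalFileName", ""))
        # Prefer the PE header's original name so a renamed binary is still recognised.
        tool = original if original in TUNNEL_TOOLS else (on_disk if on_disk in TUNNEL_TOOLS else None)
        if tool is None:
            continue
        seen.setdefault(host, []).append((ev["_time"], tool))
        if on_disk != original:
            findings.setdefault(host, []).append(f"renamed tunnelling binary: {ev['Image']} is really {tool}")
        tokens = {t.lower() for t in ev["CommandLine"].split()}
        if tokens & FORWARD_TOKENS:
            findings.setdefault(host, []).append(f"{tool} started with forwarding/listener options: {ev['CommandLine']}")
    # Several different tunnelling tools on one host in a short window: a proxy chain being assembled.
    for host, runs in seen.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):
            tools = {tool for t, tool in runs[i:] if t - t0 <= WINDOW}
            if len(tools) >= 2:
                findings.setdefault(host, []).append(
                    f"{len(tools)} distinct tunnelling tools within {WINDOW}: {', '.join(sorted(tools))}"
                )
                break
    return findings


if __name__ == "__main__":
    for host, items in detect(parse(EVENTS)).items():
        print(host)
        for item in items:
            print("   ", item)
```

The DC01 record shows why the logic is tiered: a correctly named plink run by an administrator with no forwarding options produces no alert, while WEB01, where a renamed plink opens a reverse forward and ngrok exposes RDP minutes later, produces four. Feeding the same function from an EDR or SIEM export instead of the inline sample is a matter of mapping the field names.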
Fortinet | CISA | Dragos | Hacker News | Hacker News | Broadcom