Iranian APT Group Breaches Middle Eastern Critical Infrastructure in Stealth Campaign

The FortiGuard Incident Response team has unveiled a detailed report on a long-lasting state-sponsored cyber intrusion targeting critical infrastructure in the Middle East, attributed to an Iranian APT group known as Lemon Sandstorm. This stealth campaign has been active for nearly two years, employing sophisticated techniques to infiltrate and manipulate the infrastructure undetected. The findings emphasize the need for organizations to bolster defenses against such common attack strategies.

Key points:

  • FGIR reports a state-sponsored intrusion into critical infrastructure in the Middle East, linked to the Iranian APT group Lemon Sandstorm.
  • The intrusion is characterized by patient, methodical tactics, with operations spanning from May 2023 to the present.
  • Attackers gained access using compromised credentials and deployed multiple web shells and custom backdoors.
  • FGIR categorizes the operation into four phases: Initial Foothold, Consolidation, Adversary Response, and Containment Phase.
  • At least five novel malware families have been identified, including HanifNet and NeoExpressRAT.
  • The attackers modified legitimate web scripts to harvest credentials while maintaining operational stealth.
  • Adversaries attempted to re-enter networks during the containment phase through phishing and exploiting web servers.
  • The intrusion primarily affected on-premise servers, Microsoft Exchange, and a segmented operational technology (OT) network.
  • FGIR stresses the need for organizations to enhance their defenses against established cyber attack tactics for improved resilience.

Read More: https://securityonline.info/iranian-apt-group-breaches-middle-eastern-critical-infrastructure-in-stealth-campaign/