Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware

A state-sponsored Iranian threat group has been linked to a persistent intrusion into critical national infrastructure in the Middle East that lasted from May 2023 to February 2025. The operation combined extensive espionage with long-term persistence, keeping access in reserve for future strategic leverage, and its tradecraft overlaps with the group tracked as Lemon Sandstorm. Affected: Critical National Infrastructure (CNI) in the Middle East

Key points:

  • The intrusion began with stolen credentials used to authenticate to the victim's SSL VPN, then progressed through several stages of persistence and lateral movement.
  • Backdoors and post-exploitation tools, including Havoc, HanifNet, and NeoExpressRAT, were deployed over the course of the intrusion.
  • Known VPN vulnerabilities were also used for initial access; the group's broader targeting covers sectors such as aerospace, oil and gas, and electric utilities.
  • After losing access, the attackers tried to re-enter by exploiting vulnerabilities in exposed systems and by spear-phishing employees to harvest credentials.
  • Operators chained proxies to reach internal hosts and worked hands-on-keyboard, indicating a well-organized team rather than automated tooling.
  • The Operational Technology (OT) network was extensively reconnoitred and targeted, but there is no evidence that the OT environment itself was compromised.
  • The malware set mixed custom families (HanifNet, HXLibrary) with commodity tooling (SystemBC), each used at a different stage of the operation.
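
The two entry points above, stolen credentials replayed against the SSL VPN and proxy-chained operator traffic, both leave a trace in VPN authentication logs. The script below is an added example written for this summary, not code from the article or from the incident responders; the log format and the sample lines are constructed, and the two checks it runs are generic heuristics: a successful login from a /24 the account has never authenticated from during a baseline window, and a single source IP that successfully authenticates as several different users (what a shared proxy exit looks like from the VPN's side).

```python
"""Flag suspicious SSL VPN logins in a constructed log sample.

Added example, not part of the original article. The log line format is an
assumption; real appliances differ, so adapt LINE_RE to your own export.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (RFC 5737 test addresses), not real incident data.
# The 2023-05-10 entries model a stolen-credential login followed by a second
# account authenticating from the same (proxy) source address.
SAMPLE_LOGS = """
2023-05-01T08:02:11Z vpn-auth user=alice src=203.0.113.10 result=success
2023-05-02T08:05:40Z vpn-auth user=alice src=203.0.113.10 result=success
2023-05-03T09:10:02Z vpn-auth user=bob src=198.51.100.7 result=success
2023-05-04T08:01:30Z vpn-auth user=carol src=203.0.113.22 result=success
2023-05-10T02:14:09Z vpn-auth user=alice src=192.0.2.45 result=failure
2023-05-10T02:14:31Z vpn-auth user=alice src=192.0.2.45 result=success
2023-05-10T02:40:12Z vpn-auth user=bob src=192.0.2.45 result=success
2023-05-11T08:03:00Z vpn-auth user=carol src=203.0.113.22 result=success
"""

# Assumed line layout: "<ISO timestamp> vpn-auth user=<u> src=<ip> result=<r>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Baseline window ends here; logins at or after this instant are evaluated.
CUTOFF = datetime(2023, 5, 8)


def parse_logs(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": ipaddress.ip_address(m["src"]),
            "ok": m["result"] == "success",
        })
    return events


def network_of(ip):
    """Collapse an address to its /24 (or /64 for IPv6) so ISP DHCP churn is not flagged."""
    prefix = 24 if ip.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def build_baseline(events, cutoff):
    """Map each user to the set of networks they successfully logged in from before cutoff."""
    baseline = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < cutoff:
            baseline[e["user"]].add(network_of(e["src"]))
    return baseline


def new_network_logins(events, cutoff):
    """Successful logins at/after cutoff from a network the user never used in the baseline."""
    baseline = build_baseline(events, cutoff)
    hits = []
    for e in events:
        if e["ok"] and e["ts"] >= cutoff and network_of(e["src"]) not in baseline[e["user"]]:
            hits.append((e["user"], str(e["src"]), e["ts"].isoformat()))
    return hits


def shared_source_ips(events, min_users=2):
    """Source IPs that successfully authenticated as at least min_users distinct accounts."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["ok"]:
            users_by_ip[e["src"]].add(e["user"])
    return {str(ip): sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def run_example():
    """Run both checks over the constructed sample and return (new_network_hits, shared_ips)."""
    events = parse_logs(SAMPLE_LOGS)
    return new_network_logins(events, CUTOFF), shared_source_ips(events)


if __name__ == "__main__":
    hits, shared = run_example()
    for user, src, ts in hits:
        print(f"NEW NETWORK  user={user} src={src} at {ts}")
    for ip, users in shared.items():
        print(f"SHARED SOURCE src={ip} users={','.join(users)}")
```

On the sample, both checks fire on 192.0.2.45: alice and bob each log in from a network absent from their baseline, and the same address is used for both accounts. Neither signal alone proves compromise (a new office or a corporate proxy produces the same pattern), which is why a baseline per user and a known-good allow-list of shared egress addresses belong in any production version of this check.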

Read More: https://thehackernews.com/2025/05/iranian-hackers-maintain-2-year-access.html