Prolonged cyber-attack on Middle East Infrastructure detected by FortiGuard

by CXO Staff
May 27, 2025
in Future, News, Tech

A recent investigation by the FortiGuard Incident Response (FGIR) team has brought to light a persistent and deeply embedded cyber intrusion targeting critical national infrastructure (CNI) in the Middle East.

The operation, attributed to a state-sponsored threat group, appears to have been driven by espionage and long-term strategic intent.

A breach that spanned years

The intrusion spanned nearly two years, from May 2023 to February 2025, with signs of compromise dating back as far as May 2021. The attack unfolded in four distinct phases:

May 2023 – April 2024 – Establishing a foothold and initial operations: The adversary gained entry using stolen credentials and set up a presence within the organisation’s systems. They installed backdoor programmes and exploited publicly accessible servers to ensure they could return whenever needed.

Once inside, they expanded their access by collecting additional credentials and moving across systems using the Remote Desktop Protocol (RDP) and PsExec – a legitimate tool that allows users to run programmes on remote systems for troubleshooting, deploying software updates and patches, and executing commands and scripts on multiple systems simultaneously.

April 2024 – November 2024 – Consolidating the foothold: After establishing a foothold, the attackers strengthened their position by using tools to bypass security barriers and began gathering targeted email data. They extended their activities into systems supporting virtual environments, signalling a growing interest in more sensitive areas.

November 2024 – December 2024 – Initial remediation and adversary response: Once the victim organisation became aware of the breach, it began taking steps to contain the threat. The attackers responded aggressively by deploying new tools in an attempt to regain control, including deeper infiltration into key CNI network segments.

December 2024 – Present – Intrusion containment and final adversary response: The organisation eventually succeeded in locking out the attackers, but they attempted to re-enter via vulnerabilities in web applications and launched targeted phishing campaigns to steal credentials. Eventually, their repeated failed access attempts were detected and blocked.

The network and attack path

The victim organisation had a well-structured and highly segmented network, including a restricted and tightly controlled Operational Technology (OT) environment. While no confirmed disruption to OT systems was found, FortiGuard investigators found evidence of targeted reconnaissance and credential harvesting, indicating that the attackers were actively exploring those systems and suggesting they had future plans for them.

Tools of intrusion

The attackers used a mix of custom-built tools and stealthy techniques, and chose hosting providers and platforms unlikely to raise suspicion: they relied on VPS-hosted infrastructure while avoiding U.S.-based providers. Notable malware variants used include:

  • HanifNet – .NET-based backdoor for persistent access. The tool helps attackers maintain silent access.
  • HXLibrary – Malicious IIS module used to gain deeper system control.
  • NeoExpressRAT – Golang-based backdoor with hardcoded C2 communication. It is a programme used to receive remote instructions.
  • RemoteInjector – Loader for executing Havoc backdoors via scheduled tasks. It is used to reactivate dormant backdoors on command.

Lessons learned and defensive recommendations

This incident is a stark reminder that state-sponsored cyber adversaries continue to target and compromise critical infrastructure. CNI remains a top target for advanced cyber attackers, and organisations should prioritise the following defensive measures:

  • Enhance credential security by enforcing multi-factor authentication (MFA) for VPN and privileged accounts and implementing strict password policies with regular credential rotation.
  • Strengthen network segmentation and monitoring to restrict lateral movement and implement zero-trust architecture with layered access controls.
  • Improve endpoint and web security by conducting routine integrity checks on web-facing services and implementing application allowlisting to prevent unauthorised execution.
  • Deploy behavioural analytics and EDR solutions to detect anomalies in real-time and conduct regular penetration testing and third-party security reviews.
  • Ensure incident response preparedness by developing and testing cybersecurity playbooks for state-sponsored threats and deploying rapid detection and containment capabilities.
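The recommendation above to run routine integrity checks on web-facing services can be implemented as a hash baseline of the service's file tree that is re-checked on a schedule. The script below is an added example written for this article, not code from FortiGuard or the victim organisation; the directory layout, file names and contents in `demo()` are constructed, and the `build_baseline` / `compare` helpers are this example's own design. It flags exactly the kind of change the article describes (a module dropped under a web root, or an altered configuration file) as added, modified or removed entries.

```python
"""Integrity check for a web-facing service's file tree (added example).

Builds a SHA-256 baseline of every file under a root directory, then
compares a later snapshot against it and reports added, modified and
removed files. Paths and sample contents below are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; returns sorted lists of added, modified and removed paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict:
    """Constructed scenario: a known-good web root, then three changes a defender wants flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "web.config").write_text("<configuration />")        # constructed config
        (root / "bin" / "app.dll").write_bytes(b"legit-module-v1")    # constructed module
        (root / "index.html").write_text("<html>hello</html>")       # constructed page
        baseline = build_baseline(root)

        # Simulated tampering after the baseline was taken: a new module appears
        # under bin/, the configuration is rewritten, and a page disappears.
        (root / "bin" / "unexpected.dll").write_bytes(b"unknown-module")
        (root / "web.config").write_text("<configuration><modules/></configuration>")
        (root / "index.html").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the baseline where the web server's own service account cannot write to it (otherwise an intruder who controls the server can re-baseline their own changes), run the comparison from a scheduled job on a separate host where possible, and route any unexpected addition under a module or binary directory straight to the incident response queue rather than a daily report.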

Strategic implications

This investigation highlights the persistent and evolving nature of state-backed cyber threats targeting Middle Eastern CNIs. The attackers demonstrated advanced tactics to deeply embed themselves, evade detection, and sustain long-term access.

Despite containment efforts, the attacker has continued efforts to regain access, indicating a long-term strategic interest in this environment.

Organisations must remain vigilant, continuously refining their detection and response strategies to defend against sophisticated, state-sponsored cyber campaigns.

Tags: Critical Infrastructure, cyber-attacks, FortiGuard, Middle East