Iranian Hackers Sustain Two-Year Intrusion on Critical National Infrastructure

An Iranian state-sponsored threat group has been linked to a prolonged intrusion into a critical national infrastructure (CNI) organization in the Middle East, with activity spanning nearly two years. Fortinet's FortiGuard Incident Response (FGIR) team reported that the espionage campaign began in at least May 2023 and continued through February 2025.

The report describes extensive reconnaissance and network prepositioning: the attackers established and maintained persistent access so that it could be used in future operations rather than acting on it immediately. FGIR attributes the activity with moderate confidence to the Iranian threat actor tracked as Lemon Sandstorm (formerly Rubidium, and also known under other aliases such as Pioneer Kitten and Fox Kitten). This actor has previously targeted the aerospace, oil and gas, and utilities sectors across several regions, including the United States, Europe, and Australia.

The initial phase of the intrusion relied on stolen credentials to authenticate to the victim's SSL VPN, which gave the attackers a foothold without exploiting any vulnerability in the appliance itself. From there they deployed backdoors and web shells for long-term access and used a series of tools to move deeper into the network. In the later stages, after the victim began containment, the attackers repeatedly attempted to regain the access they had lost. For defenders, the practical lesson is that a valid credential on a remote-access service bypasses the perimeter entirely, so VPN authentication logs need to be monitored for signs of credential abuse, not just for exploit attempts.
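One way to hunt for the stolen-credential pattern described above is to baseline each user's normal VPN source addresses and flag successful logins that either come from a source never seen for that user or follow a burst of failed attempts. The script below is an added example written for this page; it is not Fortinet's code, and the log format, usernames, and IP addresses are constructed for illustration (real FortiGate or other VPN logs use different fields).

```python
"""Hunt for stolen-credential use in SSL VPN authentication logs.

Added example, not from the FGIR report. The log format, users and source
addresses below are constructed; adapt LOG_RE to your appliance's real format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Simplified, constructed log format: "<ISO8601Z> user=<u> src=<ip> result=<success|failure>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample log (not real data). 192.0.2.55 plays the attacker's address.
SAMPLE_LOG = """\
2023-05-02T08:01:10Z user=alice src=203.0.113.10 result=success
2023-05-02T08:15:42Z user=bob src=198.51.100.7 result=success
2023-05-03T02:11:03Z user=alice src=192.0.2.55 result=failure
2023-05-03T02:11:09Z user=alice src=192.0.2.55 result=failure
2023-05-03T02:11:15Z user=alice src=192.0.2.55 result=failure
2023-05-03T02:11:21Z user=alice src=192.0.2.55 result=success
2023-05-04T09:00:00Z user=bob src=198.51.100.7 result=success
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def hunt(log_text, fail_threshold=3, fail_window=timedelta(minutes=5)):
    """Return a list of findings over the given log text.

    Two heuristics are applied to every successful login, in timestamp order:
      new_source            - the user has logged in before, but never from this source IP
      failures_then_success - at least fail_threshold failures for this user within
                              fail_window preceded the success (password spray / guessing)
    The per-user source baseline is learned from the log itself; in production you
    would seed it from a longer history so the first days are not all 'new'.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    known_sources = defaultdict(set)    # user -> source IPs with a prior successful login
    recent_failures = defaultdict(list)  # user -> timestamps of failures not yet followed by a success
    findings = []

    for e in events:
        user, src, ts = e["user"], e["src"], e["ts"]
        if e["result"] == "failure":
            recent_failures[user].append(ts)
            continue

        # Keep only failures that fall inside the window before this success.
        recent_failures[user] = [t for t in recent_failures[user] if ts - t <= fail_window]

        if known_sources[user] and src not in known_sources[user]:
            findings.append({"user": user, "src": src, "ts": ts, "rule": "new_source"})
        if len(recent_failures[user]) >= fail_threshold:
            findings.append({"user": user, "src": src, "ts": ts, "rule": "failures_then_success"})

        recent_failures[user].clear()
        known_sources[user].add(src)

    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts'].isoformat()} {f['rule']:22s} user={f['user']} src={f['src']}")
```

On the constructed sample, both rules fire on alice's 02:11:21 login: it comes from an address she has never used and directly follows three failures. Neither heuristic proves compromise on its own (travelling users trip the first, forgotten passwords the second), but a login that trips both is exactly what an attacker replaying a stolen credential looks like and is worth an immediate session review.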

U.S. cybersecurity and intelligence agencies have previously flagged Lemon Sandstorm for facilitating ransomware attacks, in collaboration with ransomware affiliates, against organizations in the U.S., Israel, and the UAE, so the group's activity is not limited to espionage. Despite the depth of the intrusion, FGIR found no evidence that the attackers reached the victim's operational technology (OT) network, which the report credits to the containment measures taken by the victim's security teams. The case illustrates both the patience of state-sponsored operators and the value of keeping OT segmented from the IT environment an intruder is most likely to hold.