FortiGuard incident response team detects intrusion into Middle East critical national infrastructure www.fortinet.com/blog/thre…

The FortiGuard Incident Response (FGIR) team recently investigated a long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East, attributed to an Iranian state-sponsored threat group. The attack involved extensive espionage operations and suspected network prepositioning—a tactic often used to maintain persistent access for future strategic advantage. Key insights from the investigation include:

  • The attack unfolded in waves, with the adversary deploying new malware and infrastructure over time. They used custom loaders to execute Havoc and SystemBC in memory.
  • In addition to publicly available tools, the adversary deployed novel backdoors such as HanifNet, HXLibrary, and NeoExpressRAT, enabling command execution, file operations, and system discovery.
  • The adversary avoided U.S.-based infrastructure, instead relying on non-U.S. VPS providers.
  • Persistence was maintained through scheduled tasks designed to blend in with legitimate Windows processes.
  • Virtualization infrastructure was actively targeted, with the adversary conducting reconnaissance to understand network configurations.
  • After containment efforts, the adversary attempted to regain access by exploiting ZKTeco ZKBioTime software vulnerabilities, which had not been previously reported in the wild. They also launched targeted phishing attacks, using compromised third-party emails to steal administrator credentials.
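The scheduled-task persistence described above (tasks named and placed to blend in with legitimate Windows tasks) is something a defender can triage with a simple hunt over a task export. The script below is an added example, not code from Fortinet or the report; it parses a constructed excerpt in the shape of `schtasks /query /v /fo CSV` output (a column subset, with made-up rows) and flags tasks that sit under a Microsoft-looking path but were not authored by Microsoft, whose action runs from a user-writable directory, or whose action is a script or proxy-execution host. The heuristics, directory list and sample rows are assumptions for illustration, not indicators from the report.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /v /fo CSV` (column subset).
# Every row here is made up for illustration; none comes from the Fortinet report.
SAMPLE_CSV = r"""TaskName,Author,Task To Run,Run As User
\Microsoft\Windows\WindowsUpdate\Scheduled Start,Microsoft Corporation,C:\Windows\System32\sc.exe start wuauserv,SYSTEM
\Microsoft\Windows\Defrag\ScheduledDefrag,Microsoft Corporation,%windir%\system32\defrag.exe -c -h -o -$,SYSTEM
\Microsoft\Windows\Maintenance\WinSAT Update,CONTOSO\svc_backup,C:\ProgramData\WinSAT\winsat.exe,SYSTEM
\OneDrive Health Check,CONTOSO\jdoe,rundll32.exe C:\Users\Public\Libraries\health.dll Entry,CONTOSO\jdoe
\Backup\Nightly,CONTOSO\Administrator,C:\Program Files\BackupTool\backup.exe --full,SYSTEM
"""

# Directories that ordinary users can write to; a legitimate Microsoft task
# almost never launches its binary from one of these (assumed heuristic).
USER_WRITABLE_DIRS = re.compile(
    r"\\(programdata|users\\public|appdata|temp|windows\\tasks)\\", re.IGNORECASE
)

# Script interpreters and proxy-execution hosts that are common task actions
# for persistence but rare as the first token of a built-in Microsoft task.
PROXY_HOSTS = re.compile(
    r"^(?:.*\\)?(rundll32|regsvr32|mshta|wscript|cscript|powershell|pwsh|cmd)(\.exe)?\b",
    re.IGNORECASE,
)


def assess_task(row):
    """Return a list of reasons a task looks like it is masquerading; empty if clean."""
    reasons = []
    name = row["TaskName"]
    author = row["Author"].strip().lower()
    action = row["Task To Run"].strip()

    # Task lives under \Microsoft\... but was not registered by Microsoft.
    if name.lower().startswith("\\microsoft\\") and not author.startswith("microsoft"):
        reasons.append("Microsoft-style task path with non-Microsoft author")
    # Action binary or payload is loaded from a user-writable location.
    if USER_WRITABLE_DIRS.search(action):
        reasons.append("action runs from a user-writable directory")
    # Action is a LOLBin-style host rather than a normal executable.
    if PROXY_HOSTS.match(action):
        reasons.append("action is a script or proxy-execution host")
    return reasons


def triage(csv_text):
    """Map each suspicious TaskName in a schtasks CSV export to its list of reasons."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = assess_task(row)
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings


if __name__ == "__main__":
    for task, reasons in triage(SAMPLE_CSV).items():
        print(task)
        for reason in reasons:
            print("   -", reason)
```

On a real host the same function can be fed the output of `schtasks /query /v /fo CSV` exported to a file; the two flagged rows in the sample (a fake WinSAT task under the Microsoft tree and a rundll32 action loading a DLL from Users\Public) are the shapes a task-masquerading hunt is meant to surface, and the heuristics are deliberately loose so that results are reviewed by an analyst rather than acted on automatically.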