An Iran-linked hacking group embedded itself deep into a rival Middle Eastern country’s infrastructure network for over 20 months, deploying stealthy malware and custom tools — but ultimately failed to breach its operational technology systems.
Security researchers from Fortinet revealed this week that the attackers exploited stolen VPN credentials to access the IT network of a critical national infrastructure (CNI) provider, setting up a sophisticated long-term foothold. Their primary target, however — the OT systems that control real-world operations — remained out of reach, thanks to strong segmentation and defensive measures.
Long Game with High Stakes
The infiltration began quietly — and early. According to Fortinet’s May 1 report, attackers first gained access to the victim’s network at least two years ago.
Within days, they installed web shells on Microsoft Exchange servers. Over the next year and a half, they upgraded those backdoors, added stealth features, and slowly expanded their presence.
Then came five tailor-made tools. One of them, dubbed “HanifNet,” was previously undocumented and had traces of religious references in Farsi. It’s one of the key clues pointing to the Iran-backed group known as Lemon Sandstorm, also referred to as Fox Kitten or UNC757.
There’s no sign the group stole data or demanded ransom. That’s not what this was about.
“The whole operation looked more like a silent stakeout than a smash-and-grab,” said John Simmons of Fortinet’s FortiGuard Incident Response team.
Looking but Not Touching: Intent Over Theft
The group’s true objective, experts believe, wasn’t financial gain or data theft.
Their goal? Long-term access to the OT environment. But they never got there.
Nathaniel Jones from Darktrace said the attackers displayed “surgical patience” and appeared more interested in pre-positioning than pulling the trigger. He compared their tactics to those used in Volt Typhoon, the China-linked threat actor, and Russia’s GRU operations in Ukraine.
It’s a chilling thought.
“They didn’t exfiltrate anything big, didn’t trigger any alarms — just quietly maintained access,” Jones noted. “That kind of patience signals national interest, not personal profit.”
Even after being discovered, the group didn’t give up. They launched spear-phishing campaigns and probed for weaknesses. But the defenders were a step ahead.
Sophisticated Tools, Familiar Tricks
Despite deploying a half-dozen custom tools, Lemon Sandstorm mostly stuck with tried-and-tested techniques — a tactic that made them harder to detect.
Web shells. Credential harvesting. Remote desktop exploitation. These aren’t new tricks, but they’re still wildly effective.
Security experts say organizations can do a lot by focusing less on shiny new malware variants and more on the basics. The Fortinet report made that point clear:
- Prioritize patching of known vulnerabilities (n-days)
- Deploy MFA across all privileged accounts
- Limit lateral movement using segmentation
- Monitor for abuse of remote access tools
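As an added illustration of the monitoring items above (example code written for this page, not from the Fortinet report or the article), the following Python script triages constructed VPN and RDP log lines and flags three behaviours that figure in this case: a privileged VPN login without MFA, RDP fan-out from one host to several others, and a session crossing from the IT range into the OT range. The log format, account names, address ranges and thresholds are all assumptions.

```python
"""Triage constructed remote-access events against the report's basics."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

OT_NET = ip_network("10.50.0.0/16")           # assumed OT address range
PRIVILEGED = {"svc-backup", "da-admin"}       # assumed privileged accounts
FANOUT_THRESHOLD, FANOUT_WINDOW = 3, timedelta(minutes=30)

# Constructed sample events: "<timestamp> <vpn|rdp> <user> <src> <dst> <mfa>".
# The VPN login comes from an external address; the RDP sessions originate
# from the internal address the VPN client was then assigned.
LOG = """\
2024-03-01T02:10:00 vpn svc-backup 203.0.113.7 - no
2024-03-01T02:12:00 rdp svc-backup 10.10.1.5 10.10.1.20 -
2024-03-01T02:15:00 rdp svc-backup 10.10.1.5 10.10.1.21 -
2024-03-01T02:18:00 rdp svc-backup 10.10.1.5 10.10.1.22 -
2024-03-01T02:25:00 rdp svc-backup 10.10.1.5 10.50.3.9 -
2024-03-01T09:00:00 vpn jdoe 198.51.100.4 - yes
2024-03-01T09:05:00 rdp jdoe 10.10.2.8 10.10.2.30 -
"""

def parse(text):
    """Split each line into a dict; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        ts, kind, user, src, dst, mfa = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "user": user, "src": src, "dst": dst, "mfa": mfa})
    return events

def triage(events):
    """Return (rule, user, detail) tuples in the order the rules fire."""
    alerts = []
    seen = defaultdict(list)   # (user, src) -> [(ts, dst), ...] RDP history
    for e in events:
        if e["kind"] == "vpn" and e["user"] in PRIVILEGED and e["mfa"] != "yes":
            alerts.append(("no_mfa_privileged_vpn", e["user"], e["src"]))
        if e["kind"] == "rdp":
            if ip_address(e["dst"]) in OT_NET and ip_address(e["src"]) not in OT_NET:
                alerts.append(("it_to_ot_crossing", e["user"], e["dst"]))
            hist = seen[(e["user"], e["src"])]
            hist.append((e["ts"], e["dst"]))
            recent = {d for t, d in hist if e["ts"] - t <= FANOUT_WINDOW}
            if len(recent) == FANOUT_THRESHOLD:   # fire once, when reached
                alerts.append(("rdp_fanout", e["user"], e["src"]))
    return alerts

if __name__ == "__main__":
    for alert in triage(parse(LOG)):
        print(*alert)
```

On the constructed sample, only the svc-backup account trips the rules; jdoe logs in with MFA and opens a single RDP session, so it stays quiet.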
“You don’t need to chase zero-days if you can exploit a forgotten patch,” said Simmons.
Tool Timeline Shows a Calculated Strategy
One particularly revealing aspect of the breach is how the attackers layered their tools over time — methodically, not chaotically.
Here’s a simplified look at how different components were introduced:
| Month | Tool/Technique Introduced | Purpose |
|---|---|---|
| 1 | VPN access (via stolen credentials) | Initial entry |
| 1 | Web shells on Exchange servers | Persistence and control |
| 4 | Custom malware (HanifNet) | Stealth access and command execution |
| 9 | Credential dumpers | Privilege escalation |
| 14 | Remote Desktop lateral movement | Network-wide infiltration |
| 18 | Spear-phishing attempts | Re-entry attempt after detection |
That timeline shows serious planning. Not something put together by weekend hackers or thrill-seekers.
Targeting Trends in the Middle East
Attacks like this aren’t isolated. State-backed threat groups are doubling down on CNI in the Middle East.
According to a May 7 report by Positive Technologies, one-third of all successful cyberattacks in the region are carried out by APT groups — often with direct links to nation-states.
The stakes are high. One hit to a power grid, water supply, or telecom network could send shockwaves far beyond the target country’s borders.
Alexey Lukash, a threat analyst with Positive Technologies, warned that Middle Eastern governments must ramp up defenses — not just reactively, but preemptively.
“The threat landscape is changing fast,” he said. “CNI must be prioritized. The price of inaction is simply too high.”
Segmentation: The Unsung Hero
So why didn’t Lemon Sandstorm reach the OT systems?
By keeping their IT and OT environments separate — both digitally and physically — the target organization managed to block lateral movement. That segmentation made the attackers’ job exponentially harder.
Mark Robson from FortiGuard Labs said the segmentation “elongated the intrusion” and slowed down the attackers enough to give defenders time to respond.
Segmentation saved the day.
And it wasn’t just about architecture. The team had rehearsed incident response protocols, meaning they didn’t panic when things got hairy. That calm, measured reaction helped limit the fallout.
Lessons Beyond Firewalls
This breach, while alarming, is packed with lessons.
For starters, even highly disciplined APT groups can be stopped — with the right mix of preparation, architecture, and watchfulness. Cybersecurity isn’t just about gadgets and dashboards; it’s about planning, discipline, and execution.
It’s also a reminder that some attackers are playing the long game. They’re not here to crash systems or steal credit cards. They want access. They want leverage. They want options.
That’s why network segmentation, MFA, patch hygiene, and trained staff matter so much more than fancy AI dashboards or the latest antivirus engine.
Because sometimes, simple steps beat complex threats.