Iranian state-backed hacking operation Lemon Sandstorm, also known as Pioneer Kitten, Parisite, and UNC757, targeted Middle Eastern critical national infrastructure (CNI) in a multi-stage cyberattack between May 2023 and February 2025, according to The Hacker News. After infiltrating the CNI's SSL VPN system and deploying web shells and the Havoc, HXLibrary, and HanifNet backdoors between May 15, 2023 and April 29, 2024, Lemon Sandstorm distributed additional web shells and the NeoExpressRAT backdoor, exfiltrated emails, and performed lateral movement between April 30, 2024 and November 22, 2024, a report from the FortiGuard Incident Response team showed. Both the MeshCentral Agent and SystemBC backdoors were then delivered between November 23, 2024 and December 13, 2024, before Lemon Sandstorm moved to exploit Biotime security flaws and launch spear-phishing intrusions beginning December 14. Such intrusions were characterized by the use of chained proxies, which researchers said showed "a sophisticated approach to maintaining persistence and avoiding detection."
Critical Infrastructure Security, Threat Intelligence
Middle Eastern critical infrastructure targeted by long-term Iranian cyberattack




