Full Report
Fortinet’s FortiGuard Labs Incident Response (FGIR) team uncovered a prolonged cyber intrusion targeting critical national infrastructure in the... The post Fortinet’s FortiGuard Labs uncovers multi-year state-sponsored cyber intrusion targeting Middle East critical infrastructure appeared first on Industrial Cyber.
Analysis Summary
# Incident Report: Prolonged State-Sponsored Intrusion into Middle East Critical Infrastructure
## Executive Summary
A sophisticated state-sponsored threat actor conducted a prolonged cyber espionage campaign against critical national infrastructure in the Middle East, active from at least May 2023 to February 2025, with indications of activity dating back to May 2021. The attackers gained initial access with compromised VPN credentials, deployed custom malware (Havoc, HanifNet, HXLibrary, NeoExpressRAT), and chained proxy tools to bypass network segmentation, seeking deep access to both IT and OT environments. Even after containment, the adversary repeatedly attempted to regain access, underscoring its long-term strategic interest in the victim's network.
## Incident Details
- **Discovery Date:** Not stated directly; the response phase (Phase 3) began in November 2024, although the campaign was active well before then.
- **Incident Date:** Active from at least May 2023 to February 2025, with indications dating back to May 2021.
- **Affected Organization:** Critical National Infrastructure in the Middle East.
- **Sector:** Critical Infrastructure (likely including IT and OT environments).
- **Geography:** Middle East.
## Timeline of Events
### Initial Access
- **Date/Time:** At least May 2023 (Start of Phase 1).
- **Vector:** Stolen SSL VPN credentials.
- **Details:** Attackers logged into the victim’s network using valid, externally compromised credentials.
### Lateral Movement
- **Date/Time:** Phase 1 (May 2023 - April 2024) and Phase 2 (April - November 2024).
- **Vector:** Remote Desktop Protocol (RDP) and PsExec.
- **Details:** After initial deployment of web shells and backdoors, the attackers moved laterally using standard internal protocols, subsequently chaining proxy tools (plink, Ngrok, Glider Proxy, ReverseSocks5) to bypass network segmentation between IT and restricted OT segments. They also conducted reconnaissance on virtualization infrastructure.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing, noted specifically during Phase 2.
- **Impact:** Exfiltration of targeted email data; extensive espionage and network reconnaissance aimed at prepositioning for long-term strategic access, including hostile interest shown toward the OT environment.
### Detection & Response
- **How it was discovered:** Detection occurred prior to November 2024, triggering initial containment efforts (Phase 3).
- **Response actions taken:** The victim implemented containment measures starting around November 2024, resulting in the successful removal of the adversary’s access by December 2024.
## Attack Methodology
- **Initial Access:** Stolen credentials for SSL VPN login.
- **Persistence:** Multiple web shells, custom backdoors (Havoc, HanifNet, HXLibrary, NeoExpressRAT), and the use of scheduled tasks mimicking legitimate Windows processes.
- **Privilege Escalation:** Not explicitly detailed, but implied by lateral movement via RDP/PsExec and credential harvesting.
- **Defense Evasion:** Custom loaders injected Havoc and SystemBC directly into memory, avoiding disk-based detection; command-and-control infrastructure ran on VPS hosts from non-U.S. providers.
- **Credential Access:** Stealing additional credentials post-initial access using deployed tools.
- **Discovery:** Detailed reconnaissance of network configurations and virtualization infrastructure.
- **Lateral Movement:** RDP, PsExec, and chaining proxy tools to pivot across network segments.
- **Collection:** Targeted email data was exfiltrated.
- **Exfiltration:** Details not specified, but exfiltration occurred via established command and control channels.
- **Impact:** Espionage and prepositioning for future disruption, though no confirmed disruption to OT systems was found.
## Impact Assessment
- **Financial:** Not publicly estimated.
- **Data Breach:** Targeted email data exfiltration detailed; extensive reconnaissance suggests deep compromise of intellectual or operational data.
- **Operational:** No confirmed disruption to Operational Technology (OT) systems, but the adversary demonstrated intent to compromise these areas.
- **Reputational:** Implied negative impact due to the nature of the breach (state-sponsored targeting of critical infrastructure).
## Indicators of Compromise
- **Network Indicators:** No specific IP addresses or domains are listed in this summary; the actor used VPS infrastructure hosted by non-U.S. providers and the proxy tools `plink`, `Ngrok`, `Glider Proxy`, and `ReverseSocks5`.
- **File Indicators:** Backdoors identified: `Havoc`, `HanifNet`, `HXLibrary`, `NeoExpressRAT`, `SystemBC`, `MeshCentral`.
- **Behavioral Indicators:** Deployment of custom loaders for in-memory execution; creation of scheduled tasks mimicking legitimate Windows processes; targeted reconnaissance of virtualization infrastructure.
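As an added example (not code from the Fortinet report), the following Python flags two of the indicators above in constructed process-creation telemetry: execution of the named proxy tools, and `schtasks /create` registrations whose task name imitates a Windows component but whose action runs from a user-writable path. The on-disk executable names for the proxy tools and the JSON-lines event shape are assumptions.

```python
import json
import re

# Assumed on-disk names for the proxy tools the report lists (the report names
# the tools, not their file names); extend from your own telemetry.
PROXY_TOOLS = {"plink.exe", "ngrok.exe", "glider.exe", "reversesocks5.exe"}
# Directories a legitimately registered Windows-branded task normally runs from.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
_TASK_NAME = re.compile(r'/tn\s+"([^"]+)"', re.I)    # schtasks task name
_TASK_ACTION = re.compile(r'/tr\s+"([^"]+)"', re.I)  # schtasks action (program path)

# Constructed sample events, one process creation per line (JSON lines).
SAMPLE_EVENTS = r'''
{"ts":"2024-06-03T10:14:22Z","host":"SRV01","image":"C:\\ProgramData\\plink.exe","cmdline":"plink.exe -batch"}
{"ts":"2024-06-03T10:15:01Z","host":"SRV01","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks.exe /create /tn \"Microsoft\\Windows\\UpdateOrchestrator\\Scan\" /tr \"C:\\Users\\Public\\update.exe\" /sc hourly"}
{"ts":"2024-06-03T10:16:40Z","host":"WS07","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks.exe /create /tn \"Backup\\Nightly\" /tr \"C:\\Program Files\\Veeam\\backup.exe\" /sc daily"}
{"ts":"2024-06-03T10:17:05Z","host":"WS07","image":"C:\\Program Files\\PuTTY\\putty.exe","cmdline":"putty.exe"}
'''

def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines()]

def check_event(ev):
    """Return (rule, detail) findings for one process-creation event."""
    findings = []
    image = ev.get("image", "")
    exe = image.rsplit("\\", 1)[-1].lower()
    cmd = ev.get("cmdline", "")
    if exe in PROXY_TOOLS:  # a tunnelling/proxy tool was launched
        findings.append(("proxy_tool", image))
    if exe == "schtasks.exe" and "/create" in cmd.lower():
        m_name, m_act = _TASK_NAME.search(cmd), _TASK_ACTION.search(cmd)
        name = m_name.group(1) if m_name else ""
        action = m_act.group(1) if m_act else ""
        # Branded like a Windows component but launched from outside trusted dirs.
        mimics_windows = any(w in name.lower() for w in ("microsoft", "windows"))
        if mimics_windows and not action.lower().startswith(TRUSTED_DIRS):
            findings.append(("masquerading_task", f"{name} -> {action}"))
    return findings

def scan(text):
    """Run both checks over JSON-lines telemetry; yields (ts, host, rule, detail)."""
    return [(ev["ts"], ev["host"], rule, detail)
            for ev in parse_events(text) for rule, detail in check_event(ev)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

Only the first two sample events are flagged; the Veeam task runs from `Program Files` and is not Windows-branded, and `putty.exe` is not in the proxy-tool set.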
## Response Actions
- **Containment Measures:** Initial containment efforts began around November 2024, successfully removing the primary access points by December 2024.
- **Eradication Steps:** Removal or blocking of the deployed web shells and backdoors across the environment.
- **Recovery Actions:** After containment, the adversary attempted to regain access by exploiting a vulnerability in ZKTeco ZKBioTime software and through phishing; all attempts were detected and blocked.
## Lessons Learned
- **Key Takeaways:** State-sponsored actors conduct long-term, multi-phased intrusions characterized by advanced evasion techniques (in-memory execution) and meticulous planning to maintain strategic access, with particular interest in OT environments.
- **What could have been done better:** The initial access via stolen VPN credentials suggests MFA was likely absent or bypassed for those accounts. The lateral movement despite segmentation indicates the proxy chaining techniques successfully bypassed layered controls.
## Recommendations
- **Prevention Measures for Similar Incidents:**
1. Enforce Multi-Factor Authentication (MFA) for all VPN and privileged accounts; enforce strict credential rotation policies.
2. Strengthen network segmentation monitoring, particularly between IT and OT environments, to detect proxy chaining designed to bypass these controls.
3. Adopt a Zero Trust architecture with layered access controls.
4. Conduct routine integrity checks on web-facing services and implement application allowlisting to prevent unauthorized execution.
5. Deploy robust EDR solutions capable of behavioral analytics to detect anomalies like in-memory execution.
6. Conduct regular penetration testing and third-party security reviews to identify architecture weaknesses, including newly emerging software vulnerabilities (e.g., ZKTeco ZKBioTime).
7. Develop and regularly test incident response playbooks specific to complex, state-sponsored persistent threats.