Fortinet’s FortiGuard Labs uncovers multi-year state-sponsored cyber intrusion targeting Middle East critical infrastructure

Summary

Fortinet’s FortiGuard Labs has disclosed a long-running state-sponsored intrusion into critical national infrastructure in the Middle East. The activity it analysed ran from May 2023 to February 2025, with the earliest signs of compromise dating back to May 2021. The attackers gained initial access with stolen VPN credentials, then maintained their foothold through multiple web shells and backdoors, including Havoc and NeoExpressRAT. They also carried out reconnaissance of virtualised environments and extensive credential harvesting inside segmented operational technology (OT) networks.

Key Points

  • This cyber intrusion involved sophisticated espionage tactics over several years, demonstrating advanced capabilities of state-sponsored threat actors.
  • Attackers used stolen VPN credentials to infiltrate networks and deployed various malicious tools to maintain persistence.
  • The attackers were selective about which infrastructure they compromised and avoided U.S.-based systems.
  • After the intrusion was contained, the attackers made multiple attempts to re-enter the network, all of which failed.
  • FortiGuard Labs urges organisations to tighten controls such as multi-factor authentication and stricter password policies, given that stolen VPN credentials were the initial entry point.
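Two of the behaviours above leave a footprint in ordinary VPN authentication logs: a stolen credential only works where no second factor is enforced, and re-entry attempts after containment show up as bursts of failed logins against accounts whose passwords were reset. The script below is an added example written for this summary, not code from Fortinet or the report; the log format, the sample lines, the usernames, the addresses (TEST-NET ranges) and the reset timestamps are all constructed here for illustration.

```python
"""Flag two VPN-log patterns described in the summary above:
  1. successful logins completed without MFA, and
  2. bursts of failed logins against accounts reset during containment
     (candidate re-entry attempts).
Log format and sample data are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log: one key=value event per line. Not from the report.
SAMPLE_LOG = """\
2025-02-10T08:00:01Z user=jdoe src=203.0.113.7 result=success mfa=yes
2025-02-10T08:05:44Z user=svc_backup src=198.51.100.23 result=success mfa=no
2025-02-10T09:12:09Z user=asmith src=203.0.113.9 result=success mfa=yes
2025-02-11T02:14:00Z user=svc_backup src=198.51.100.23 result=failure mfa=no
2025-02-11T02:14:31Z user=svc_backup src=198.51.100.23 result=failure mfa=no
2025-02-11T02:15:02Z user=svc_backup src=198.51.100.23 result=failure mfa=no
2025-02-11T02:16:40Z user=svc_backup src=198.51.100.41 result=failure mfa=no
2025-02-11T10:00:00Z user=asmith src=203.0.113.9 result=failure mfa=yes
"""

# Constructed: when each account's credentials were reset during containment.
RESET_TIMES = {"svc_backup": datetime(2025, 2, 10, 18, 0, tzinfo=timezone.utc)}


@dataclass
class VpnEvent:
    ts: datetime
    user: str
    src_ip: str
    result: str  # "success" or "failure"
    mfa: bool


def parse_vpn_log(text: str) -> list[VpnEvent]:
    """Parse the constructed key=value format into VpnEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(VpnEvent(ts, kv["user"], kv["src"], kv["result"], kv["mfa"] == "yes"))
    return events


def logins_without_mfa(events: list[VpnEvent]) -> list[VpnEvent]:
    """Successful logins that never presented a second factor: the sessions a
    stolen password alone can open."""
    return [e for e in events if e.result == "success" and not e.mfa]


def _max_in_window(times: list[datetime], window: timedelta) -> int:
    """Largest number of timestamps falling inside any span of `window`."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def reentry_attempts(events, reset_times, threshold=3, window=timedelta(minutes=10)):
    """For each reset account, count failed logins after the reset. Accounts
    with at least `threshold` failures inside any `window` are reported with
    the burst size and the source addresses involved."""
    failures = defaultdict(list)
    sources = defaultdict(set)
    for e in events:
        reset_at = reset_times.get(e.user)
        if reset_at is not None and e.result == "failure" and e.ts > reset_at:
            failures[e.user].append(e.ts)
            sources[e.user].add(e.src_ip)
    hits = {}
    for user, times in failures.items():
        burst = _max_in_window(sorted(times), window)
        if burst >= threshold:
            hits[user] = {"failures": burst, "sources": sorted(sources[user])}
    return hits


if __name__ == "__main__":
    evts = parse_vpn_log(SAMPLE_LOG)
    for e in logins_without_mfa(evts):
        print(f"no-MFA login: {e.user} from {e.src_ip} at {e.ts.isoformat()}")
    for user, info in reentry_attempts(evts, RESET_TIMES).items():
        print(f"re-entry burst: {user} {info['failures']} failures from {info['sources']}")
```

The reset timestamp is the key input: failures before a reset are just noise, failures after it against a password the attacker is known to have held are evidence that the credential is still being tried, and a second source address in the same burst suggests the attempts are being rotated through more than one relay.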

Why should I read this?

If you think cyber threats aren’t your concern, think again! This article lays bare how state-sponsored actors are playing the long game in cyberattacks, in this case against critical infrastructure in the Middle East. The tactics described apply just as easily to other regions and sectors, so understanding these developments is crucial for broadening your awareness and bolstering your own digital security strategies. We’ve done the digging so you don’t have to!

Source: Industrial Cyber
