State-sponsored threat actors infiltrated critical systems for over two years, revealing alarming gaps in long-term defense and detection
A sophisticated, state-sponsored cyberattack has penetrated critical national infrastructure (CNI) in the Middle East, remaining undetected for nearly two years, according to a new investigation by the FortiGuard Incident Response (FGIR) team. In activity traced back as far as May 2021, the attackers used stolen credentials and tools such as PsExec and Remote Desktop Protocol (RDP) to move laterally across highly segmented systems.
The campaign unfolded in four calculated phases—from initial access and silent expansion to attempted reentry even after initial containment. Despite the organization’s robust segmentation and restricted Operational Technology (OT) environment, attackers conducted detailed reconnaissance and credential harvesting, hinting at long-term strategic espionage goals.
“The adversary’s ability to embed itself over years, bypass detection, and pursue re-entry even after containment is a chilling reminder of the evolving threat landscape for national infrastructure.”
The adversary deployed a customized arsenal including:
- HanifNet (.NET-based persistent backdoor)
- HXLibrary (malicious IIS module)
- NeoExpressRAT (Golang-based backdoor with hardcoded C2)
- RemoteInjector (loader for reactivating Havoc malware)
Avoiding U.S.-based infrastructure, the attackers relied on VPS-hosted systems and stealthy techniques to remain under the radar.
“They focused on avoiding high-profile detection, building out long-term access, and when confronted, doubling down with new tools to regain control.”
Though the victim eventually blocked access and neutralized active threats, failed phishing campaigns and renewed exploit attempts indicate that the attackers remain committed to regaining entry.
FortiGuard recommends multi-layered mitigation measures, including zero trust segmentation, multi-factor authentication, EDR deployment, and routine third-party penetration testing. The attack underlines the strategic focus of cyber adversaries on CNI—where persistent access can provide geopolitical advantage or set the stage for future sabotage.
As cyber-physical threats escalate, Middle East organizations must adopt proactive threat hunting and continuously evolve their security postures to counter these deeply embedded and politically motivated attacks.