An Iranian state-sponsored threat group recently targeted a critical national infrastructure (CNI) provider in a Middle Eastern country. Over two years, the group infiltrated the organization’s IT systems but ultimately failed to access the more sensitive operational technology (OT) environment. The campaign highlights the growing focus on infrastructure by nation-state actors and the importance of strong network defenses. According to a May 1 report by Fortinet, the Iran-backed threat group—known as “Lemon Sandstorm”—initially breached the target using stolen VPN credentials.
Within a week, the attackers had installed web shells on two externally facing Microsoft Exchange servers and later modified them to evade detection. Fortinet began assisting the victim with remediation late last year.
Long-Term Infiltration Strategy
The attackers remained within the organization’s network for nearly 20 months. During that time, they deployed at least five custom malware tools and additional components to maintain long-term access. John Simmons, regional lead for Fortinet’s FortiGuard Incident Response team, noted that the group did not focus on data theft.
“The threat actor did not carry out significant data exfiltration,” Simmons said. “This suggests their primary goal was maintaining long-term access to the OT environment, potentially setting the stage for a future destructive attack.”
This case reflects a wider shift in tactics among cyber threat actors in the Middle East. According to a May 7 report by Positive Technologies, about 34% of successful attacks in the region are executed by advanced persistent threat (APT) groups. These groups commonly target government institutions and national infrastructure, increasing the stakes of each intrusion.
Strategic and Ideological Motives Behind Attacks
Lemon Sandstorm, also known as Fox Kitten and UNC757, has previously been linked to data theft, network disruptions, and even collaboration with ransomware actors. Its recent activity showed improved operational security. Even after being evicted from the victim's systems, the group spent months attempting to regain access through spear-phishing and exploitation of known vulnerabilities.
Fortinet identified more than a dozen tools used in the campaign, including bespoke malware with embedded Farsi religious terms. Nathaniel Jones, vice president of security and AI strategy at Darktrace, says this hints at ideological motives behind the attack.
“The use of Farsi religious references, combined with targeted brute-force attacks on domain admin accounts, suggests a nation-state or intelligence-linked actor,” said Jones. “Their goal likely involves pre-positioning within critical infrastructure, mirroring tactics used by Chinese and Russian cyber operations.”
These incidents underscore how infrastructure systems are becoming battlegrounds for geopolitical conflict, with cyber operations used to exert pressure or prepare for possible kinetic actions.
Segmentation: A Key Defense Strategy
Despite the sophistication of the attack, the CNI provider avoided a far worse outcome because of strong network segmentation. Mark Robson, principal threat analyst at Fortinet's FortiGuard Labs, emphasized how this single control hindered the attackers' progress.
“The strong network segmentation implemented by the victim noticeably elongated the intrusion and prevented lateral movement into the OT environment,” Robson said.
The attackers' failure also reinforces the importance of defense-in-depth. Fortinet's report advises organizations to focus less on exotic malware variants and more on blocking the common attack vectors that carry most intrusions: lateral movement over remote desktop (RDP) and file-sharing (SMB) protocols, the use of open-source offensive tooling, and web shell deployment on internet-facing servers.
To mitigate these threats, companies should enforce multi-factor authentication, particularly on VPN and other remote-access services, since this intrusion began with stolen VPN credentials; apply security patches promptly, above all on externally facing systems such as Exchange; and conduct regular incident response drills. These steps materially raise an organization's resilience and its ability to respond to a real breach.
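As an added illustration of what "blocking common attack vectors" looks like in detection logic, the following Python is not code from Fortinet's report or from the article; it flags the two patterns the advice names, RDP/SMB fan-out from a host that is not a sanctioned jump host, and repeated POSTs to a script path outside the expected web application, over constructed samples. The hostnames, IP addresses, URI paths and the trimmed log field layout are all assumptions made for the example.

```python
"""Added example (not from Fortinet or the article): detect RDP/SMB lateral
movement fan-out and web shell-style POSTs over constructed log samples."""
from collections import Counter

# Constructed Windows Security 4624 (successful logon) events, reduced to the
# fields a detection uses. LogonType 10 = RemoteInteractive (RDP),
# LogonType 3 = Network (SMB/admin shares). Hosts and IPs are hypothetical.
LOGON_EVENTS = [
    {"target": "JUMP01", "src_ip": "10.1.5.20", "user": "it-admin", "logon_type": 10},
    {"target": "FS01",   "src_ip": "10.1.5.20", "user": "it-admin", "logon_type": 3},
    {"target": "WS042",  "src_ip": "10.2.7.31", "user": "jsmith",   "logon_type": 10},  # workstation -> workstation RDP
    {"target": "DC01",   "src_ip": "10.2.7.31", "user": "jsmith",   "logon_type": 3},   # same source, SMB to a DC
    {"target": "EXCH01", "src_ip": "10.2.7.31", "user": "jsmith",   "logon_type": 3},   # then SMB to Exchange
]

# Hosts from which interactive/admin access is expected (hypothetical allowlist).
JUMP_HOSTS = {"10.1.5.20"}


def flag_lateral_movement(events, jump_hosts=JUMP_HOSTS, fan_out=2):
    """Return (src_ip, user, sorted targets) for every source that is not a
    sanctioned jump host and reaches `fan_out` or more distinct hosts over RDP
    or SMB. Fan-out from an ordinary endpoint is the signature of a credentialed
    operator walking a segment; a single RDP session from a jump host is not."""
    by_source = {}
    for ev in events:
        if ev["logon_type"] not in (3, 10) or ev["src_ip"] in jump_hosts:
            continue
        by_source.setdefault((ev["src_ip"], ev["user"]), set()).add(ev["target"])
    return [(src, user, sorted(targets))
            for (src, user), targets in by_source.items()
            if len(targets) >= fan_out]


# Constructed IIS-style access log, space separated, with this assumed field order:
# date time s-ip method uri query port username c-ip user-agent status
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-11-02 08:15:01 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2024-11-02 08:16:42 10.0.0.5 POST /aspnet_client/system_web/errorFF.aspx - 443 - 198.51.100.9 python-requests/2.31 200
2024-11-02 08:17:03 10.0.0.5 GET /owa/ - 443 user@corp 203.0.113.7 Mozilla/5.0 200
2024-11-02 08:18:10 10.0.0.5 POST /aspnet_client/system_web/errorFF.aspx - 443 - 198.51.100.9 python-requests/2.31 200
"""

# URI prefixes under which POSTs to the Exchange web tier are legitimate (assumed).
EXPECTED_POST_PREFIXES = ("/owa/", "/ecp/", "/ews/", "/mapi/", "/autodiscover/")
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def flag_webshell_candidates(lines, prefixes=EXPECTED_POST_PREFIXES):
    """Count POSTs to server-side script files that sit outside the expected
    application paths, keyed by (uri, client_ip). A web shell is exactly such a
    file: a script the application never shipped, driven by POST from one or a
    few client addresses. Comment lines ("#Fields: ...") are skipped."""
    hits = Counter()
    for line in lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 11:
            continue  # malformed line; a real pipeline would log and move on
        method, uri, client_ip = fields[3], fields[4].lower(), fields[8]
        if method != "POST" or not uri.endswith(SCRIPT_EXTENSIONS):
            continue
        if any(uri.startswith(p) for p in prefixes):
            continue
        hits[(fields[4], client_ip)] += 1
    return hits


if __name__ == "__main__":
    for src, user, targets in flag_lateral_movement(LOGON_EVENTS):
        print(f"lateral movement: {user}@{src} -> {', '.join(targets)}")
    for (uri, ip), n in flag_webshell_candidates(IIS_LOG.splitlines()).items():
        print(f"web shell candidate: {n} POST(s) to {uri} from {ip}")
```

Both checks are deliberately simple: the value is in the allowlists (jump hosts, legitimate POST paths), which encode the segmentation and application boundaries the article credits with containing this intrusion. Tune the jump-host set and prefixes to the environment before relying on the output.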
As Middle Eastern governments face increasing cyber threats to critical infrastructure, this incident stands as a reminder of the importance of proactive defense. Without it, the geopolitical ambitions of adversarial states may escalate from mere positioning to full-blown cyber warfare.