CyberSecurity news

FlagThis - #iran

@www.dhs.gov //

US organizations hit by Iranian Hacktivist Cyberattacks - Iran-aligned hacktivist groups launched DDoS attacks on U.S. organizations, including U.S. Air Force websites and financial services, following U.S. airstrikes on Iranian nuclear sites.
Following U.S. airstrikes on Iranian nuclear sites on June 21, 2025, a wave of cyberattacks has been launched against U.S. organizations by Iran-aligned hacktivist groups. Cyble threat intelligence researchers reported that in the first 24 hours after the strikes, 15 U.S. organizations and 19 websites were targeted with DDoS attacks. Groups such as Mr Hamza, Team 313, Keymous+, and Cyber Jihad have claimed responsibility, targeting U.S. Air Force websites, aerospace and defense companies, and financial services organizations.

The attacks have been framed as retaliation for U.S. involvement in the ongoing Israel-Iran conflict, with the groups using the hashtag #Op_Usa to deface websites and leak credentials. The U.S. Department of Homeland Security (DHS) issued a bulletin on June 22, 2025, warning of likely low-level cyber attacks against U.S. networks by pro-Iranian hacktivists, noting that cyber actors affiliated with the Iranian government may also conduct attacks. This warning highlights the escalating cyber warfare activity between the two nations.

In a notable incident, Donald Trump's social media platform, Truth Social, was paralyzed by a DDoS attack just hours after the U.S. airstrikes. The hacker group “313 Team” claimed responsibility, stating the attack was in response to President Trump's announcement of the successful strikes on Iranian nuclear sites. The DHS emphasizes that this cyber activity reflects an increasing shift of geopolitical tensions into the digital space, further intensifying the cyber security concerns.

Recommended read:
References :
  • thehackernews.com: The United States government has warned of cyber attacks mounted by pro-Iranian groups after it launched airstrikes on Iranian nuclear sites as part of the Iran–Israel war that commenced on June 13, 2025.
  • www.cybersecuritydive.com: Federal officials are warning that pro-Iran hacktivists or state-linked actors may target poorly secured U.S. networks.
  • www.scworld.com: Feds tell companies to prepare for cyberattacks on U.S. systems.
  • Cyber Florida at USF: CIP Flash Bulletin | Heightened Iranian Cyber Threat Activity
  • cyble.com: The U.S. has become a target in the hacktivist attacks that have embroiled several Middle Eastern countries since the start of the Israel-Iran conflict.
  • thecyberexpress.com: Iran-aligned hacktivists launched DDoS attacks against 15 U.S. organizations and 19 websites in the first 24 hours after the U.S. bombed Iranian nuclear targets on June 21, Cyble threat intelligence researchers reported today.
  • www.dhs.gov: U.S. entry into the conflict has drawn retaliation from hacktivist groups, with attack claims ranging from credible to questionable. In the wake of the U.S. involvement, the Department of Homeland Security (DHS) on June 22 that “Low-level cyber attacks against US networks by pro-Iranian hacktivists are likely, and affiliated with the Iranian government may conduct attacks against US networks.
  • www.esecurityplanet.com: US Warns of Iranian Cyber Threats as Tensions Rise Over Middle East Conflict
  • www.cybersecuritydive.com: DHS Warns of Heightened Cyber Threat as US Enters Iran Conflict
  • techcrunch.com: Homeland Security warns of Iran-backed cyberattacks targeting US networks
@www.elliptic.co //

Israel and Iran Cyber Conflict Intensifies Financial Targets - Cyber warfare escalates between Israel and Iran, targeting financial systems and critical infrastructure, leading to internet shutdowns and significant disruptions.
Cyber warfare between Israel and Iran has significantly escalated, marked by disruptions to financial systems and critical infrastructure. In response to recent cyberattacks, the Iranian government admitted to shutting down the internet to protect against further Israeli incursions. This near-total internet blackout has severely limited Iranians' access to information about the ongoing conflict and their ability to communicate with loved ones both inside and outside the country. The government cited hacks on Bank Sepah and the cryptocurrency exchange Nobitex as reasons for restricting internet access.

The cyberattacks included a major outage at Bank Sepah, where the attackers, a group called Predatory Sparrow, claimed to have deleted data, exfiltrated internal documents, and destroyed backups. Predatory Sparrow also claimed responsibility for draining over $90 million in cryptocurrency from Nobitex, Iran's largest crypto exchange, rendering the stolen funds inaccessible. The group, which purports to be pro-Israel hacktivists, has previously disrupted key services in Iran, such as gas stations and steel plants.

The U.S. cybersecurity groups have issued advisories warning that Iranian-affiliated threat actors may retaliate globally, targeting American companies in sectors like energy, finance, healthcare, and logistics. These alerts urge CISOs to elevate monitoring and reinforce incident response protocols due to the heightened geopolitical risk. The cyber conflict between Israel and Iran marks a significant turning point, with potential global implications for cybersecurity.

Recommended read:
References :
  • techcrunch.com: NEW: Iran's government has now admitted that it took down the internet in the country, arguing that it did to protect against Israeli cyberattacks. I spoke to two Iranians who live abroad and can't communicate with their loved ones back home because of the blackout. "I haven’t heard from them in two days, but someone is supposed to update me. I hope everything is okay," Amir Rashidi told me.
  • SecureWorld News: As kinetic conflict continues to unfold between Israel and Iran, a parallel battle is raging in cyberspace—one that is disrupting financial systems, wiping out crypto holdings, hijacking broadcast channels, and even triggering a near-total internet shutdown. The escalation marks one of the most comprehensive campaigns of cyber warfare in recent memory.
  • securityaffairs.com: Iran experienced a near-total national internet blackout
  • techcrunch.com: Iran’s government says it shut down internet to protect against cyberattacks
  • infosec.exchange: NEW: Iran's government has now admitted that it took down the internet in the country, arguing that it did to protect against Israeli cyberattacks. I spoke to two Iranians who live abroad and can't communicate with their loved ones back home because of the blackout.
  • Web3 is Going Just Great: Israeli-linked hackers steal and destroy $90 million from Iranian Nobitex exchange
  • industrialcyber.co: Radware reports hybrid warfare as cyberattacks, disinformation escalate in 2025 Israel-Iran conflict
  • nsfocusglobal.com: The Hacktivist Cyber Attacks in the Iran-Israel Conflict
  • ThreatMon: Iran-Israel Cyber Conflict Analysis of Threat Actors
Matt Burgess@WIRED //

Iran Shuts Down Internet Amid Cyberattack Fears - The Iranian government admits to shutting down the internet to protect against cyberattacks, citing recent hacks on Bank Sepah and cryptocurrency exchange Nobitex, raising concerns about censorship and access to information.
References: techcrunch.com , WIRED , SecureWorld News ...
The Iranian government has admitted to shutting down internet access across the country, citing the need to protect against ongoing Israeli cyberattacks. This drastic measure, implemented in the midst of escalating tensions and kinetic conflict between the two nations, has resulted in a near-total national internet blackout, severely limiting Iranians' access to vital information and their ability to communicate with loved ones both within and outside the country. The government's spokesperson, Fatemeh Mohajerani, stated that the decision was made due to witnessing cyberattacks on critical infrastructure and disruptions in banking systems, also referencing recent hacks on Bank Sepah and the Nobitex cryptocurrency exchange.

The internet shutdown, described as the "worst" in the history of Iran's internet control, began on June 18th and continued into the next day, with monitoring firm NetBlocks reporting a connectivity drop of over 97%. Doug Madory, director of internet analysis at Kentik, noted a 54% drop in connectivity on June 13th, followed by another 49% on June 17th, and a further 90% decrease on Wednesday. This unprecedented defensive maneuver, described as Iran National Internet Infrastructure Throttling: Cyber Defense Strategy to Prevent Attacks Amid Regional Conflict, reflects an attempt to establish a digital choke point and stymie the propagation of rapidly executed cyber intrusions, such as DDoS attacks and malware spread.

The cyber conflict between Israel and Iran has intensified, with a group called Predatory Sparrow claiming responsibility for attacks on Iranian institutions. These attacks included major outages at Bank Sepah and the draining of over $90 million in cryptocurrency from Nobitex. Additionally, reports emerged of Predatory Sparrow infiltrating Iran's state broadcast systems to display protest imagery and anti-regime messages. The internet restrictions are pushing Iranian citizens toward domestic apps, which may not be secure, adding to the dangers faced by civilians amid Israeli bombings and creating a cybersecurity watershed moment with potential global implications.

Recommended read:
References :
  • techcrunch.com: NEW: Iran's government has now admitted that it took down the internet in the country, arguing that it did to protect against Israeli cyberattacks.
  • WIRED: Iran’s Internet Blackout Adds New Dangers for Civilians Amid Israeli Bombings | WIRED
  • Rescana: Iran National Internet Infrastructure Throttling: Cyber Defense Strategy to Prevent Attacks Amid Regional Conflict
  • SecureWorld News: As kinetic conflict continues to unfold between Israel and Iran, a parallel battle is raging in cyberspace—one that is disrupting financial systems, wiping out crypto holdings, hijacking broadcast channels, and even triggering a near-total internet shutdown.
  • infosec.exchange: NEW: Iran's government has now admitted that it took down the internet in the country, arguing that it did to protect against Israeli cyberattacks.
  • techcrunch.com: Iran’s government says it shut down internet to protect against cyberattacks The government cited the recent hacks on Bank Sepah and cryptocurrency exchange Nobite as reasons to shut down internet access to virtually all Iranians.
  • securityaffairs.com: Iran experienced a near-total internet blackout on Wednesday as tensions with Israel escalated into the first week of conflict.
Rescana@Rescana //

Iran Increasing Cyberattacks Amidst Regional Conflict - Amidst escalating regional conflicts, Iran shut down internet access, impacting communication and raising concerns about cyber warfare, while facing cyber threats from entities like Israeli-linked hackers.
References: infosec.exchange , WIRED ,
Amidst escalating regional conflicts, Iran has taken the drastic measure of shutting down internet access for its citizens, a move the government defends as a necessary precaution against Israeli cyberattacks. This disruption has severely impacted communication within the country, leaving Iranians abroad unable to connect with loved ones. One such individual, Amir Rashidi, expressed his anxiety, stating he hadn't heard from his family in two days and was relying on someone else for updates. The situation highlights the growing intersection of cyber warfare and real-world consequences for civilians.

The internet blackout is not the first instance of Iran limiting connectivity. In the past, similar restrictions were imposed during periods of political unrest, such as protests in 2019 and 2022. These shutdowns are implemented by pushing people towards domestic apps, which are often less secure, while also severely restricting access to vital information. Experts like Doug Madory from Kentik have documented significant drops in internet connectivity within Iran following recent Israeli airstrikes, with reductions of 54% initially, followed by further declines of 49% and, subsequently, a staggering 90%.

In a defensive maneuver against cyber threats, Iran is throttling its National Internet Infrastructure. The country claims it is restricting internet connectivity to counter cyber attacks amid regional conflict. The stated aim is to impede cyber intrusions and the synchronization of adversarial operations. An example of the threats Iran faces is demonstrated by the Israeli-linked hackers who seized and burned $90 million from Iran's Nobitex exchange.

Recommended read:
References :
  • infosec.exchange: NEW: Iran's government has now admitted that it took down the internet in the country, arguing that it did to protect against Israeli cyberattacks. I spoke to two Iranians who live abroad and can't communicate with their loved ones back home because of the blackout.
  • WIRED: Iran is limiting internet connectivity for citizens amid Israeli airstrikes—pushing people towards domestic apps, which may not be secure, and limiting their ability to access vital information. —
  • Rescana: Iran National Internet Infrastructure Throttling: Cyber Defense Strategy to Prevent Attacks Amid Regional Conflict
Nicholas Kitonyi@NFTgators //

Pro-Israel Hackers Steal From Iranian Crypto Exchange - A pro-Israel hacking group, Predatory Sparrow, attacked Iran’s Nobitex crypto exchange, stealing and destroying $90M in cryptocurrency to send an anti-government message.
A pro-Israel hacking group, known as Predatory Sparrow, has claimed responsibility for a cyberattack against Nobitex, Iran’s largest cryptocurrency exchange. The attack resulted in the theft of approximately $90 million in various cryptocurrencies, including Bitcoin and Dogecoin, as well as over 100 other cryptocurrencies. According to blockchain analytics firm Elliptic, the funds were drained from the exchange’s wallets into blockchain addresses containing anti-government messages explicitly referencing Iran's Islamic Revolutionary Guard Corps (IRGC).

The attackers, instead of attempting to profit financially, intentionally destroyed the stolen cryptocurrency in what has been described as a symbolic political statement. The funds were sent to blockchain addresses with the phrase "F***iRGCTerrorists" embedded within them. Experts say that generating addresses with such specific terms requires significant computing power, suggesting the primary goal was to send a message rather than to gain financially. The incident underscores the rising geopolitical tensions between Israel and Iran and the vulnerability of cryptocurrency exchanges to politically motivated cyberattacks.

The cyberattack on Nobitex is part of a broader pattern of cyber warfare between Israel and Iran. While the physical conflict has seen airstrikes and other military actions, the digital realm has become another battleground, with potentially significant repercussions for both countries and the wider global community. This incident also follows reports of internet restrictions within Iran, limiting citizens' access to information and communication amidst escalating tensions. The global cybersecurity community needs to stay prepared for security repercussions for the two combatants and the wider global community as the cyberwarfare portion of the conflict is already spilling over off the battlefield and outside the region.

Recommended read:
References :
  • Zack Whittaker: This article also discusses the attack against Nobitex, noting the financial losses and the involvement of a pro-Israel hacking group.
  • techcrunch.com: This news source provides information about the attack against Nobitex, mentioning the theft and destruction of cryptocurrency.
  • Metacurity: This article reports on the attack against Nobitex by the Predatory Sparrow group, highlighting the financial impact and geopolitical context of the event.
  • NFTgators: This news piece details the financial impact of the attack on Nobitex and the potential geopolitical implications.
  • WIRED: This article covers the same event with additional details about the actions of the attacker group and their motives.
  • aboutdfir.com: Pro-Israel hackers drained $90 million from Iran crypto exchange, analytics firm says
  • fortune.com: Pro-Israel group hacks Iranian crypto exchange for $90 million—but throws away the money
  • SecureWorld News: As kinetic conflict continues to unfold between Israel and Iran, a parallel battle is raging in cyberspace—one that is disrupting financial systems, wiping out crypto holdings, hijacking broadcast channels, and even triggering a near-total internet shutdown.
  • Web3 is Going Just Great: Israeli-linked hackers steal and destroy $90 million from Iranian Nobitex exchange The Iran-based Nobitex cryptocurrency exchange suffered a $90 million hack, and the attacker has also promised to imminently release data and source code from the platform.
  • www.elliptic.co: The Iran-based Nobitex cryptocurrency exchange suffered a $90 million hack, and the attacker has also promised to imminently release data and source code from the platform.
Ben Weiss@fortune.com //

Iran Crypto Exchange Hacked by Predatory Sparrow - Pro-Israel hacktivist group Predatory Sparrow claimed responsibility for hacking Iran’s largest crypto exchange, Nobitex, resulting in the theft and destruction of approximately $90 million in cryptocurrency.
A pro-Israel hacktivist group known as Predatory Sparrow has claimed responsibility for a cyberattack on Nobitex, Iran's largest cryptocurrency exchange. The attack resulted in the theft and destruction of approximately $90 million in cryptocurrency. The group stated that Nobitex was targeted for allegedly financing terrorism and evading international sanctions for the Iranian regime. This incident highlights the increasing cyber conflict between Israel and Iran, with hacktivist groups playing a significant role in disruptive operations.

The hackers reportedly sent the stolen funds to inaccessible blockchain addresses, effectively "burning" the cryptocurrency and taking it out of circulation. Blockchain analysis firm Elliptic confirmed the transfer of over $90 million to multiple vanity addresses containing variations of "F--kIRGCterrorists" within their public key. This symbolic act suggests the intention was to send a political message rather than financial gain. It has been noted that Nobitex has over 10 million customers, raising concerns about the potential impact of the breach.

The attack on Nobitex follows a recent claim by Predatory Sparrow of hacking Bank Sepah, another major Iranian financial institution. These cyberattacks come amid escalating tensions and exchanges of airstrikes between Israel and Iran. Cybersecurity experts warn of a growing digital conflict unfolding behind the scenes, with the potential for broader spillover effects. The situation emphasizes the vulnerability of cryptocurrency exchanges to sophisticated cyberattacks and the need for enhanced cybersecurity measures.

Recommended read:
References :
  • infosec.exchange: LorenzoFB post on Infosec Exchange about the group claiming responsibility for Iranian Bank Hack.
  • techcrunch.com: TechCrunch article on pro-Israel hacktivist group claiming responsibility for Iranian bank hack
  • Risky Business Media: Risky Bulletin: Israel-linked hackers claim Iran bank disruption
  • techcrunch.com: Iran’s largest crypto exchange Nobitex said it was hacked and funds drained. Pro-Israel hacking group Predatory Sparrow claimed responsibility for the hack, which saw the group steal and destroy some $90 million in cryptocurrency from the Iranian exchange.
  • CyberScoop: Iran’s financial sector takes another hit as largest crypto exchange is targeted
  • fortune.com: The hackers, who call themselves Predatory Sparrow, sent the funds to likely inaccessible blockchain addresses, burning the cryptocurrency.
  • Zack Whittaker: Iran’s largest crypto exchange Nobitex said it was hacked and funds drained. Pro-Israel hacking group Predatory Sparrow claimed responsibility for the hack, which saw the group steal and destroy some $90 million in cryptocurrency from the Iranian exchange.
  • www.nftgators.com: Pro-Israeli Hacker Group Drains $90M from Iranian Crypto Exchange Nobitex
  • bsky.app: My latest for BBC Persian: 'Predatory Sparrow' hackers stole $90 million from Iranian cryptocurrency company to 'send a message'.
  • WIRED: Israel-Tied Predatory Sparrow Hackers Are Waging Cyberwar on Iran’s Financial System
  • NFTgators: Pro-Israeli Hacker Group Drains $90M from Iranian Crypto Exchange Nobitex.
  • Metacurity: Metacurity reports on the Predatory Sparrow group's activities, including the Nobitex attack and other Iranian targets.
  • Risky Business Media: Tom Uren and Patrick Gray talk about a Minnesota man who used people-search services to locate, stalk and eventually murder political targets. They also discuss purported hacktivist group Predatory Sparrow weighing in on the Iran-Israel conflict. It has attacked Iran’s financial system including a bank associated with the Iranian Revolutionary Guard Corp and also burnt USD$90 million worth of cryptocurrency from an Iranian exchange This episode is also available on Youtube.
  • aboutdfir.com: Pro-Israel hackers drain $90 million from Iran crypto exchange, analytics firm says  Iran’s largest cryptocurrency exchange, Nobitex, was hacked for more than $90 million Wednesday, according to blockchain analytics firm Elliptic.
  • SecureWorld News: Israel–Iran Conflict Escalates in Cyberspace: Banks and Crypto Hit, Internet Cut
  • www.metacurity.com: Israeli-linked hackers seized and burned $90 million from Iran's Nobitex exchange
  • aboutdfir.com: Pro-Israel hackers drain $90 million from Iran crypto exchange, analytics firm says 
  • The Hacker News: Iran's State TV Hijacked Mid-Broadcast Amid Geopolitical Tensions; $90M Stolen in Crypto Heist
  • CyberScoop: This article reports on the cyberattack claimed by Predatory Sparrow against Iran's Bank Sepah.
  • cyberriskleaders.com: This episode of Risky Business discusses the $90 million crypto hack of the Iranian exchange, Nobitex, and other recent cybersecurity incidents in the context of the Israeli-Iranian conflict. The hosts, Patrick Gray and Adam Boileau, are joined by special guest Chris Krebs to discuss various threat actor tactics and trends.
  • www.elliptic.co: The Israeli-linked Gonjeshke Darande hacking group claimed responsibility for the attack.
  • Industrial Cyber: Radware reports hybrid warfare as cyberattacks, disinformation escalate in 2025 Israel-Iran conflict
  • Web3 is Going Just Great: The Iran-based Nobitex cryptocurrency exchange suffered a $90 million hack, and the attacker has also promised to imminently release data and source code from the platform.
  • industrialcyber.co: Radware reports hybrid warfare as cyberattacks, disinformation escalate in 2025 Israel-Iran conflict
  • Risky Business Media: Russian hackers abuse app-specific passwords to bypass multi-factor, the tenth Salt Typhoon victim is identified, Predatory Sparrow destroys $90 million from an Iranian crypto-exchange, and Argentina arrests a Russian disinfo gang.
  • Risky Business Media: Between Two Nerds: The evil genius of Predatory Sparrow
@therecord.media //

Iranian APT BladedFeline Espionage Campaign Unveiled by ESET - ESET researchers have uncovered an Iranian APT group named BladedFeline targeting government and telecom networks in Kurdistan, Iraq, and Uzbekistan since 2017, utilizing malware like Whisper and Spearal for cyber espionage.
ESET researchers have revealed a long-running cyber espionage campaign conducted by an Iranian APT group named BladedFeline. The group has been actively targeting government and telecom networks in Kurdistan, Iraq, and Uzbekistan since at least 2017. BladedFeline is believed to be a subgroup of OilRig, a well-documented Iranian state-backed actor, and has managed to stay undetected within these networks for approximately eight years, continually expanding its cyber espionage capabilities.

BladedFeline utilizes a variety of malicious tools for maintaining and expanding access within targeted organizations. Notable malware includes Shahmaran, a simple backdoor used against Kurdish diplomatic officials, and more sophisticated tools like Whisper and PrimeCache. Whisper communicates with attackers through email attachments sent via compromised Microsoft Exchange webmail accounts, while PrimeCache bears similarities to RDAT, a backdoor previously associated with OilRig. Researchers suggest that BladedFeline may have initially gained access to Iraqi government systems by exploiting vulnerabilities in internet-facing servers, using a webshell called Flog to maintain control.

The group's targeting reflects Iran's strategic interests in the Middle East. The Kurdistan Regional Government's diplomatic relationships and oil reserves make it an attractive target for espionage, while the focus on Iraqi governmental circles suggests an attempt to counter Western influence. ESET warns that BladedFeline is likely to continue developing its malware arsenal to retain access to compromised systems for cyber espionage purposes. The discovery highlights the persistent threat posed by Iranian APT groups and the need for robust cybersecurity measures to protect critical infrastructure and sensitive government data.

Recommended read:
References :
  • cyberpress.org: Iranian APT ‘BladedFeline’ Stays Undetected in Networks for 8 Years
  • The Hacker News: Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with Whisper and Spearal Malware
  • therecord.media: Iran-linked hackers target Kurdish, Iraq cyber espionage
  • Cyber Security News: Iranian APT ‘BladedFeline’ Stays Undetected in Networks for 8 Years
  • Catalin Cimpanu: -New Imn Crew ransomware gang -Malware reports on ViperSoftX, Play ransomware, Chaos RAT -PathWiper destructive attacks hit Ukraine -UNC1151 targets Roundcube servers in Poland -Bitter APT formally linked to India -BladedFeline APT (aka Oilrig) op targets Iraq -OpenAI disrupts APTs and info-ops abusing ChatGPT -New Roundcube under attack -Cellebrite buys Corellium -OWASP Top 10 for Business Logic Abuse -YARA-X reaches v1.0
  • www.welivesecurity.com: ESET researchers analyse a cyberespionage campaign conducted by BladedFeline, an Iran-aligned APT group with likely ties to OilRig. The group added 2 reverse tunnels (Laret & Pinar), a backdoor (Whisper), a malicious IIS module (PrimeCache) & various tools
  • www.scworld.com: Multi-year cyberespionage campaign launched by BladedFeline APT
  • WeLiveSecurity: BladedFeline: Whispering in the dark
  • The Record: Researchers at ESET describe the activities of an Iran-linked group that has been operating since at least 2017, initially breaching systems belonging to the Kurdistan Regional Government and expanding its reach to the Central Government of Iraq as well as a telecommunications provider in Uzbekistan.
  • ciso2ciso.com: Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with Whisper and Spearal Malware – Source:thehackernews.com
  • ciso2ciso.com: Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with Whisper and Spearal Malware – Source:thehackernews.com
  • ESET Research: analyzed a campaign deployed by BladedFeline, an Iran-aligned threat actor with likely ties to . We discovered the campaign, which targeted Kurdish and Iraqi government officials, in 2024.
  • github.com: analyzed a campaign deployed by BladedFeline, an Iran-aligned threat actor with likely ties to . We discovered the campaign, which targeted Kurdish and Iraqi government officials, in 2024.
info@thehackernews.com (The@The Hacker News //

Iranian Hackers Target Middle East CNI in Long Term Attack - An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at critical national infrastructure (CNI) in the Middle East.
A long-term cyber intrusion aimed at critical national infrastructure (CNI) in the Middle East has been attributed to an Iranian state-sponsored threat group. The attack, which persisted from May 2023 to February 2025, entailed extensive espionage operations and suspected network prepositioning, a tactic used to maintain persistent access for future strategic advantage. The network security company noted that the attack exhibits tradecraft overlaps with Lemon Sandstorm (formerly Rubidium), also tracked as Parisite, Pioneer Kitten, and UNC757, an Iranian nation-state threat actor active since at least 2017.

The attackers gained initial access by exploiting stolen login credentials to access the victim's SSL VPN system, deploying web shells on public-facing servers, and deploying three backdoors: Havoc, HanifNet, and HXLibrary, for long-term access. They further consolidated their foothold by planting more web shells and an additional backdoor called NeoExpressRAT, using tools like plink and Ngrok to burrow deeper into the network, performing targeted exfiltration of the victim's emails, and conducting lateral movement to the virtualization infrastructure. In response to the victim's initial containment and remediation steps, the attackers deployed more web shells and two more backdoors, MeshCentral Agent and SystemBC.

Even after the victim successfully removed the adversary's access, attempts to infiltrate the network continued by exploiting known Biotime vulnerabilities and spear-phishing attacks aimed at employees to harvest Microsoft 365 credentials. Researchers identified an evolving arsenal of tools deployed throughout the intrusion, including both publicly available and custom-developed malware. The custom tools, such as NeoExpressRAT, a Golang-based backdoor with hardcoded command and control communication capabilities, allowed the threat actors to maintain persistent access while evading traditional detection methods.

Recommended read:
References :
  • The Hacker News: An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years.
  • cybersecuritynews.com: Threat Actors Target Critical National Infrastructure with New Malware and Tools
  • gbhackers.com: Threat Actors Target Critical National Infrastructure with New Malware and Tools
  • securityonline.info: Iranian APT Group Breaches Middle Eastern Critical Infrastructure in Stealth Campaign
  • Talkback Resources: Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware [ics] [net] [mal]
  • securityonline.info: Recently, the FortiGuard Incident Response (FGIR) team has released an in-depth analysis detailing a prolonged, state-sponsored intrusion into The post appeared first on .
  • gbhackers.com: A recent investigation by the FortiGuard Incident Response (FGIR) team has uncovered a sophisticated, long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East, attributed to an Iranian state-sponsored threat group.
  • www.scworld.com: Middle Eastern critical infrastructure targeted by long-term Iranian cyberattack
  • industrialcyber.co: Fortinet’s FortiGuard Labs uncovers multi-year state-sponsored cyber intrusion targeting Middle East critical infrastructure
  • Industrial Cyber: Fortinet’s FortiGuard Labs uncovers multi-year state-sponsored cyber intrusion targeting Middle East critical infrastructure
  • Virus Bulletin: Fortinet's IR team investigate an Iranian-led long-term intrusion on critical infrastructure in the Middle East. Attackers used stolen VPN creds, in-memory loaders for Havoc/SystemBC, and backdoors like HanifNet, HXLibrary, and NeoExpressRAT.

Posts

Blogs

Research Tools