Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure
May 6, 2025, 8:13 p.m.
Description
This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multiple network segments. Key findings include the use of novel malware families like HanifNet and NeoExpressRAT, as well as extensive credential harvesting and lateral movement techniques. The intrusion demonstrated sophisticated evasion capabilities and targeted attempts to access operational technology networks. Forensic analysis revealed potential links to previously reported Iranian APT campaigns. The report provides detailed technical indicators and recommends enhanced logging, EDR deployment, and multi-factor authentication to defend against similar threats.
Tags
Date
- Created: May 6, 2025, 7:46 p.m.
- Published: May 6, 2025, 7:46 p.m.
- Modified: May 6, 2025, 8:13 p.m.
Indicators
- 84a1ef61993e15722bd6f2eb3f40ced6164332336be70817dd751abeccf30498
- 95.179.217.91
- 95.179.196.58
- 85.237.211.226
- 64.176.165.17
- 89.41.26.206
- 45.66.249.200
- 45.77.7.203
- 5.255.100.203
- 45.147.230.159
- 194.213.18.182
- 199.247.8.233
- 162.33.178.234
- 185.174.101.16
- 185.186.244.66
- 146.70.233.3
- 151.236.22.79
- 154.47.17.157
- 144.202.84.43
- 104.238.191.185
- s3.solarcom.ch
- s3.amazonaws.work
- connect.mozilla.one
- cluster.amazonaws.work
- cdn.update.net
- cdn.gupdate.net
- supportskype.com
- apps.gist.githubapp.net
- savooks.com
- hewlettpackardupdates.info
- encoremir.com
- appstgs.com
- amazonaws.work
- githubapp.net
- gupdate.net
Additional Informations
- Energy
- Government