Mideast infrastructure hit by advanced, 2-year cyber-espionage attack: Fortinet

Daily News Egypt

A state-sponsored hacking group conducted a nearly two-year cyber-espionage campaign targeting critical national infrastructure (CNI) in the Middle East, using novel malware to breach and maintain access across both IT and operational technology (OT) networks, according to a new report.

The investigation by Fortinet’s FortiGuard Labs Incident Response (FGIR) team detailed a persistent intrusion from 2023 to early 2025, which involved sustained espionage and suspected network prepositioning for potential future attacks.

During the multi-phase operation, the threat actor gained initial entry using compromised VPN credentials and deployed multiple custom backdoors, including malware identified as HanifNet, HXLibrary, and NeoExpressRAT. The group then bypassed network segmentation using proxy tools such as Ngrok and ReverseSocks5 to move between the organisation’s information technology (IT) and operational technology (OT) environments.

While the report confirmed no disruption to OT systems, it noted significant reconnaissance activity within these restricted networks. The attackers also targeted virtualisation infrastructure to deepen their access. Even after being removed from the network, the group made repeated attempts to re-establish a foothold by exploiting third-party software and using phishing attacks, signalling a long-term strategic objective.

The findings mirror a broader trend detailed in Fortinet’s 2024 State of Operational Technology and Cybersecurity Report. According to that report, 73% of OT organisations globally have now experienced cyber intrusions, a significant increase from 49% in 2023. Attacks targeting OT systems specifically also rose to 24%, up from 17% the previous year.

This trend has led to a shift in oversight, with 60% of organisations now reporting that responsibility for OT cybersecurity rests at the executive level with the CISO, CIO, or COO.

Fortinet’s 2025 Global Threat Landscape Report also noted that state-sponsored groups remain highly active, primarily targeting government, technology, and education sectors. The Middle East remains a high-risk region, with Europe, the Middle East, and Africa (EMEA) accounting for 26% of all recorded global exploitation attempts. The report also linked over 60% of global hacktivist campaigns to geopolitical causes.

To defend against such persistent and well-resourced adversaries, FortiGuard Labs recommends that organisations prioritise several key defensive measures. These include enforcing multi-factor authentication (MFA) and regular credential rotation, deploying a zero-trust architecture with network segmentation, and implementing endpoint detection and response (EDR) with behavioural analytics.
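The intrusion chain described above (compromised VPN credentials, proxy tools such as Ngrok and ReverseSocks5, and IT-to-OT lateral movement) maps directly onto the detections a defender would want behind the recommended EDR and segmentation controls. The following Python script is an added example, not code from the Fortinet report or from Daily News Egypt; the subnets, the jump host address, the tool-name list and every log event in it are constructed assumptions, so the values must be replaced with an organisation's own network plan before use.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed network plan (assumption; not taken from the report).
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("10.50.0.0/16")]
# The only host sanctioned to reach OT from IT (assumption).
JUMP_HOSTS = {ipaddress.ip_address("10.10.200.5")}
# Proxy/tunnelling tools the report names as used to cross segmentation.
TUNNEL_TOOLS = {"ngrok", "ngrok.exe", "reversesocks5", "reversesocks5.exe"}


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def check_process(ev):
    """Flag a launch of a known tunnelling/proxy binary on any host."""
    if ev["type"] != "process":
        return None
    name = ev["image"].rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()
    if name in TUNNEL_TOOLS:
        return {"rule": "tunnel_tool", "host": ev["host"], "image": ev["image"]}
    return None


def check_flow(ev):
    """Flag an IT->OT connection that does not originate from the jump host."""
    if ev["type"] != "flow":
        return None
    src = ipaddress.ip_address(ev["src"])
    dst = ipaddress.ip_address(ev["dst"])
    if _in_any(src, IT_NETS) and _in_any(dst, OT_NETS) and src not in JUMP_HOSTS:
        return {"rule": "it_to_ot_bypass", "src": ev["src"],
                "dst": ev["dst"], "dport": ev["dport"]}
    return None


def check_vpn(events, window=timedelta(minutes=10), min_sources=3):
    """Flag one VPN account logging on from >= min_sources distinct IPs
    inside a short window, a common sign of a shared or stolen credential."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["type"] == "vpn_logon":
            by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev["src"]))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            srcs = {s for t, s in logons[i:] if t - t0 <= window}
            if len(srcs) >= min_sources:
                alerts.append({"rule": "vpn_multi_source", "user": user,
                               "sources": sorted(srcs)})
                break
    return alerts


def analyse(events):
    """Run every per-event check, then the windowed VPN check; return alerts."""
    alerts = []
    for ev in events:
        for check in (check_process, check_flow):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    alerts.extend(check_vpn(events))
    return alerts


# Constructed sample telemetry (synthetic, not real data).
EVENTS = [
    {"type": "vpn_logon", "ts": "2024-03-01T08:00:00", "user": "jdoe", "src": "203.0.113.10"},
    {"type": "vpn_logon", "ts": "2024-03-01T08:03:00", "user": "jdoe", "src": "198.51.100.7"},
    {"type": "vpn_logon", "ts": "2024-03-01T08:06:00", "user": "jdoe", "src": "192.0.2.44"},
    {"type": "vpn_logon", "ts": "2024-03-01T09:00:00", "user": "asmith", "src": "203.0.113.11"},
    {"type": "process", "host": "IT-WS-17",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\ngrok.exe"},
    {"type": "process", "host": "IT-WS-17", "image": "C:\\Windows\\System32\\svchost.exe"},
    {"type": "flow", "src": "10.10.33.21", "dst": "10.50.1.8", "dport": 502},   # workstation -> PLC
    {"type": "flow", "src": "10.10.200.5", "dst": "10.50.1.8", "dport": 3389},  # via jump host
    {"type": "flow", "src": "10.10.33.21", "dst": "10.10.40.2", "dport": 445},  # IT-internal
]

if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(alert)
```

The three rules correspond to the three controls the article lists: the VPN check backs MFA and credential rotation by surfacing accounts whose credentials are clearly in more than one place, the flow check makes a segmentation policy observable rather than assumed, and the process check is the kind of behavioural rule an EDR would carry for tunnelling tools. In production the tool list would be one signal among several (hash, signer, parent process), since renaming a binary defeats a name match.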

The report concluded that this investigation highlights the evolving nature of state-backed cyber threats and underscores the growing need for continuous monitoring and adaptive defence strategies to protect critical infrastructure.
