Iranian Cyber Espionage: Lemon Sandstorm’s Prolonged Attack on Middle East Critical Infrastructure


Introduction

Between May 2023 and February 2025, the Iranian state-sponsored hacking group Lemon Sandstorm, also known as Rubidium, Parisite, Pioneer Kitten, or UNC757, conducted a sophisticated and prolonged cyber espionage campaign targeting critical infrastructure in the Middle East. Exploiting vulnerabilities in VPN systems from Fortinet, Pulse Secure, and Palo Alto Networks, the group deployed web shells and eight custom tools to maintain persistent access, steal sensitive data, and preposition networks for potential future attacks. Active since at least 2017, Lemon Sandstorm has a global reach, targeting sectors such as aerospace, oil and gas, water, and electric utilities across the Middle East, United States, Europe, and Australia. This article delves into the details of the 2023–2025 campaign, the group’s tactics, the impact on critical infrastructure, and the broader implications for global cybersecurity.

The Campaign: A Two-Year Intrusion

Timeline and Scope

The Lemon Sandstorm campaign, detailed by Fortinet’s FortiGuard Incident Response (FGIR) team, spanned from May 2023 to February 2025, targeting a critical national infrastructure (CNI) entity in the Middle East. The operation involved extensive espionage and network prepositioning, a tactic used to maintain long-term access for strategic advantage. Despite remediation efforts by the victim, the group persistently attempted to regain access, demonstrating their determination and technical prowess. The campaign unfolded in four distinct phases, each marked by evolving tactics and tools tailored to counter the victim’s defenses.

Targeted Sectors

Lemon Sandstorm’s focus on critical infrastructure reflects Iran’s strategic priorities, particularly in the Middle East, where control over energy and water resources is geopolitically significant. The group targeted:

  • Aerospace: Seeking intellectual property and defense-related data.
  • Oil and Gas: Aiming to disrupt energy supply chains and gather intelligence on production capabilities.
  • Water: Targeting systems critical to public health and economic stability.
  • Electric Utilities: Probing for vulnerabilities that could enable disruptive attacks, though no physical disruptions were reported.

The group’s global operations have also hit similar sectors in the U.S., Europe, and Australia, indicating a broad intelligence-gathering agenda.

Lemon Sandstorm: Profile of a State-Sponsored Threat

Background and Affiliations

Lemon Sandstorm, active since at least 2017, is assessed to be a state-sponsored group with ties to Iran’s Islamic Revolutionary Guard Corps (IRGC). Known by multiple aliases, including Rubidium, Parisite, Pioneer Kitten, and UNC757, the group has a history of targeting critical infrastructure and conducting ransomware attacks. In 2024, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) linked Lemon Sandstorm to ransomware operations in collaboration with groups like AlphV, Ransomhouse, and NoEscape, suggesting a dual role in espionage and monetized cybercrime.

Global Track Record

Lemon Sandstorm’s past activities include:

  • 2023 Ransomware Attacks: Deploying ransomware against entities in the U.S., Israel, Azerbaijan, and the UAE, as reported by U.S. cybersecurity agencies.
  • 2020 U.S. Election Interference: The group’s affiliate, Emennet Pasargad (tracked as Cotton Sandstorm), was sanctioned by the U.S. Treasury for attempting to undermine the 2020 presidential election.
  • 2021–2022 U.S. Infrastructure Attacks: A subgroup of Mint Sandstorm, related to Lemon Sandstorm, targeted U.S. seaports, energy companies, and transit systems in retaliation for attacks on Iranian infrastructure.

These incidents highlight Lemon Sandstorm’s operational flexibility and alignment with Iran’s geopolitical objectives, including retaliation against perceived adversaries like Israel and the U.S.

Tactics, Techniques, and Procedures (TTPs)

Lemon Sandstorm’s 2023–2025 campaign showcased a sophisticated and adaptive approach, leveraging both known vulnerabilities and custom tools. The campaign progressed through four stages:

Stage 1: Initial Access (May 2023 – April 2024)

The attackers gained entry by exploiting vulnerabilities in VPN systems, including:

  • Fortinet FortiOS (CVE-2018-13379): Allowed system file downloads.
  • Pulse Secure (CVE-2019-11510): Enabled arbitrary file reading.
  • Palo Alto Networks (CVE-2019-1579): Permitted arbitrary code execution.

Using stolen credentials, the group accessed the victim’s SSL VPN system, deploying web shells on public-facing servers and three backdoors—Havoc, HanifNet, and HXLibrary—for persistent access. The National Security Agency (NSA) and UK’s NCSC had previously warned about state-sponsored actors exploiting these flaws.

Stage 2: Consolidation and Expansion (April 2024 – November 2024)

The attackers deepened their foothold by:

  • Deploying additional web shells, including RecShell and DropShell, for reconnaissance and file uploads.
  • Planting NeoExpressRAT, a backdoor using Discord for command-and-control (C2) communication.
  • Using tools like plink and Ngrok to tunnel deeper into the network.
  • Conducting targeted email exfiltration and lateral movement to virtualization infrastructure.

This phase focused on consolidating access and preparing for data theft.

Stage 3: Advanced Tool Deployment (November 2023 – December 2024)

As the victim implemented countermeasures, Lemon Sandstorm introduced more sophisticated tools:

  • CredInterceptor: A DLL-based tool to harvest credentials from Windows LSASS process memory.
  • RemoteInjector: A loader for executing payloads like Havoc.
  • DarkLoadLibrary: An open-source loader for SystemBC, enhancing C2 capabilities.

The group’s reconnaissance targeted the victim’s Operational Technology (OT) network, indicating an interest in systems adjacent to industrial control systems (ICS).

Stage 4: Persistent Attempts (Post-February 2025)

Even after remediation, Lemon Sandstorm continued efforts to regain access, using updated C2 infrastructure (e.g., apps.gist.githubapp[.]net and gupdate[.]net) previously linked to their operations. This persistence underscores the group’s strategic intent to maintain a foothold for future operations.

Command-and-Control Infrastructure

Lemon Sandstorm’s C2 infrastructure was notably resilient, leveraging chained proxies and cloud services to obscure their activities. The use of Discord for NeoExpressRAT’s C2 communication reflects an innovative approach to blending malicious traffic with legitimate platforms.

Impact on Critical Infrastructure

Operational and Strategic Implications

The Lemon Sandstorm campaign did not result in physical disruptions, such as power outages or water supply interruptions, but its impact was significant:

  • Data Exfiltration: The group stole sensitive emails and potentially other proprietary data, which could be used for intelligence or blackmail.
  • Network Prepositioning: By maintaining persistent access, Lemon Sandstorm positioned itself for future attacks, potentially including destructive malware like wipers, as seen in past Iranian campaigns (e.g., BiBi wiper against Israeli systems).
  • OT Network Reconnaissance: The focus on OT-adjacent systems suggests an intent to map critical infrastructure for potential sabotage, aligning with Iran’s interest in destabilizing regional adversaries.

Economic and Social Risks

Attacks on critical infrastructure, particularly water and energy sectors, pose severe risks. A successful disruption could lead to:

  • Economic Losses: Disrupted oil and gas production could spike global energy prices.
  • Public Health Crises: Compromised water systems could endanger public safety.
  • Geopolitical Tensions: Iran’s targeting of Middle Eastern infrastructure could escalate regional conflicts, especially with Gulf states like Saudi Arabia and the UAE.

The Middle East’s heavy investment in digital transformation, such as Saudi Arabia’s CyberIC program and the UAE’s cybersecurity budget, reflects growing awareness of these risks.

Broader Context: Iran’s Cyber Strategy

Geopolitical Motivations

Lemon Sandstorm’s campaign aligns with Iran’s broader cyber strategy, which emphasizes:

  • Retaliation: The group’s activities intensified following attacks on Iranian infrastructure, such as the 2021 gas station payment system outage, which Iran attributed to Israel and the U.S.
  • Regional Influence: Targeting Middle Eastern infrastructure strengthens Iran’s position against Gulf rivals and Israel.
  • Global Reach: Attacks on U.S. and European targets demonstrate Iran’s ambition to project power beyond its borders.

Collaboration with Other Actors

Lemon Sandstorm’s collaboration with ransomware groups like AlphV indicates a hybrid model blending state-sponsored espionage with cybercrime. This partnership allows Iran to monetize attacks while maintaining plausible deniability. The group’s use of the moniker “xplfinder” on cyber marketplaces further illustrates this dual role.

Comparison with Other Iranian Groups

Lemon Sandstorm shares tactics with other Iranian APTs, such as:

  • Mint Sandstorm (APT35, Charming Kitten): Known for targeting U.S. critical infrastructure and using custom malware like CharmPower.
  • Peach Sandstorm (APT33, Refined Kitten): Conducts password-spraying attacks and deploys backdoors like Tickler against defense and satellite sectors.
  • Cotton Sandstorm (Emennet Pasargad): Focuses on cyber-enabled influence operations, including AI-generated propaganda.

These groups collectively reflect Iran’s multifaceted cyber capabilities, ranging from espionage to influence operations and destructive attacks.

Response and Mitigation

Victim Response

The targeted CNI entity implemented countermeasures, including patching VPN vulnerabilities and restricting OT network access. However, Lemon Sandstorm’s persistent attempts to regain access highlight the challenge of fully eradicating a determined adversary. Fortinet’s involvement underscores the importance of external cybersecurity expertise in incident response.

Government and Industry Actions

The FBI, CISA, and international partners have issued advisories to counter Lemon Sandstorm’s tactics, recommending:

  • Patching Vulnerabilities: Apply updates for CVEs like CVE-2018-13379, CVE-2019-11510, and CVE-2019-1579.
  • Multi-Factor Authentication (MFA): Enforce MFA to mitigate password-spraying and brute-force attacks.
  • Network Segmentation: Isolate OT and IT networks to limit lateral movement.
  • Threat Detection: Monitor for indicators of compromise, such as Lemon Sandstorm’s C2 domains.
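As an added example (not code from the article or from Fortinet's report), the following Python script shows one concrete form of the Threat Detection recommendation above and the Command-and-Control Infrastructure section: it sweeps proxy-log lines for the two C2 domains named in Stage 4 and for Discord API traffic from server hosts, the pattern a NeoExpressRAT-style implant would produce. The log layout, the server asset tags and the sample lines are assumptions constructed for the example.

```python
import re

# Defanged C2 domains the article attributes to Lemon Sandstorm's Stage 4 infrastructure.
C2_DOMAINS_DEFANGED = ["apps.gist.githubapp[.]net", "gupdate[.]net"]

# Constructed asset tags: servers with no legitimate reason to reach a chat platform.
# A real deployment would pull this set from inventory rather than hard-code it.
SERVER_HOSTS = {"10.0.5.20", "10.0.5.21"}
DISCORD_HOSTS = {"discord.com", "discordapp.com"}

# Assumed proxy-log layout for this example: "<timestamp> <src_ip> <dest_host> <method> <path>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def refang(indicator: str) -> str:
    """Convert a defanged indicator ('gupdate[.]net') into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

def is_c2_domain(host: str) -> bool:
    """True for an exact C2 domain or any subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def triage(log_lines):
    """Return (timestamp, src_ip, dest_host, reason) for each line worth an analyst's attention."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the whole sweep
        ts, src, host, _method, path = m.groups()
        if is_c2_domain(host):
            alerts.append((ts, src, host, "known Lemon Sandstorm C2 domain"))
        elif host.lower() in DISCORD_HOSTS and path.startswith("/api/") and src in SERVER_HOSTS:
            alerts.append((ts, src, host, "Discord API call from a server host (NeoExpressRAT-style C2)"))
    return alerts

# Constructed sample log: timestamps, addresses and paths are invented, not from any real incident.
SAMPLE_LOG = """\
2025-02-10T08:01:12Z 10.0.5.20 discord.com GET /api/v9/channels/1122/messages
2025-02-10T08:01:13Z 10.0.7.44 discord.com GET /api/v9/gateway
2025-02-10T08:02:40Z 10.0.5.21 gupdate.net GET /update
2025-02-10T08:03:05Z 10.0.5.21 cdn.apps.gist.githubapp.net POST /g
2025-02-10T08:04:00Z 10.0.7.44 www.example.com GET /
""".splitlines()

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(*alert)
```

The workstation at 10.0.7.44 reaching Discord is deliberately not flagged: the rule keys on asset role, not on the platform alone, which keeps the alert volume manageable on networks where Discord is legitimately used.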

The UAE and Saudi Arabia have ramped up cybersecurity investments, with initiatives like Saudi Aramco’s $9 million investment in AI-powered startup SpiderSilk.

Challenges in Remediation

Patching vulnerabilities in critical infrastructure is complex due to:

  • Legacy Systems: Many OT systems run outdated software, making them vulnerable to known exploits.
  • Operational Downtime: Patching requires system restarts, which can disrupt critical services.
  • Resource Constraints: Organizations often lack the budget or expertise for comprehensive cybersecurity.

Implications for Global Cybersecurity

Evolving Threat Landscape

Lemon Sandstorm’s campaign highlights several trends:

  • Custom Malware Proliferation: The group’s eight custom tools demonstrate Iran’s investment in bespoke cyber capabilities.
  • Cloud and Social Media Exploitation: Using Discord and cloud services for C2 reflects a shift toward leveraging legitimate platforms.
  • OT Targeting: Increased focus on OT systems signals a growing risk of physical disruptions.

Policy and Defense Recommendations

To counter such threats, organizations and governments should:

  • Adopt Zero Trust Architecture: Assume networks are compromised and enforce strict access controls.
  • Enhance Threat Intelligence Sharing: Collaborate across borders to track groups like Lemon Sandstorm.
  • Regulate Critical Infrastructure: Mandate cybersecurity standards for sectors like water and energy.
  • Invest in AI Defenses: Use AI to detect anomalies and automate threat response, as seen in Saudi Arabia’s initiatives.

Geopolitical Ramifications

Iran’s cyber operations, including Lemon Sandstorm’s campaign, could escalate tensions with the U.S., Israel, and Gulf states. The group’s prepositioning suggests preparedness for retaliatory strikes, potentially triggered by events like further sanctions or military actions. The Middle East’s role as a cyber battleground underscores the need for diplomatic efforts to establish cyber norms.

Conclusion

Lemon Sandstorm’s 2023–2025 campaign against Middle East critical infrastructure reveals the sophistication and persistence of Iranian state-sponsored cyber actors. By exploiting VPN flaws, deploying custom tools, and targeting sectors like oil, gas, and water, the group has demonstrated its ability to infiltrate and preposition within high-value networks. While no physical disruptions occurred, the campaign’s focus on OT systems and data exfiltration raises concerns about future destructive potential. As Iran continues to refine its cyber capabilities, critical infrastructure operators must prioritize patching, segmentation, and threat detection to mitigate risks. The international community, meanwhile, faces the challenge of countering Iran’s cyber aggression while navigating the complex geopolitics of the Middle East. Lemon Sandstorm’s actions serve as a stark reminder that cybersecurity is now a frontline in global security.

Sources

  • Fortinet, “Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware”
  • CISA, “Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations”
  • Microsoft, “Rinse and Repeat: Iran Accelerates its Cyber Influence Operations Worldwide”
  • Positive Technologies, “Cybersecurity Threatscape in the Middle East: 2023–2024”
  • The Hacker News, “Fortinet Links Iranian APT Lemon Sandstorm to Stealthy Attack”
  • Posts on X, @ALkhammas2, @syedaquib77
