
Report: Advanced Cyberattacks Hit Middle East Critical Infrastructure Over Two Years

FortiGuard Labs Uncovers Advanced Espionage Campaign Targeting IT/OT Systems

73% of OT Firms Targeted as Cyberattacks Escalate Across Critical Sectors

The FortiGuard Labs Incident Response (FGIR) team recently investigated a long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East.

The intrusion, attributed to a state-sponsored threat actor, involved sustained espionage operations and suspected network prepositioning. Over the course of nearly two years, the threat actor deployed novel malware, bypassed network segmentation, and made repeated attempts to maintain access across segmented IT and OT environments.

Advanced Malware and Persistent Access

The multi-phase intrusion detailed by FGIR spanned from 2023 to early 2025. The attacker initially gained entry using compromised VPN credentials, then established footholds using multiple custom backdoors including HanifNet, HXLibrary, and NeoExpressRAT. They bypassed segmentation using proxy tools such as Ngrok, ReverseSocks5, and plink, and targeted virtualization infrastructure to deepen access.
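The tunnelling tools named above (Ngrok, ReverseSocks5, plink) are a useful detection hook for defenders, because they have to be launched as processes on a host inside the segmented network before they can bridge it. The following is an added illustration, not code from the FortiGuard report or from Fortinet: it scans constructed, Sysmon-style process-creation records for those binaries by name and, to catch a renamed copy, for command-line switches typical of outbound tunnels and SOCKS proxies. The host names, user names, paths and command lines in the sample are invented for the example.

```python
"""Flag process-creation events that launch known tunnelling / proxy tools.

Added example, not part of the FortiGuard report. Event records are
constructed to resemble Sysmon Event ID 1 (process creation) fields.
"""
import re
from dataclasses import dataclass

# Executable names the report associates with segmentation bypass.
TUNNEL_TOOLS = {"ngrok", "plink", "reversesocks5"}

# Command-line shapes that indicate a tunnel or proxy is being set up,
# used to catch the same tools when the binary has been renamed.
TUNNEL_ARG_PATTERNS = [
    # "<exe> tcp 3389" / "<exe> http 8080": ngrok-style exposure of a local port
    re.compile(r'^(?:"[^"]+"|\S+)\s+(tcp|tls|http)\s+\d{2,5}\b', re.I),
    # "-R 8443:10.20.0.5:443": remote port forward (plink / ssh syntax)
    re.compile(r"-R\s*\d+:", re.I),
    # "-D 1080": dynamic SOCKS forward
    re.compile(r"-D\s*\d+", re.I),
    # explicit SOCKS proxy arguments
    re.compile(r"\bsocks5?\b", re.I),
]


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str      # full path of the launched executable
    cmdline: str    # full command line as logged


def basename_no_ext(path: str) -> str:
    """'C:\\Tools\\plink.exe' -> 'plink' (case-folded, .exe stripped)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(ev: ProcEvent):
    """Return a reason string if the event looks like tunnelling, else None."""
    name = basename_no_ext(ev.image)
    if name in TUNNEL_TOOLS:
        return f"known tunnelling tool: {name}"
    # Unknown or renamed binary: judge by its arguments instead.
    for pat in TUNNEL_ARG_PATTERNS:
        if pat.search(ev.cmdline):
            return f"tunnel-style arguments: {pat.pattern}"
    return None


def find_tunnelling(events):
    """Return (host, user, reason) for every event that trips a rule."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev.host, ev.user, reason))
    return hits


# Constructed sample telemetry: two benign launches, a renamed tunnel binary,
# a remote port forward via plink, and a browser opening an intranet URL.
SAMPLE_EVENTS = [
    ProcEvent("ws-01", "corp\\alice", r"C:\Windows\System32\notepad.exe",
              "notepad.exe report.txt"),
    ProcEvent("jump-02", "corp\\svc_backup", r"C:\Users\Public\svchost.exe",
              "svchost.exe tcp 3389"),                       # renamed ngrok
    ProcEvent("jump-02", "corp\\svc_backup", r"C:\Tools\plink.exe",
              "plink.exe -N -R 8443:10.20.0.5:443 user@203.0.113.7"),
    ProcEvent("eng-07", "corp\\bob", r"C:\Program Files\Git\usr\bin\ssh.exe",
              "ssh.exe git@internal-git"),
    ProcEvent("db-03", "corp\\dba", r"C:\Program Files\Mozilla Firefox\firefox.exe",
              "firefox.exe http://intranet:8080"),
]

if __name__ == "__main__":
    for host, user, reason in find_tunnelling(SAMPLE_EVENTS):
        print(f"{host} {user}: {reason}")
```

Name matching alone is defeated by the renamed `svchost.exe` in the sample, which is why the argument patterns exist; conversely, an ordinary `ssh` or browser launch does not trip them. In production this heuristic would sit beside file-hash or code-signing checks and a baseline of which hosts are permitted to open outbound tunnels at all.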

While no confirmed disruption to OT systems was observed, the report notes significant reconnaissance activity in restricted environments — emphasizing the need for heightened defense across converged IT/OT networks.

The operation unfolded across four stages: initial compromise, consolidation of access, adversary response to containment, and attempted re-entry via exploitation of third-party software and phishing attacks. Even after being removed from the network, the threat actor made repeated efforts to re-establish access — signalling a long-term strategic objective.

OT Security Faces Escalating Threats

According to Fortinet’s 2024 State of Operational Technology and Cybersecurity Report, 73% of OT organizations globally have now experienced cyber intrusions — up from 49% in 2023 — with targeted OT-only attacks also rising from 17% to 24%.

This trend mirrors the patterns observed in the latest investigation, where state-linked actors deployed advanced malware, evaded detection, and used phishing and software exploitation to re-establish access after remediation efforts. Accordingly, responsibility for OT cybersecurity is increasingly shifting to the CISO, CIO, and COO, with 60% of organizations reporting executive-level oversight.

Regional Threat Activity on the Rise

Fortinet’s 2025 Global Threat Landscape Report also confirms that state-sponsored groups remain highly active, targeting government, technology, and education sectors. Interestingly, over 60% of hacktivist campaigns globally were linked to geopolitical causes. The Middle East also remains a high-risk region for cyber activity, with the EMEA region accounting for 26% of recorded global exploitation attempts.

Defensive Recommendations

To defend against such persistent and well-resourced adversaries, the FortiGuard team recommends that organizations prioritize the following defensive measures:

  • Enforcing multi-factor authentication (MFA) and regular credential rotation
  • Deploying zero-trust architecture and network segmentation
  • Implementing endpoint detection and response (EDR) and behavioural analytics
  • Conducting regular penetration testing and incident response readiness exercises

This investigation highlights the persistent and evolving nature of state-backed cyber threats targeting Middle Eastern CNIs, and a growing need for continuous monitoring, adaptive defense strategies, and coordinated threat intelligence to protect critical infrastructure in the face of sophisticated cyber threats.
