
The Iranian state-backed advanced persistent threat (APT) group tracked as Lemon Sandstorm (overlapping with Fox Kitten/UNC757) ran a multi-year intrusion campaign against a Middle Eastern critical national infrastructure (CNI) provider, according to research by Fortinet and ENISA [1][2]. The group compromised IT systems but never reached the operational technology (OT) networks, which network segmentation kept out of its path.
Attack Timeline and Techniques
Lemon Sandstorm held access from May 2023 to February 2025, exploiting VPN vulnerabilities and deploying custom malware such as HanifNet and NeoExpressRAT [1]. The attackers used web shells for lateral movement but were stopped at the IT/OT boundary by network segmentation. This fits the broader trend: 34% of cyberattacks in the Middle East target CNI, according to Positive Technologies [3].
| Area | Details |
|---|---|
| Primary TTPs | VPN exploits, Farsi-language artifacts, off-hours activity |
| Defensive gaps | Unpatched Exchange servers, lack of multi-factor authentication (MFA) |
Regional Cybersecurity Context
The Middle East faces parallel threats from Chinese (Volt Typhoon) and Russian APTs, with ENISA warning of rising state-sponsored CNI attacks [2]. Financial infrastructure is particularly vulnerable: MENA has the highest bank concentration (68%) among developing regions, and 33% of credit goes to state-owned enterprises [4].
Mitigation Strategies
Fortinet recommends [1]:
- Patch VPN and Exchange servers immediately
- Enforce MFA for all remote access
- Monitor for Farsi-language command artifacts
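The script below is an added illustration of the last two recommendations and of the IT/OT boundary the campaign stalled at; it is not code from the Fortinet report or from this page. It runs three triage heuristics over constructed endpoint and firewall events: Arabic-script text in command lines (with Persian-only letters raised to a "farsi" hint, since plain Arabic text is normal in the region and is only a weak signal), execution outside local working hours, and IT hosts attempting connections into OT address ranges. The timezone, working hours and OT subnets are assumptions to be replaced with the real environment's values.

```python
"""Triage heuristics for the Lemon Sandstorm TTPs listed above, run over constructed events.

Assumptions (replace with real values): local timezone UTC+3, working hours 08:00-18:00
Sunday to Thursday, and two example OT subnets that IT hosts must never reach directly.
"""
import ipaddress
import json
from datetime import datetime, time, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=3))          # assumption: site timezone
WORK_START, WORK_END = time(8, 0), time(18, 0)   # assumption: working hours
WORK_DAYS = {6, 0, 1, 2, 3}                      # Mon=0 ... Sun=6 -> Sun-Thu working week

# Assumption: address ranges of the OT network behind the IT/OT segmentation boundary.
OT_NETWORKS = [ipaddress.ip_network("10.200.0.0/16"),
               ipaddress.ip_network("192.168.250.0/24")]

# Unicode blocks that make up the Arabic script (Farsi is written in it).
ARABIC_SCRIPT_RANGES = [(0x0600, 0x06FF), (0x0750, 0x077F),
                        (0xFB50, 0xFDFF), (0xFE70, 0xFEFF)]
# Letters used in Persian orthography but not in standard Arabic: پ چ ژ ک گ ی
PERSIAN_ONLY_LETTERS = {"\u067e", "\u0686", "\u0698", "\u06a9", "\u06af", "\u06cc"}


def script_hint(text):
    """Return 'farsi' if Persian-only letters occur, 'arabic-script' if only generic
    Arabic-script characters occur, else None. Arabic text is expected in the region,
    so a bare 'arabic-script' hit is a weak signal; 'farsi' deserves a closer look."""
    if not any(lo <= ord(ch) <= hi for ch in text for lo, hi in ARABIC_SCRIPT_RANGES):
        return None
    return "farsi" if any(ch in PERSIAN_ONLY_LETTERS for ch in text) else "arabic-script"


def is_off_hours(ts_utc):
    """True if an ISO-8601 UTC timestamp falls outside the assumed local working hours."""
    local = datetime.fromisoformat(ts_utc.replace("Z", "+00:00")).astimezone(LOCAL_TZ)
    return local.weekday() not in WORK_DAYS or not (WORK_START <= local.time() < WORK_END)


def targets_ot(dst_ip):
    """True if the destination address lies inside an assumed OT range."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net for net in OT_NETWORKS)


def triage(events):
    """Apply the three heuristics to each event; return only events with findings."""
    findings = []
    for ev in events:
        reasons = []
        hint = script_hint(ev.get("cmdline", ""))
        if hint:
            reasons.append(f"{hint} text in command line")
        if is_off_hours(ev["ts"]):
            reasons.append("off-hours activity")
        if ev.get("dst_ip") and targets_ot(ev["dst_ip"]):
            reasons.append("IT host attempting to reach OT subnet")
        if reasons:
            findings.append({"host": ev["host"], "ts": ev["ts"], "reasons": reasons})
    return findings


# Constructed sample events (not real telemetry). Non-ASCII text is written as escapes so
# the file is unambiguous: "\u06af\u0632\u0627\u0631\u0634" is Farsi for "report"
# (contains گ, a Persian-only letter); "\u0645\u0644\u0641" is Arabic for "file".
SAMPLE_EVENTS = [
    {"ts": "2024-03-05T07:30:00Z", "host": "it-ws-014", "user": "a.hassan",      # Tue 10:30 local
     "cmdline": "powershell.exe Get-Service", "dst_ip": "10.10.5.20"},
    {"ts": "2024-03-08T23:15:00Z", "host": "it-srv-exch1", "user": "svc_backup",  # Sat 02:15 local
     "cmdline": "cmd.exe /c copy \\\\fs01\\share\\\u06af\u0632\u0627\u0631\u0634.txt C:\\Temp\\"},
    {"ts": "2024-03-06T12:00:00Z", "host": "it-ws-022", "user": "m.karim",       # Wed 15:00 local
     "dst_ip": "10.200.3.10"},
    {"ts": "2024-03-07T09:00:00Z", "host": "it-ws-009", "user": "s.ali",         # Thu 12:00 local
     "cmdline": "notepad.exe \u0645\u0644\u0641.txt", "dst_ip": "10.10.5.21"},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), ensure_ascii=False, indent=2))
```

Of the four constructed events, the first produces no finding; the Exchange-server event is flagged twice (Farsi text and off-hours), the workstation-to-OT connection once, and the Arabic-only command line once as a weak hint. In practice the OT-range check belongs on firewall deny logs at the segmentation boundary, where a single hit is itself evidence that segmentation did its job, as it did in this campaign.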
World Bank data suggests blockchain adoption could reduce risks in financial systems with high non-performing loans (11.5% in MENA vs. 2.8% in East Asia) [5].
Conclusion
The Lemon Sandstorm campaign demonstrates the need for OT/IT segmentation and threat intelligence sharing. Middle Eastern CNI providers should prioritize Zero Trust frameworks and regional cooperation modeled after ENISA standards [2].
References
- [1] Fortinet, Report on Lemon Sandstorm TTPs, 2025.
- [2] ENISA, Threat Landscape Report, 2025.
- [3] Positive Technologies, Middle East Cyber Threat Analysis, 2024.
- [4] World Bank, Global Financial Inclusion Database, 2019.
- [5] Čihák et al., Financial Sector Vulnerabilities in MENA, IMF, 2012.