An Iranian state-sponsored threat group, linked to the known actor Lemon Sandstorm, has been engaged in a cyber attack against critical national infrastructure in the Middle East. The operation, spanning from May 2023 to February 2025, involved extensive espionage and strategic network prepositioning. The attackers exploited VPN security vulnerabilities to gain access and employed a range of tactics to maintain long-term access. Notably, the group has targeted various sectors, including aerospace and energy, across multiple continents, demonstrating significant capabilities and posing a persistent threat to global cyber infrastructure.
"The attack displayed extensive espionage operations and suspected network prepositioning, a common strategy for maintaining persistent access for future strategic advantage."
"Active since at least 2017, this Iranian group has targeted sectors across the globe, leveraging known VPN security flaws for initial access to networks."