U.S. Agencies Highlight Ongoing Ransomware Attacks by Iranian Hacking Group

August 29, 2024

U.S. cybersecurity and intelligence agencies have issued a warning about the activities of an Iranian hacking group known as Pioneer Kitten, also referred to as Fox Kitten, Lemon Sandstorm, Parisite, and UNC757. The group, which is believed to be linked to the Iranian government, has reportedly breached several organizations across the U.S., coordinating with affiliates to deliver ransomware attacks. The group is also believed to use an Iranian IT company, Danesh Novin Sahand, as a cover for its operations. The agencies involved in the warning include the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense Cyber Crime Center (DC3).

The group's primary aim in these operations appears to be obtaining and developing network access, which it then uses in collaboration with affiliate actors to deploy ransomware. The sectors targeted by these attacks include education, finance, healthcare, and defense, as well as local government entities in the U.S. Intrusions have also been reported in Israel, Azerbaijan, and the United Arab Emirates (U.A.E.) with the intent of stealing sensitive data.

The group's modus operandi involves gaining an initial foothold in victim networks and then collaborating with ransomware affiliate actors associated with NoEscape, RansomHouse, and BlackCat (also known as ALPHV) to deploy file-encrypting malware. The group intentionally keeps its nationality and origin vague, and, operating under the online monikers Br0k3r and xplfinder, monetizes its access to victim organizations on underground marketplaces.

Initial access is achieved by exploiting remote external services on internet-facing assets that are vulnerable to previously disclosed flaws (CVE-2019-19781, CVE-2022-1388, CVE-2023-3519, CVE-2024-3400, and CVE-2024-24919). The group then carries out a series of steps to persist, escalate privileges, and set up remote access through tools like AnyDesk or the open-source Ligolo tunneling tool.

The Iranian government's involvement in these ransomware attacks goes beyond providing access: the actors work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims. The group also offers full domain control privileges, as well as domain admin credentials, to numerous networks worldwide.

The actions of the Iranian cyber actors are part of a larger, ongoing trend of state-sponsored ransomware operations. In December 2020, cybersecurity companies Check Point and ClearSky detailed a Pioneer Kitten hack-and-leak campaign called Pay2Key that targeted dozens of Israeli companies by exploiting known security vulnerabilities.

The group's activities are not limited to ransomware attacks. They also engage in cyber espionage, similar to other dual-purpose hacking outfits like ChamelGang and Moonstone Sleet. These groups operate with both ransomware and cyber espionage motives, demonstrating the flexibility and adaptability of these threat actors.

The recent developments also highlight the activities of another Iranian state-sponsored threat actor, Peach Sandstorm (also known as APT33, Curious Serpens, Elfin, and Refined Kitten), which has been deploying a new custom multi-stage backdoor referred to as Tickler in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the U.S. and U.A.E. between April and July 2024.

Peach Sandstorm also continued conducting password spray attacks against the educational sector for infrastructure procurement and against the satellite, government, and defense sectors as primary targets for intelligence collection. The group is believed to be operating on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC).

In addition to these activities, Peach Sandstorm has been leveraging Active Directory (AD) snapshots for malicious administrative actions, Server Message Block (SMB) for lateral movement, and the AnyDesk remote monitoring and management (RMM) software for persistent remote access.

The recent intrusions targeting the defense sector have also deployed another backdoor called FalseFont. Google-owned Mandiant has uncovered a suspected Iran-nexus counterintelligence operation aimed at collecting data on Iranians and domestic threats who may be collaborating with its perceived adversaries, including Israel. The activity shares a weak overlap with APT42 and aligns with IRGC's track record of conducting surveillance operations.
