U.S. cybersecurity and intelligence agencies have accused an Iranian hacking group of infiltrating multiple organizations nationwide and collaborating with affiliates to launch ransomware attacks.
This activity has been attributed to a threat group known as Pioneer Kitten, also referred to as Fox Kitten, Lemon Sandstorm (previously Rubidium), Parisite, and UNC757. The group is believed to be connected to the Iranian government, using an Iranian IT company, Danesh Novin Sahand, likely as a front.
According to the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense Cyber Crime Center (DC3), “Their cyber operations focus on deploying ransomware to gain and establish network access. These operations enable the group to collaborate with affiliate actors to continue deploying ransomware.”
The targets include sectors such as education, finance, healthcare, and defense, along with local government entities in the U.S. Similar intrusions have also been reported in Israel, Azerbaijan, and the United Arab Emirates (U.A.E.), aimed at stealing sensitive data.
The agencies believe the team’s objective is to establish initial access to victim networks and then work with ransomware affiliates linked to NoEscape, RansomHouse, and BlackCat (also known as ALPHV) to deploy file-encrypting malware in exchange for a share of the illegal profits, while deliberately keeping their nationality and origin ambiguous.
These attack attempts reportedly began as early as 2017 and have continued through this month. The threat actors, also known by the online aliases Br0k3r and xplfinder, have been found to sell their access to victim organizations on underground marketplaces, highlighting their efforts to diversify revenue streams.
A substantial portion of the group's U.S.-focused cyber activity is devoted to obtaining and maintaining technical access to victim networks in order to enable future ransomware attacks. The actors offer full domain control, including domain admin credentials, to multiple networks worldwide.
The Iranian cyber actors’ involvement in these ransomware campaigns extends beyond providing access; they closely collaborate with ransomware affiliates to lock down victim networks and strategize extortion tactics.
Initial access is typically achieved by exploiting remote external services on internet-facing assets that are vulnerable to known flaws (CVE-2019-19781, CVE-2022-1388, CVE-2023-3519, CVE-2024-3400, and CVE-2024-24919). This is followed by steps to maintain persistence, escalate privileges, and establish remote access through tools such as AnyDesk or the open-source Ligolo tunneling tool.