
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Iranian Espionage Group Providing Network Access to Ransomware Groups

An Iranian hacking group has been collaborating with ransomware groups to extort organizations in the defense, education, finance, and healthcare sectors. The Pioneer Kitten group (aka Fox Kitten, Parisite, Rubidium, and Lemon Sandstorm) has been active since at least 2017 and is believed to be connected to the Iranian government.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Defense Cyber Crime Center (DC3) have issued a joint cybersecurity advisory about the group that shares the tactics, techniques, and procedures (TTPs), Indicators of Compromise (IoCs), and recommended mitigations for hardening defenses.

Pioneer Kitten has conducted a high number of computer network intrusions in the United States, with its most recent activity identified in August 2024. The group breaches defenses to gain access to organizations’ networks and then monetizes access, historically by selling domain admin credentials and full domain control privileges on cyber marketplaces and recently by working with affiliates of ransomware-as-a-service (RaaS) groups, including ALPHV/BlackCat, NoEscape, and Ransomhouse.

In recent campaigns, rather than selling access to compromised networks, Pioneer Kitten collaborates with RaaS groups to allow them to steal data, encrypt files, and extort victims, then takes a percentage of any ransom payments generated. Pioneer Kitten actors communicate using the monikers Br0k3r and xplfinder and do not disclose their nationality to the cybercriminal groups they work with. The group also uses the company name Danesh Novin Sahand, an Iranian IT company, likely as cover for its malicious cyber activities.


Historically, the group has conducted hack-and-leak campaigns, and although it demands ransom payments, the FBI does not believe the attacks are always financially motivated. One hack-and-leak campaign in late 2020, dubbed Pay2Key, is thought to have been conducted to undermine the security of Israel-based cyber infrastructure. While the attacks may end with file encryption, the group is thought to be primarily concerned with espionage and steals sensitive information to pass to the Iranian government. The group’s ransomware activities are not thought to have been sanctioned by the Iranian government.

Pioneer Kitten has been observed using the Shodan search engine to identify and enumerate IP addresses hosting devices with known vulnerabilities, then attempting to exploit those vulnerabilities for initial access. Vulnerabilities previously targeted by the group include the Citrix NetScaler vulnerabilities CVE-2019-19781 and CVE-2023-3519, the F5 BIG-IP vulnerability CVE-2022-1388, the Pulse Secure/Ivanti Connect Secure VPN vulnerability CVE-2024-21887, and the Palo Alto Networks PAN-OS and GlobalProtect VPN vulnerability CVE-2024-3400. Once inside a network, the group installs remote access programs such as AnyDesk, enables Windows PowerShell Web Access on servers, uses the open-source tunneling tool Ligolo, and uses ngrok to create outbound connections to a randomly generated subdomain.

The cybersecurity advisory includes IP addresses associated with the group, and all organizations are advised to review their logs for those addresses. Organizations should ensure the vulnerabilities known to be targeted by the group are patched, check systems for the unique identifiers and TTPs associated with the group, and review logs for outbound web requests to files.catbox[.]moe and ***.ngrok[.]io. Organizations should also test and validate their security controls against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in the advisory.
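As an added example of the log review described above (this is not code from the joint advisory or from The HIPAA Journal), the following Python script sweeps proxy log lines for the network indicators the advisory names: requests to files.catbox.moe, requests to any randomly generated ngrok.io subdomain, and connections involving the advisory's IP addresses. The log format and sample lines are constructed, and the IP addresses are RFC 5737 documentation placeholders standing in for the advisory's published list, which must be substituted before use. The domain check is anchored on DNS label boundaries, because a plain substring test for "ngrok.io" would also flag look-alike hosts such as notngrok.io.

```python
"""Log triage for the advisory's network indicators.

Added example: not code from the joint advisory or from The HIPAA Journal.
The log format, the sample lines and the IoC IP addresses are constructed
placeholders; the advisory's own IP list must be substituted before use.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Placeholder IoC IPs drawn from RFC 5737 documentation ranges. These are NOT
# the advisory's indicators; replace them with the advisory's published list.
IOC_IPS = {ipaddress.ip_address(a) for a in ("203.0.113.10", "198.51.100.77")}

# Domain indicators named in the advisory. ngrok.io is matched as a suffix
# because the actor tunnels to a randomly generated subdomain (***.ngrok.io).
IOC_DOMAINS = {
    "files.catbox.moe": "exact",
    "ngrok.io": "suffix",
}


def domain_matches(host: str) -> Optional[str]:
    """Return the matching indicator, or None.

    Matching is anchored on DNS label boundaries so that look-alikes such as
    "notngrok.io" or "ngrok.io.cdn.example.net" do not produce false hits,
    which a naive substring test ("ngrok.io" in host) would.
    """
    host = host.rstrip(".").lower()
    for ioc, mode in IOC_DOMAINS.items():
        if host == ioc:
            return ioc
        if mode == "suffix" and host.endswith("." + ioc):
            return ioc
    return None


@dataclass(frozen=True)
class Hit:
    line_no: int
    reason: str
    detail: str


# Constructed proxy-log format: "<timestamp> <src_ip> <dst_ip> <dst_host> <method> <url>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<host>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)


def triage(lines) -> List[Hit]:
    """Flag lines whose source/destination IP is an IoC or whose host is an IoC domain."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; a production pipeline should count and report these
        for label in ("src", "dst"):
            try:
                if ipaddress.ip_address(m[label]) in IOC_IPS:
                    hits.append(Hit(n, f"{label} IP is an advisory IoC", m[label]))
            except ValueError:
                pass  # field was not an IP literal
        ioc = domain_matches(m["host"])
        if ioc:
            hits.append(Hit(n, f"outbound request to {ioc}", m["host"]))
    return hits


# Constructed sample log; only lines 1, 2 and 4 should be flagged.
SAMPLE_LOG = [
    "2024-08-12T09:14:02Z 10.0.5.21 104.16.0.1 files.catbox.moe GET /abc123/tool.zip",
    "2024-08-12T09:15:40Z 10.0.5.21 3.14.15.92 a1b2c3d4.ngrok.io CONNECT a1b2c3d4.ngrok.io:443",
    "2024-08-12T09:16:11Z 10.0.5.33 93.184.216.34 www.example.com GET /",
    "2024-08-12T09:17:55Z 203.0.113.10 10.0.0.5 vpn.corp.example POST /remote/login",
    "2024-08-12T09:18:20Z 10.0.5.40 198.51.100.1 ngrok.io.cdn.example.net GET /",
    "2024-08-12T09:19:03Z 10.0.5.40 198.51.100.2 notngrok.io GET /",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.reason} ({hit.detail})")
```

A hit on ngrok or AnyDesk is a lead, not proof of compromise, since both are legitimate tools with ordinary business use; treat matches as triage candidates to be correlated with the advisory's IP list, with checks for PowerShell Web Access being newly enabled on servers, and with the MITRE ATT&CK behaviors mapped in the advisory.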

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
