U.S. cybersecurity and intelligence agencies have called out an Iranian hacking group for breaching multiple organizations across the country and coordinating with affiliates to deliver ransomware.
The activity has been linked to a threat actor dubbed Pioneer Kitten, which is also known as Fox Kitten, Lemon Sandstorm (formerly Rubidium), Parisite, and UNC757. The agencies described the group as connected to the government of Iran and as using an Iranian information technology (IT) company, Danesh Novin Sahand, likely as a cover.
"Their malicious cyber operations are aimed at deploying ransomware attacks to obtain and develop network access," the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Defense Cyber Crime Center (DC3) said. "These operations aid malicious cyber actors in further collaborating with affiliate actors to continue deploying ransomware."
Targets of the attacks include education, finance, healthcare, and defense sectors, as well as local government entities in the U.S., with intrusions also reported in Israel, Azerbaijan, and the United Arab Emirates (U.A.E.) to pilfer sensitive data.
The goal, the agencies assessed, is to gain an initial foothold in victim networks and subsequently collaborate with ransomware affiliate actors associated with NoEscape, RansomHouse, and BlackCat (aka ALPHV) to deploy file-encrypting malware in exchange for a cut of the illicit proceeds, while keeping their nationality and origin "intentionally vague."
The attack attempts are believed to have commenced as early as 2017 and are ongoing as recently as this month. The threat actors, who also go by the online monikers Br0k3r and xplfinder, have been found to monetize their access to victim organizations on underground marketplaces, underscoring attempts to diversify their revenue streams.
"A significant percentage of the group's U.S.-focused cyber activity is in furtherance of obtaining and maintaining technical access to victim networks to enable future ransomware attacks," the agencies noted. "The actors offer full domain control privileges, as well as domain admin credentials, to numerous networks worldwide."
"The Iranian cyber actors' involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims."
Initial access is accomplished by taking advantage of remote external services on internet-facing assets that are vulnerable to previously disclosed flaws (CVE-2019-19781, CVE-2022-1388, CVE-2023-3519, CVE-2024-3400, and CVE-2024-24919), followed by a series of steps to persist, escalate privileges, and set up remote access through tools like AnyDesk or the open-source Ligolo tunneling tool.
Iranian state-sponsored ransomware operations are not a new phenomenon. In December 2020, cybersecurity companies Check Point and ClearSky detailed a Pioneer Kitten hack-and-leak campaign called Pay2Key that specifically singled out dozens of Israeli companies by exploiting known security vulnerabilities.
"The ransom itself ranged between seven and nine Bitcoin (with a few cases in which the attacker was negotiated down to three Bitcoin)," ClearSky noted at the time. "To pressure victims into paying, Pay2Key's leak site displays sensitive information stolen from the target organizations and makes threats of further leaks if the victims continue to delay payments."
Some of the ransomware attacks are also said to have been conducted through an Iranian contracting company named Emennet Pasargad, according to documents leaked by Lab Dookhtegan in early 2021.
The disclosure paints the picture of a flexible group that operates with both ransomware and cyber espionage motives, joining other dual-purpose hacking outfits like ChamelGang and Moonstone Sleet.
Peach Sandstorm Delivers Tickler Malware in Long-Running Campaign
The development comes as Microsoft said it observed Iranian state-sponsored threat actor Peach Sandstorm (aka APT33, Curious Serpens, Elfin, and Refined Kitten) deploying a new custom multi-stage backdoor referred to as Tickler in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the U.S. and U.A.E. between April and July 2024.
"Peach Sandstorm also continued conducting password spray attacks against the educational sector for infrastructure procurement and against the satellite, government, and defense sectors as primary targets for intelligence collection," the Microsoft Threat Intelligence team said, adding it detected intelligence gathering and possible social engineering targeting higher education, satellite, and defense sectors via LinkedIn.
These efforts on the professional networking platform, which date back to at least November 2021 and have continued into mid-2024, materialized in the form of phony profiles masquerading as students, developers, and talent acquisition managers supposedly based in the U.S. and Western Europe.
The password spray attacks serve as a conduit for the Tickler custom multi-stage backdoor, which comes with capabilities to download additional payloads from an adversary-controlled Microsoft Azure infrastructure, perform file operations, and gather system information.
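The spray pattern the paragraph describes, one source failing against many accounts with only one or two attempts per account, is what a defender keys on; the following is an added example, not code from Microsoft or from the report, that runs that logic over constructed sign-in events (the log format, thresholds, and IP addresses are assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from the report): timestamp,user,src_ip,result
SAMPLE_LOG = """\
2024-05-02T08:00:01Z,alice,203.0.113.7,FAIL
2024-05-02T08:00:09Z,bob,203.0.113.7,FAIL
2024-05-02T08:00:17Z,carol,203.0.113.7,FAIL
2024-05-02T08:00:25Z,dave,203.0.113.7,FAIL
2024-05-02T08:00:33Z,erin,203.0.113.7,FAIL
2024-05-02T08:00:41Z,frank,203.0.113.7,FAIL
2024-05-02T08:01:00Z,carol,198.51.100.9,FAIL
2024-05-02T08:01:02Z,carol,198.51.100.9,FAIL
2024-05-02T08:01:04Z,carol,198.51.100.9,FAIL
2024-05-02T08:01:06Z,carol,198.51.100.9,FAIL
2024-05-02T08:01:08Z,carol,198.51.100.9,FAIL
2024-05-02T08:02:00Z,dave,192.0.2.5,FAIL
2024-05-02T08:02:30Z,dave,192.0.2.5,SUCCESS
"""

def parse_events(log):
    """Parse CSV lines into (timestamp, user, src_ip, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src_ip: sorted usernames} for sources that fail against at least
    min_users distinct accounts with at most max_per_user failures each inside one
    window. A single-account brute force (many failures, one user) does not match."""
    failures = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            failures[ip].append((ts, user))
    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide a window over this source's failures
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[ip] = sorted(per_user)
                break
    return alerts
```

Only the source hitting six different accounts once each is flagged; the repeated failures against a single account and the user who mistypes a password once are left alone, which is the distinction that keeps a spray rule from drowning in ordinary lockout noise.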
Some of the attacks are notable for leveraging Active Directory (AD) snapshots for malicious administrative actions, Server Message Block (SMB) for lateral movement, and the AnyDesk remote monitoring and management (RMM) software for persistent remote access.
"The convenience and utility of a tool like AnyDesk is amplified by the fact that it might be permitted by application controls in environments where it is used legitimately by IT support personnel or system administrators," Microsoft said.
Peach Sandstorm is assessed to be operating on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC). It has been active for over a decade, carrying out espionage attacks against a diverse array of public and private sector targets globally. Recent intrusions targeting the defense sector have also deployed another backdoor called FalseFont.
Iranian Counterintelligence Operation Uses HR Lures to Harvest Intel
In further evidence of ever-expanding Iranian operations in cyberspace, Google-owned Mandiant said it uncovered a suspected Iran-nexus counterintelligence effort aimed at collecting data on Iranians and domestic threats who may be collaborating with its perceived adversaries, including Israel.
"The collected data may be leveraged to uncover human intelligence (HUMINT) operations conducted against Iran and to persecute any Iranians suspected to be involved in these operations," Mandiant researchers Ofir Rozmann, Asli Koksal, and Sarah Bock said. "These may include Iranian dissidents, activists, human rights advocates, and Farsi speakers living in and outside Iran."
The activity, the company said, shares "weak overlap" with APT42 and aligns with IRGC's track record of conducting surveillance operations against domestic threats and individuals of interest to the Iranian government. The campaign has been active since 2022.
The attack lifecycle's backbone is a network of over 40 fake recruitment websites impersonating Israeli human resources firms, which are disseminated via social media channels like X and Virasty to trick prospective victims into sharing their personal information (i.e., name, birth date, email, home address, education, and professional experience).
These decoy websites, posing as Optima HR and Kandovan HR, state their alleged purpose is to "recruit employees and officers of Iran's intelligence and security organizations" and use Telegram handles that reference Israel (IL) (e.g., PhantomIL13 and getDmIL) to give the impression that they are affiliated with the country.
Mandiant said further analysis of the Optima HR websites led to the discovery of a previous cluster of fake recruitment websites that targeted Farsi and Arabic speakers affiliated with Syria and Lebanon (Hezbollah) under a different HR firm named VIP Human Solutions between 2018 and 2022.
"The campaign casts a wide net by operating across multiple social media platforms to disseminate its network of fake HR websites in an attempt to expose Farsi-speaking individuals who may be working with intelligence and security agencies and are thus perceived as a threat to Iran's regime," Mandiant said.