
Iranian APT caught acting as access broker for ransomware crews

Members of Iran-backed Pioneer Kitten APT appear to be trying to supplement their pay packets by helping Russian-speaking ransomware gangs to access their victims in exchange for a cut of the profits

Hackers sponsored by the Iranian government are acting as go-betweens and initial access brokers to target environments on behalf of financially motivated ransomware gangs, including big names such as ALPHV/BlackCat, the US Cybersecurity and Infrastructure Security Agency (CISA) has warned.

In an advisory published this week, CISA and its law enforcement partners, including the FBI, revealed that the Iranian advanced persistent threat (APT) group tracked variously as Pioneer Kitten, UNC757, Parisite, Rubidium and Lemon Sandstorm has been conducting malicious cyber operations to obtain, maintain and develop network access, with the aim of enabling ransomware attacks.

“These operations aid malicious cyber actors in further collaborating with affiliate actors to continue deploying ransomware,” CISA said.

“This advisory outlines activity by a specific group of Iranian cyber actors that has conducted a high volume of computer network intrusion attempts against US organisations since 2017 and as recently as August 2024. Compromised organisations include US-based schools, municipal governments, financial institutions and healthcare facilities.”

The FBI had previously observed the group attempting to monetise their access to victim organisations on underground markets, and now assesses that a “significant percentage” of its activity – at least in the US – is focused on selling this access on to Russian-speaking cyber crime gangs.

But there is now evidence that this relationship seems to run even deeper. Indeed, the Feds now believe Pioneer Kitten has been “collaborating directly” with ransomware affiliates to receive a cut of the ransom payments in exchange for their assistance.

“These actors have collaborated with the ransomware affiliates NoEscape, RansomHouse, and ALPHV (aka BlackCat),” said CISA.

“The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategise on approaches to extort victims.

“The FBI assesses these actors do not disclose their Iran-based location to their ransomware affiliate contacts and are intentionally vague as to their nationality and origin.”

US alert to increased Iranian threat

The new warning from the Cybersecurity and Infrastructure Security Agency and other authorities is the latest in a string of alerts and allegations made by the US in regard to malicious Iranian cyber activity. Tehran is already in the frame for a hack on the campaign of Republican presidential candidate Donald Trump, and its advanced persistent threats (APTs) are likely gearing up to conduct further influence operations aimed at undermining the November 2024 election.

Meanwhile, earlier this week, Microsoft highlighted the activities of Peach Sandstorm, an Iranian APT that is using a novel, customised, multi-stage backdoor malware dubbed Tickler against targets in the satellite, communications, oil and gas, and government sectors. In a separate report, Google Cloud’s Mandiant warned that Iran appears to have created a network of social media accounts and fake websites that are being used to target its own people, including members of the worldwide Iranian diaspora who left the country in great numbers following the 1979 revolution.

Thwarting the Kitten

A Pioneer Kitten-enabled ransomware attack generally seems to begin with the exploitation of remote external services on internet-facing assets.

In recent weeks, the gang has been observed using Shodan to identify IP addresses hosting Check Point Security Gateways vulnerable to CVE-2024-24919, but it is also known to have exploited CVE-2024-3400 in Palo Alto Networks PAN-OS and GlobalProtect VPN, as well as older vulnerabilities in Citrix and F5 BIG-IP. Addressing these issues should be priority number one for security teams in at-risk organisations.

Once beyond this first hurdle, the group’s modus operandi is in most regards a fairly standard one – it seeks to further its goals by capturing login credentials on Netscaler devices via a deployed webshell, elevates its privileges by hijacking or creating new accounts, often with exemptions to zero-trust policies, places backdoors to load malware, and tries to disable antivirus software and lower security settings. It also sets up a daily Windows service task so that its access persists even as defenders apply mitigations.

When it comes to command and control, Pioneer Kitten is known to use the AnyDesk remote access programme and to enable servers to use Windows PowerShell Web Access. It also favours Ligolo, an open source tunnelling tool, and NGROK to create outbound connections.
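The persistence and command-and-control techniques described above are all checkable on a Windows host. The following hunting script is an added example written for this article, not code from CISA or the advisory; it assumes an elevated PowerShell session on Windows Server (the PowerShell Web Access check relies on the ServerManager module and is skipped on client editions), and the 30-day window and tool name list are assumptions that defenders should tune.

```powershell
# Added hunting check (not from the CISA advisory): surfaces the persistence and
# C2 artefacts described in the article on a single Windows host.
# Assumptions: elevated session; Windows Server for Get-WindowsFeature.
$findings = @()

# 1. PowerShell Web Access installed as a remote-management foothold
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $pswa = Get-WindowsFeature -Name WindowsPowerShellWebAccess
    if ($pswa.Installed) {
        $findings += "PowerShell Web Access feature is installed"
    }
}

# 2. Daily scheduled tasks registered recently (persistence that survives mitigation)
$cutoff = (Get-Date).AddDays(-30)   # assumed review window
Get-ScheduledTask | ForEach-Object {
    $task  = $_
    $daily = $task.Triggers | Where-Object {
        $_.CimClass.CimClassName -eq 'MSFT_TaskDailyTrigger'
    }
    # Date is a string and is empty for many built-in tasks, so guard before casting
    if ($daily -and $task.Date -and ([datetime]$task.Date) -gt $cutoff) {
        $action = ($task.Actions | ForEach-Object {
            "$($_.Execute) $($_.Arguments)"
        }) -join '; '
        $findings += "Recent daily task '$($task.TaskName)' in $($task.TaskPath) runs: $action"
    }
}

# 3. Remote access and tunnelling tools named in the article
$tools   = @('anydesk', 'ngrok', 'ligolo')   # assumed list; extend per environment
$pattern = ($tools -join '|')
Get-Process | Where-Object { $_.Path -and ($_.Path -match $pattern -or $_.Name -match $pattern) } |
    ForEach-Object { $findings += "Process $($_.Id) $($_.Path) matches a tunnelling/remote access tool" }
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $pattern } |
    ForEach-Object { $findings += "Service '$($_.Name)' runs $($_.PathName)" }

# Report: every hit needs triage, since AnyDesk and ngrok also have legitimate uses
if ($findings) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output "No matches for the persistence or C2 patterns described"
}
```

Run the script across a fleet through a remote management channel rather than interactively, and compare the scheduled task and service results against a known-good baseline before escalating.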

The full CISA advisory contains more technical details on its attack chain.

Has Pioneer Kitten gone rogue?

Interestingly, the US authorities also said Pioneer Kitten’s ransomware activities may not be officially sanctioned by Tehran, and the group’s members themselves – who operate behind the cover of an Iranian IT company, Danesh Novin Sahand – have occasionally expressed concern that the Iranian government may be monitoring their money-laundering activities.

Pioneer Kitten’s official remit, said CISA, appears to be to conduct hack-and-leak campaigns, stealing data and publicising it, not to make money, but to undermine their victims as part of Iranian information operations. This activity seems to have been largely focused on victims in Israel and other regional powers of interest to Iran, including Azerbaijan and the United Arab Emirates.
