Iran Government-Backed Hackers ‘Making Cash From Ransomware’

A hacking gang sponsored by the Iranian government has begun targeting organisations for ransomware operations in an apparent money-making activity separate from its usual cyber-espionage attacks, US authorities said.

The group, known by names including Pioneer Kitten, Fox Kitten, UNC757, Parisite, Rubidium and Lemon Sandstorm, has carried out a “high volume” of attacks dating back to 2017, said the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense Cyber Crime Center (DC3) in a joint advisory.

Countries targeted include the US, Israel, Azerbaijan and the United Arab Emirates, with targets in the education, finance, healthcare, defence and local government sectors.

While the group has been found carrying out information-theft attacks on targets in Israel and Azerbaijan, a “significant percentage” of its activity is devoted to obtaining network access that is later used for ransomware attacks, the agencies said.

Collaboration

“FBI analysis and investigation indicate the group’s activity is consistent with a cyber actor with Iranian state-sponsorship,” the advisory said.

The group offers its criminal affiliates full domain control privileges and domain administrator credentials to numerous networks worldwide, and collaborates directly with ransomware gangs on attacks in exchange for a percentage of the ransom, the agencies said.

The ransomware gangs Pioneer Kitten has worked with include NoEscape, Ransomhouse and the now-defunct AlphV, also known as BlackCat.

“The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims,” the advisory said.

The FBI found the Pioneer Kitten hackers did not disclose their Iran-based location to those they were collaborating with and remained vague about their nationality and origin.

Cyber-espionage

The same group has also carried out hack-and-leak campaigns, such as one in 2020, known as Pay2Key, that targeted Israel-based organisations.

The Pay2Key campaign involved publishing compromised data on a .onion site, a technique often used to encourage ransomware payments.

But the FBI said it believes the campaign was primarily “an information operation aimed at undermining the security of Israel-based cyber infrastructure”.

The group uses the Iranian company name Danesh Novin Sahand as cover for its cyber-attacks, the FBI said.

As in the past, the group commonly exploits known vulnerabilities in VPNs and other internet-exposed infrastructure, the FBI said.

An advisory by Tenable found that two of the flaws targeted by Fox Kitten, CVE-2019-19781 and CVE-2022-1388, had only been patched on about half of the affected systems, leaving “tens of thousands of potentially vulnerable devices”.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
