
Iran Government-Backed Hackers ‘Making Cash From Ransomware’

A hacking gang sponsored by the Iranian government has begun targeting organisations for ransomware operations in an apparent money-making activity separate from its usual cyber-espionage attacks, US authorities said.

The group, known by names including Pioneer Kitten, Fox Kitten, UNC757, Parisite, Rubidium and Lemon Sandstorm, has carried out a “high volume” of attacks dating back to 2017, said the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense Cyber Crime Center (DC3) in a joint advisory.

Countries targeted include the US, Israel, Azerbaijan and the United Arab Emirates, with targets in the education, finance, healthcare, defence and local government sectors.

While the group has been found carrying out information-theft attacks on targets in Israel and Azerbaijan, a “significant percentage” of its activity is devoted to the separate activity of obtaining network access for future ransomware attacks, the agencies said.

Collaboration

“FBI analysis and investigation indicate the group’s activity is consistent with a cyber actor with Iranian state-sponsorship,” the advisory said.

The group offers its criminal affiliates full domain control privileges and domain administrator credentials to numerous networks worldwide, and collaborates directly with ransomware gangs on attacks in exchange for a percentage of the ransom, the agencies said.

The ransomware gangs Pioneer Kitten has worked with include NoEscape, RansomHouse and the now-defunct ALPHV, also known as BlackCat.

“The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims,” the advisory said.

The FBI found the Pioneer Kitten hackers did not disclose their Iran-based location to those they were collaborating with and remained vague about their nationality and origin.

Cyber-espionage

The same group has also carried out hack-and-leak campaigns, such as one in 2020, known as Pay2Key, that targeted Israel-based organisations.

The Pay2Key campaign involved publishing compromised data on a .onion site, a technique often used to encourage ransomware payments.

But the FBI said it believes the campaign was primarily “an information operation aimed at undermining the security of Israel-based cyber infrastructure”.

The group uses the Iranian company name Danesh Novin Sahand as cover for its cyber-attacks, the FBI said.

As in the past, the group commonly exploits known vulnerabilities in VPN appliances and other internet-exposed infrastructure to gain initial access, the FBI said.

An analysis by Tenable found that two of the flaws targeted by Fox Kitten, CVE-2019-19781 (Citrix ADC and Gateway) and CVE-2022-1388 (F5 BIG-IP), had only been patched on about half of the affected systems, leaving “tens of thousands of potentially vulnerable devices”.
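The two CVEs above are fixed per release branch, so a device cannot be judged simply by whether its version number is "newer" than some fixed release; it must be compared against the fix for its own branch. The following triage script is an added example written for this article, not code from the agencies' advisory or from Tenable. The fix thresholds in FIXED_BUILDS are recalled from the vendor bulletins (Citrix CTX267027, F5 K23605346) and are marked as assumptions to be verified before use; the inventory is constructed and names no real hosts.

```python
"""Triage an asset inventory against per-branch fix versions for
CVE-2019-19781 (Citrix ADC/Gateway) and CVE-2022-1388 (F5 BIG-IP).

Added example, not part of the original article. The thresholds below are
ASSUMED (recalled from vendor bulletins CTX267027 and K23605346); verify
them against the current bulletins before relying on the output.
"""
import re

# ASSUMED fix thresholds, keyed by release branch.
FIXED_BUILDS = {
    "CVE-2019-19781": {  # Citrix build strings look like "13.0-47.24"
        "13.0": (47, 24), "12.1": (55, 18), "12.0": (63, 13),
        "11.1": (63, 15), "10.5": (70, 12),
    },
    "CVE-2022-1388": {  # BIG-IP versions look like "16.1.2.2"
        "17.0": (17, 0, 0, 0), "16.1": (16, 1, 2, 2), "15.1": (15, 1, 5, 1),
        "14.1": (14, 1, 4, 6), "13.1": (13, 1, 5, 0),
    },
}

_CITRIX_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")
_BIGIP_RE = re.compile(r"^\d+(\.\d+){1,3}$")


def split_version(cve, version):
    """Return (branch, comparable build tuple) or None if the string is unparseable."""
    if cve == "CVE-2019-19781":
        m = _CITRIX_RE.match(version)
        if not m:
            return None
        return m.group(1), (int(m.group(2)), int(m.group(3)))
    if cve == "CVE-2022-1388":
        if not _BIGIP_RE.match(version):
            return None
        parts = [int(p) for p in version.split(".")]
        parts += [0] * (4 - len(parts))  # pad "15.1.4" to (15, 1, 4, 0)
        return f"{parts[0]}.{parts[1]}", tuple(parts)
    return None


def is_vulnerable(cve, version):
    """True if below the fix for its own branch, False if at or above it,
    None if the version is unparseable or the branch has no entry (review manually)."""
    parsed = split_version(cve, version)
    if parsed is None:
        return None
    branch, build = parsed
    fixed = FIXED_BUILDS.get(cve, {}).get(branch)
    if fixed is None:
        return None
    return build < fixed


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "vpn-gw-1", "cve": "CVE-2019-19781", "version": "13.0-41.28"},
    {"host": "vpn-gw-2", "cve": "CVE-2019-19781", "version": "12.1-55.18"},
    {"host": "lb-edge-1", "cve": "CVE-2022-1388", "version": "15.1.4"},
    {"host": "lb-edge-2", "cve": "CVE-2022-1388", "version": "16.1.2.2"},
    {"host": "lb-legacy", "cve": "CVE-2022-1388", "version": "12.1.2"},
]


def triage(inventory):
    """Map each host to 'vulnerable', 'patched' or 'review'."""
    result = {}
    for item in inventory:
        state = is_vulnerable(item["cve"], item["version"])
        result[item["host"]] = (
            "review" if state is None else "vulnerable" if state else "patched"
        )
    return result


if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {state}")
```

The branch rule is the point of the example: a BIG-IP at 15.1.4 sorts above the fixed 14.1.4.6 build, yet it is still exposed because the 15.1 branch was not fixed until 15.1.5.1. Anything on a branch with no entry (an end-of-life 12.x BIG-IP, for instance) is reported as "review" rather than silently treated as safe.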

Matthew Broersma

Matt Broersma is a long-standing technology freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
