U.S. Organizations Alerted About Ongoing Ransomware Attacks by Iranian Hacking Group

U.S. national security and intelligence agencies have warned that an Iranian hacking group is currently conducting ransomware attacks against organizations across the country.


The activity has been attributed to Pioneer Kitten, a threat actor also tracked as Fox Kitten, Lemon Sandstorm (formerly Rubidium), Parisite, and UNC757, which is believed to be tied to the Iranian government and to operate through an Iranian IT company, Danesh Novin Sahand, as a possible front.

“Their nefarious cyber campaigns are designed to launch ransomware strikes for the purpose of gaining and enhancing network access,” the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense Cyber Crime Center (DC3) said in a joint advisory. “These campaigns assist malicious cyber criminals in further collaborating with partner actors to persist in carrying out ransomware assaults.”

Targets include the education, finance, healthcare, and defense sectors, as well as local government entities in the U.S., with additional intrusions reported in Israel, Azerbaijan, and the United Arab Emirates (U.A.E.), where the goal was to steal sensitive data.

According to the agencies' assessment, the primary objective is to gain an initial foothold on victim networks and then partner with ransomware affiliates tied to NoEscape, RansomHouse, and BlackCat (aka ALPHV) to deploy file-encrypting malware in exchange for a cut of the illicit proceeds, while deliberately keeping their nationality and origin vague.

The activity is believed to have started as early as 2017 and continues to this day. The actors, who also go by the handles Br0k3r and xplfinder in online forums, have been observed selling access to compromised victim organizations on underground marketplaces, an indication that they are looking to diversify their revenue streams.


“A substantial portion of the group’s cyber activities focused on the U.S. involves gaining and maintaining technical control over victim networks to facilitate future ransomware attacks,” the agencies said. “The attackers offer complete control over domains, along with administrator credentials, to multiple networks worldwide.”

“The involvement of Iranian cyber criminals in these ransomware attacks surpasses mere access provision; they actively collaborate with ransomware allies to encrypt victim networks and devise strategies to extort victims.”

Initial access is obtained by exploiting external remote services on internet-facing assets that are vulnerable to previously disclosed flaws in edge appliances: CVE-2019-19781 (Citrix ADC and Gateway), CVE-2022-1388 (F5 BIG-IP iControl REST), CVE-2023-3519 (Citrix NetScaler ADC and Gateway), CVE-2024-3400 (Palo Alto Networks PAN-OS GlobalProtect), and CVE-2024-24919 (Check Point security gateways). This is followed by steps to establish persistence, escalate privileges, and set up remote access using tools such as AnyDesk or the open-source Ligolo tunneling software. All five are patched, so an exposed device that is still unpatched, or that was patched after public exploitation began without being checked for web shells or added accounts, should be treated as a likely point of entry.

State-sponsored Iranian ransomware activity is not new. In December 2020, cybersecurity firms Check Point and ClearSky detailed a Pioneer Kitten hack-and-leak campaign dubbed Pay2Key that targeted numerous Israeli companies by exploiting known security flaws.


“The ransom demands ranged from seven to nine Bitcoin (with some cases involving negotiation down to three Bitcoin),” the researchers noted. “To coerce victims into payment, the Pay2Key leak portal exhibits sensitive information stolen from the targeted entities and issues threats of additional disclosures if payments are further delayed.”

Several ransomware attacks are also believed to have been carried out through an Iranian contracting company named Emennet Pasargad, according to documents leaked by Lab Dookhtegan in early 2021.

The disclosure highlights a versatile unit operating with a mix of ransomware and cyber-espionage motives, placing it alongside other multi-purpose hacking groups such as ChamelGang and Moonstone Sleet.

Peach Sandstorm Deploys Tickler Malware in Long-Lasting Campaign

The development coincides with Microsoft's disclosure that the Iranian state-sponsored threat actor Peach Sandstorm, also known as APT33, Curious Serpens, Elfin, and Refined Kitten, has deployed a new custom multi-stage backdoor named Tickler in attacks targeting the satellite, communications equipment, oil and gas, and federal and state government sectors in the U.S. and U.A.E. between April and July 2024.


Microsoft said it has also observed Peach Sandstorm conducting password spray attacks against the education sector to acquire infrastructure and against the satellite, government, and defense sectors to gather intelligence. Beyond password spraying, the company identified intelligence-gathering and possible social-engineering activity on LinkedIn aimed at the higher education, satellite, and defense sectors.

The LinkedIn activity, which began in November 2021 and continued into mid-2024, involved fake profiles posing as students, developers, and talent acquisition managers purportedly based in the U.S. and Western Europe.

The password spray attacks serve as the delivery vector for Tickler, a custom multi-stage backdoor that can fetch additional payloads from attacker-controlled Microsoft Azure infrastructure, perform file operations, and collect system information. Password spraying differs from brute force in that it tries one or a few common passwords against many accounts, so it stays below per-account lockout thresholds; detecting it therefore means correlating failed logons across many accounts from a single source, rather than counting failures per account.
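The following is an added example, not code from the original article or from Microsoft, showing the correlation the paragraph above describes. The log lines are constructed for the example; the thresholds (30-minute window, five distinct accounts, at most three tries per account) are assumptions to be tuned against your own authentication volume. It flags the sprayed source, leaves a single-account brute-force attempt alone, and records any account that authenticated successfully from the spraying source inside the window, which is the case that needs an immediate response.

```python
"""Password-spray detection over authentication logs (added example).

A spray hits many accounts a few times each from one source, staying under
per-account lockout; brute force hammers one account. The detector keys on
distinct users per source within a time window, then looks for a success
from the same source after the spray.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real telemetry.
# Format: "<ISO timestamp> <source_ip> <user> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-06-03T08:00:01 203.0.113.7 alice FAIL
2024-06-03T08:00:04 203.0.113.7 bob FAIL
2024-06-03T08:00:09 203.0.113.7 carol FAIL
2024-06-03T08:00:13 203.0.113.7 dave FAIL
2024-06-03T08:00:20 203.0.113.7 erin FAIL
2024-06-03T08:00:26 203.0.113.7 frank FAIL
2024-06-03T08:00:31 203.0.113.7 grace SUCCESS
2024-06-03T08:05:00 198.51.100.9 alice FAIL
2024-06-03T08:05:02 198.51.100.9 alice FAIL
2024-06-03T08:05:05 198.51.100.9 alice FAIL
2024-06-03T08:05:08 198.51.100.9 alice FAIL
2024-06-03T08:05:10 198.51.100.9 alice FAIL
2024-06-03T08:05:12 198.51.100.9 alice FAIL
2024-06-03T09:30:00 192.0.2.44 bob FAIL
2024-06-03T09:30:30 192.0.2.44 bob SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": outcome == "SUCCESS"})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=3):
    """Flag source IPs whose failed logons within `window` touch at least
    `min_users` distinct accounts with no single account tried more than
    `max_per_user` times (assumed thresholds). Returns one finding per
    source IP, including any account that logged in successfully from that
    IP inside the window, whether or not that account was sprayed."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if not e["ok"]]
        for i, start in enumerate(failures):
            end = start["ts"] + window
            # Sliding window anchored on each failure, so a slow spray is
            # caught wherever it begins.
            per_user = Counter(e["user"] for e in failures[i:] if e["ts"] <= end)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                successes = sorted({e["user"] for e in evs
                                    if e["ok"] and start["ts"] <= e["ts"] <= end})
                findings.append({
                    "source_ip": ip,
                    "window_start": start["ts"].isoformat(),
                    "targeted_users": sorted(per_user),
                    "successes_after_spray": successes,
                })
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed input, 203.0.113.7 is reported with six targeted accounts and a success for grace inside the window, 198.51.100.9 (six failures against alice alone) is not reported because it is brute force rather than a spray, and 192.0.2.44 (one mistyped password, then a success) produces nothing. In production the source key is often a tenant-wide user agent or ASN rather than a single IP, because spray tooling rotates addresses.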

Several attacks are notable for using Active Directory (AD) snapshots for malicious administrative activity, Server Message Block (SMB) for lateral movement, and the AnyDesk remote monitoring and management (RMM) software for persistent remote access.


“The convenience and effectiveness of a utility like AnyDesk are heightened by the fact that it may be sanctioned by application directives in environments where it is appropriately used by IT support staff or system administrators,” according to Microsoft.
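Both the Pioneer Kitten advisory (AnyDesk and Ligolo for remote access after initial exploitation) and Microsoft's observation above (AnyDesk slipping past application control because IT legitimately uses it) point to the same hunting problem: a dual-use tool cannot be blocked outright, so the check has to encode where and by whom it is allowed to run. The following is an added example, not code from the advisory, Microsoft, or either tool's vendor, that triages constructed process-creation events against such a policy. The approved install directories and helpdesk accounts are assumptions standing in for your own application-control rules, and the Ligolo-ng agent command-line shape (`agent -connect <proxy>:<port> [-ignore-cert]`) is an assumption drawn from the tool's documented usage; matching on the arguments rather than the file name means a renamed binary is still caught.

```python
"""Hunting for unsanctioned RMM tools and tunnel agents in process events
(added example). Events are constructed, not real telemetry; the policy
values and the Ligolo-ng command-line shape are assumptions."""
import ntpath
import re

# Assumed policy: AnyDesk counts as "approved by application control" only
# when it runs from its managed install directory AND under a helpdesk account.
APPROVED_RMM = {
    "anydesk.exe": {
        "dirs": {r"c:\program files (x86)\anydesk", r"c:\program files\anydesk"},
        "users": {r"corp\helpdesk01", r"corp\helpdesk02"},
    },
}

# Assumed Ligolo-ng agent invocation: `agent -connect <proxy>:<port> [-ignore-cert]`.
# Matching the argument shape catches the agent even when the binary is renamed.
TUNNEL_CMDLINE = re.compile(r"(?:^|\s)-{1,2}connect\s+\S+:\d{1,5}\b", re.IGNORECASE)
TUNNEL_NAME_HINTS = ("ligolo",)

# Constructed process-creation events (Sysmon Event ID 1-style fields).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "cmdline": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"',
     "user": r"CORP\helpdesk01", "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\jsmith\AppData\Local\Temp\AnyDesk.exe",
     "cmdline": r'"C:\Users\jsmith\AppData\Local\Temp\AnyDesk.exe"',
     "user": r"CORP\svc-backup", "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\Temp\svchost.exe",
     "cmdline": r"svchost.exe -connect 203.0.113.50:11601 -ignore-cert",
     "user": r"NT AUTHORITY\SYSTEM", "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "user": r"NT AUTHORITY\SYSTEM", "parent": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "cmdline": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"',
     "user": r"CORP\jsmith", "parent": r"C:\Windows\explorer.exe"},
]


def triage_process_event(ev):
    """Return a list of (rule, reason) findings for one process-creation event."""
    image = ev["image"].lower()
    name = ntpath.basename(image)
    directory = ntpath.dirname(image)
    user = ev["user"].lower()
    cmdline = ev.get("cmdline", "")
    findings = []

    policy = APPROVED_RMM.get(name)
    if policy:
        # A sanctioned tool in the wrong place or the wrong hands is the
        # dual-use case application control alone does not catch.
        if directory not in policy["dirs"]:
            findings.append(("unsanctioned_rmm_path",
                             f"{name} launched from {ev['image']}"))
        if user not in policy["users"]:
            findings.append(("unsanctioned_rmm_user",
                             f"{name} run by {ev['user']}"))

    if any(hint in name for hint in TUNNEL_NAME_HINTS) or TUNNEL_CMDLINE.search(cmdline):
        findings.append(("tunnel_agent", f"{ev['image']} {cmdline}"))
    return findings


def triage_process_events(events):
    """Triage a batch of events; returns (event index, rule, reason) triples."""
    return [(idx, rule, reason)
            for idx, ev in enumerate(events)
            for rule, reason in triage_process_event(ev)]


if __name__ == "__main__":
    for idx, rule, reason in triage_process_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {reason}")
```

On the constructed events, the helpdesk launch from the managed directory is clean, the copy in a user's Temp folder run by a service account trips both the path and the user rule, the renamed `svchost.exe` in `C:\Windows\Temp` is flagged as a tunnel agent purely on its `-connect host:port` arguments, the real `svchost.exe` is ignored, and AnyDesk run by an ordinary user from the approved directory is flagged on the user rule alone. Extend the policy with file hashes or signer checks if your telemetry carries them; path and account are the minimum that turns "approved application" into "approved use".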

Peach Sandstorm is believed to operate on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC). It has been active for more than a decade, carrying out espionage attacks against public and private sector entities worldwide. Recent intrusions in the defense sector also used another backdoor known as FalseFont.

Iranian Counterintelligence Operation Utilizes HR Tactics to Gather Intel

In a sign of Iran's expanding cyber activity, Google-owned Mandiant disclosed a suspected Iranian-linked counterintelligence operation focused on collecting information about Iranians and domestic threats who may be collaborating with the country's perceived adversaries, including Israel.

“The harvested data could be utilized to unearth human intelligence (HUMINT) operations directed against Iran and to pursue any Iranians suspected of participating in these operations,” Mandiant researchers Ofir Rozmann, Asli Koksal, and Sarah Bock said. “These individuals may include Iranian dissidents, activists, human rights advocates, and Farsi speakers residing inside and outside Iran.”

The operation, which has been active since 2022, shows a “tenuous connection” to APT42, according to the firm, and is consistent with the IRGC's history of conducting surveillance against domestic threats and individuals of interest to the Iranian authorities.

At the core of the scheme is a network of more than 40 fake recruitment websites posing as Israeli human resources firms, which are promoted through social media channels. The sites are designed to trick targets into submitting personal data such as their identification, date of birth, email address, home address, and educational and professional background.

The decoy sites, which present themselves as Optima HR and Kandovan HR, claim to be “recruiting staff and officers for Iran’s intelligence and security organizations” and advertise Telegram accounts whose handles reference Israel (IL), such as PhantomIL13 and getDmIL.

Further analysis by Mandiant uncovered an earlier cluster of fake recruitment sites, operated under a different HR consultancy name, VIP Human Solutions, that targeted Farsi and Arabic speakers affiliated with Syria and Lebanon (Hezbollah) between 2018 and 2022.

“The campaign encompasses a wide audience by operating across various social media platforms for disseminating its array of false HR sites in an effort to uncover Farsi-speaking individuals who might be associated with intelligence and security agencies and are perceived as threats to Iran’s governance,” according to Mandiant.
