U.S. Authorities Alert About Ongoing Ransomware Attacks by Iranian Hacking Group

Several U.S. cybersecurity and intelligence organizations have raised concerns regarding a persistent series of ransomware assaults orchestrated by an Iranian cybercrime faction targeting various entities throughout the nation.


The breach has been attributed to a group codenamed Pioneer Kitten, also recognized under aliases such as Fox Kitten, Lemon Sandstorm (formerly Rubidium), Parisite, and UNC757, believed to have affiliations with the Iranian government, leveraging an Iranian IT firm, Danesh Novin Sahand, presumably as a front.

“Their malicious cyber operations are aimed at deploying ransomware attacks to obtain and develop network access,” the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Department of Defense Cyber Crime Center (DC3) said in a joint advisory. “These operations enable malicious cyber criminals to further collaborate with affiliated actors for the continued propagation of ransomware.”

The targeted sectors include education, finance, healthcare, defense, and local government bodies within the U.S., with breaches also discovered in Israel, Azerbaijan, and the United Arab Emirates (U.A.E.), to illicitly acquire confidential data.

The concerted effort is believed to be establishing initial access into victim networks and teaming up with ransomware affiliate entities linked with NoEscape, RansomHouse, and BlackCat (aka ALPHV) to execute encryption-based malware in exchange for a portion of the illegal gains, while keeping their national identity and origin “deliberately ambiguous.”

The assault attempts are estimated to have commenced as early as 2017 and are ongoing as recently as the current month. The hackers, who are also recognized by the online aliases Br0k3r and xplfinder, have been identified monetizing their entry to victimized organizations on clandestine marketplaces, underscoring efforts to diversify their income streams.


“A sizable portion of the group’s cyber activities centered on the U.S. aims at acquiring and maintaining technical entry to victim networks to facilitate future ransomware incidents,” the authorities highlighted. “The offenders offer total domain jurisdiction rights as well as domain admin credentials to multiple networks globally.”

“The participation of Iranian cyber criminals in these ransomware attacks goes beyond providing access; they closely collaborate with ransomware affiliates to encrypt victim networks and devise tactics to coerce victims.”

The initial access is established by exploiting remote external services on internet-facing assets vulnerable to previously disclosed vulnerabilities (CVE-2019-19781, CVE-2022-1388, CVE-2023-3519, CVE-2024-3400, and CVE-2024-24919), followed by a sequence of actions to persist, elevate privileges, and establish remote access through tools like AnyDesk or the open-source Ligolo tunneling tool.

Iranian regime-sponsored ransomware endeavors are not a recent development. In December 2020, cybersecurity firms Check Point and ClearSky detailed a Pioneer Kitten hack-and-leak campaign dubbed Pay2Key that specifically singled out numerous Israeli entities by exploiting known security vulnerabilities.


“The ransom amount varied between seven and nine Bitcoin (with a few cases where negotiation reduced it to three Bitcoin),” the firms noted at the time. “To compel victims to comply, Pay2Key’s leak site showcases pilfered sensitive information from the targeted organizations and issues threats of further disclosures if the victims delay payment.”

Some of these ransomware assaults are believed to have been executed through an Iranian contracting firm named Emennet Pasargad, as per documents leaked by Lab Dookhtegan in early 2021.

The revelation sheds light on a versatile faction that operates with intentions of both ransomware assaults and cyber surveillance, aligning with other hybrid hacking groups like ChamelGang and Moonstone Sleet.

Peach Sandstorm Unleashes Tickler Malware in a Prolonged Offensive

These developments coincide with Microsoft’s observation that Peach Sandstorm, an Iranian state-sponsored threat actor (also known as APT33, Curious Serpens, Elfin, and Refined Kitten), has deployed a new custom multi-stage malware named Tickler in attacks on entities in the satellite, communications equipment, oil and gas, and federal and state government sectors in the U.S. and U.A.E.


“Peach Sandstorm has also been carrying out password spray attacks against the educational sector to acquire infrastructure and against the satellite, government, and defense sectors as main subjects for intelligence gathering,” the technology giant stated in a report. Microsoft also identified intelligence gathering and potential social engineering focusing on the higher education, satellite, and defense sectors via LinkedIn.

On the professional networking site, these undertakings, observed since November 2021 and extending into mid-2024, were carried out through fabricated profiles pretending to be students, developers, and hiring managers situated in the U.S. and Western Europe.

The password spray attacks serve as the delivery path for the Tickler custom multi-stage malware, which is equipped to fetch additional payloads from adversary-controlled infrastructure hosted on Microsoft Azure, handle files, and collect system details.
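The password spraying described above is detectable on the defender's side because a spray looks different from a brute-force attempt: one source fails against many distinct accounts with only a few tries each, staying under lockout thresholds. The following is an added example (not code from Microsoft or from the original article) that runs that heuristic over constructed authentication log lines in a hypothetical syslog-like format, and additionally records any successful login from a source that was already flagged, since a success after a spray suggests the spray found a valid credential.

```python
"""Password-spray detection over constructed authentication log lines.

Heuristic: flag a source address whose failed logins hit at least
`min_users` distinct accounts inside a sliding time window, then note
any successful login from that same source afterwards.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format; not from any real system).
SAMPLE_LOG = """\
2024-08-01T09:00:01Z auth FAIL user=alice src=198.51.100.7
2024-08-01T09:00:02Z auth FAIL user=bob src=198.51.100.7
2024-08-01T09:00:03Z auth FAIL user=carol src=198.51.100.7
2024-08-01T09:00:04Z auth FAIL user=dave src=198.51.100.7
2024-08-01T09:00:05Z auth FAIL user=erin src=198.51.100.7
2024-08-01T09:00:06Z auth OK   user=frank src=198.51.100.7
2024-08-01T09:01:00Z auth FAIL user=alice src=203.0.113.9
2024-08-01T09:01:01Z auth FAIL user=alice src=203.0.113.9
2024-08-01T09:01:02Z auth FAIL user=alice src=203.0.113.9
2024-08-01T09:05:00Z auth OK   user=alice src=192.0.2.44
"""


def parse_line(line):
    """Split one log line into (timestamp, result, user, source)."""
    ts, _, result, user, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            result, user.split("=", 1)[1], src.split("=", 1)[1])


def detect_spray(log_text, min_users=5, window=timedelta(minutes=10)):
    """Return {src: {"users": [...], "successes": [...]}} for sources that
    failed against >= min_users distinct accounts within `window`."""
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e[0])
    fails = defaultdict(list)  # src -> [(timestamp, user)]
    alerts = {}
    for ts, result, user, src in events:
        if result != "FAIL":
            # A success from an already-flagged source is the high-value signal.
            if src in alerts:
                alerts[src]["successes"].append(user)
            continue
        fails[src].append((ts, user))
        # Distinct accounts this source failed against inside the window.
        users = {u for t, u in fails[src] if ts - t <= window}
        if len(users) >= min_users:
            alerts.setdefault(src, {"users": set(), "successes": []})
            alerts[src]["users"] |= users
    return {s: {"users": sorted(a["users"]), "successes": a["successes"]}
            for s, a in alerts.items()}
```

Note that 203.0.113.9 is not flagged: three failures against a single account is a brute-force pattern, not a spray, and would be caught by ordinary per-account lockout logic instead.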

Several of the attacks have stood out for utilizing Active Directory (AD) snapshots for malevolent administrative activities, Server Message Block (SMB) for lateral movements, and the AnyDesk remote monitoring and management (RMM) program for permanent remote entry.


“The usefulness of a tool like AnyDesk is enhanced by the fact that it could be authorized by application controls in environments where it is legitimately utilized by IT support staff or system administrators,” Microsoft noted.

The origins of Peach Sandstorm go back to the Iranian Islamic Revolutionary Guard Corps (IRGC). For over a decade, they have conducted espionage attacks against various public and private sector entities worldwide. Recent intrusions targeting the defense sector have introduced another spyware known as FalseFont.

Iranian Counterintelligence Operation Utilizes HR Tactics to Obtain Intel

Highlighting the expanding scope of Iran's activities in cyberspace, Google-owned Mandiant uncovered a suspected Iran-linked counterintelligence operation that aims at collecting data on Iranians and domestic threats who could be cooperating with its perceived enemies, notably Israel.

“The collected data could be used to identify human intelligence (HUMINT) actions conducted against Iran and prosecute Iranians suspected to be part of these actions,” as mentioned by Mandiant researchers Ofir Rozmann, Asli Koksal, and Sarah Bock in a recent publication. “These individuals might include Iranian dissidents, activists, human rights advocates, and Farsi speakers residing inside and outside Iran.”

This activity, which has been running since 2022, shows some overlap with APT42, according to the company, and is consistent with the IRGC’s history of surveillance operations against domestic threats and individuals of interest to the Iranian government.

The framework of the attack relies on a network of more than 40 counterfeit recruitment websites impersonating Israeli HR companies, distributed through platforms like X and Virasty on social media to deceive potential victims into disclosing personal details such as their name, birthdate, email, home address, educational background, and professional experience.

These bogus websites, portraying themselves as Optima HR and Kandovan HR, claim to recruit individuals for intelligence and security roles in Iran and have Telegram handles incorporating Israel (IL) (e.g., PhantomIL13 and getDmIL).

Mandiant also stated that further probe into the Optima HR websites led to the identification of a previous set of fabricated recruitment platforms aimed at Farsi and Arabic speakers linked to Syria and Lebanon (Hezbollah) via another HR company named VIP Human Solutions from 2018 to 2022.

“The campaign is casting a wide net by utilizing various social media channels to distribute its network of counterfeit HR websites in an effort to identify Farsi-speaking individuals believed to be collaborating with intelligence and security agencies and thus posing a threat to Iran’s leadership,” according to Mandiant.
