A report from U.S. cybersecurity and intelligence organizations has highlighted the activities of an Iranian hacker group engaged in ransomware attacks against multiple entities in the nation.
The operation has been attributed to a group known as Pioneer Kitten, also recognized by aliases such as Fox Kitten, Lemon Sandstorm (formerly Rubidium), Parisite, and UNC757. The report indicates that this group is associated with the government of Iran and leverages an Iranian IT firm, Danesh Novin Sahand, possibly as a front.
“The cyber operations of this group have the objective of executing ransomware assaults in order to gain and expand network access,” the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense Cyber Crime Center (DC3) stated. “These actions facilitate malevolent cyber actors to further coordinate with affiliated actors for continued deployment of ransomware.”
The sectors targeted by these attacks include education, finance, healthcare, and defense, along with various municipal bodies in the U.S. Intrusions have also been noted in Israel, Azerbaijan, and the United Arab Emirates (U.A.E.) to pilfer confidential information.
It is believed that the primary objective is to establish an initial presence in victim networks and then engage with ransomware affiliates linked to NoEscape, RansomHouse, and BlackCat (aka ALPHV) to launch file-locking malware, in return for a share of the profits, while obscuring their nationality and origin.
The attempted attacks are suspected to have started as early as 2017 and are ongoing as of this month. The threat actors, also known by the online aliases Br0k3r and xplfinder, have been seen commercializing their access to victim organizations in underground markets, indicating efforts to diversify their revenue sources.
“A significant portion of the cyber activities within the U.S. is focused on acquiring and maintaining technical access to victim networks to facilitate subsequent ransomware attacks,” the agencies specified. “The perpetrators offer complete domain oversight privileges, along with domain admin credentials, for numerous networks globally.”
“The engagement of the Iranian cyber actors in these ransomware assaults goes beyond just offering access; they actively collaborate with ransomware affiliates to encrypt victim networks and devise strategies for extorting the victims.”
To achieve initial access, the attackers exploit remote external services on internet-facing assets that are susceptible to disclosed vulnerabilities (CVE-2019-19781, CVE-2022-1388, CVE-2023-3519, CVE-2024-3400, and CVE-2024-24919), followed by a series of steps to maintain persistence, elevate privileges, and establish remote access using tools like AnyDesk or the open-source Ligolo tunneling utility.
Operations related to Iranian state-sponsored ransomware have been observed in the past. In December 2020, security firms Check Point and ClearSky highlighted a Pioneer Kitten campaign named Pay2Key that specifically targeted multiple Israeli organizations by exploiting known security vulnerabilities.
“The ransom demands ranged between seven and nine Bitcoin (with a few instances where the attacker agreed to accept three Bitcoin),” stated the company at the time. “To coerce victims into payment, the Pay2Key’s leak site exposes confidential data obtained from the targeted organizations and makes threats of additional leaks unless the victims expedite payments.”
It has been suggested that several of these ransomware incidents were executed through an Iranian company named Emennet Pasargad, as mentioned in documents leaked by Lab Dookhtegan in early 2021.
This revelation indicates a dynamic entity that operates with both ransomware and cyber espionage motives, akin to other dual-purpose hacker groups such as ChamelGang and Moonstone Sleet.
Peach Sandstorm Deploys Tickler Malware in Lengthy Operational Campaign
These developments coincide with Microsoft’s announcement that the Iranian state-sponsored threat actor Peach Sandstorm (also known as APT33, Curious Serpens, Elfin, and Refined Kitten) has begun deploying a novel custom multi-stage backdoor named Tickler in operations aimed at entities in the satellite, communications equipment, oil and gas, and federal and state government sectors in the U.S. and U.A.E.
“Peach Sandstorm has also been engaged in initiating password spray assaults on the educational sector for infrastructure acquisition purposes and on the satellite, government, and defense sectors as primary targets for intelligence gathering,” mentioned the technology giant in a report. It revealed the detection of intelligence collection activities and potential social engineering attempts targeting higher education, satellite, and defense sectors via LinkedIn.
The activities observed on the professional networking platform, which trace back to at least November 2021 and have persisted into mid-2024, have manifested in the guise of counterfeit profiles posing as students, programmers, and recruitment managers supposedly situated in the U.S. and Western Europe.
The password spray attacks serve as the means of delivering Tickler, a custom multi-stage backdoor with the ability to fetch additional payloads from attacker-controlled Microsoft Azure infrastructure, perform file operations, and gather system information.
Several intrusions stand out for using Active Directory (AD) snapshots for malicious administrative actions, employing Server Message Block (SMB) for lateral movement, and leveraging the AnyDesk remote monitoring and management (RMM) software for persistent remote access.
“The convenience and value of a tool like AnyDesk are heightened by its potential approval by application controls in environments where it is legitimately utilized by IT support personnel or system administrators,” highlighted Microsoft.
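A defender-side illustration of the application-control point above, added here and not taken from Microsoft’s report: a Python check over constructed process-creation records that flags AnyDesk launches outside an assumed approved account/path baseline and any execution of a Ligolo-named binary. The approved users, directories and tool names are assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed process-creation records (Sysmon Event ID 1 style, flattened to
# one line each). Sample data made up for this example, not from the advisory.
SAMPLE_EVENTS = [
    "user=CORP\\it-support image=C:\\Program Files\\AnyDesk\\AnyDesk.exe parent=explorer.exe",
    "user=CORP\\svc-web image=C:\\Users\\Public\\AnyDesk.exe parent=w3wp.exe",
    "user=CORP\\jdoe image=C:\\Temp\\ligolo-agent.exe parent=cmd.exe",
    "user=CORP\\alice image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe",
]

# Assumed baseline: who may legitimately run the RMM tool and from where.
APPROVED_RMM_USERS = {"corp\\it-support"}
APPROVED_RMM_DIRS = ("c:\\program files\\anydesk\\",)
TUNNEL_TOOL_NAMES = ("ligolo",)  # tunneling utility named in the advisory

FIELD_RE = re.compile(r"(\w+)=(.+?)(?= \w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value key=value' record into a dict (values may contain spaces)."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> str:
    """Return 'ok' or a reason string describing why the event is suspicious."""
    user = event.get("user", "").lower()
    image = event.get("image", "").lower()
    name = image.rsplit("\\", 1)[-1]
    if name == "anydesk.exe":
        if user not in APPROVED_RMM_USERS:
            return "rmm tool run by non-approved account"
        if not image.startswith(APPROVED_RMM_DIRS):
            return "rmm tool run from non-standard path"
        return "ok"
    if any(tool in name for tool in TUNNEL_TOOL_NAMES):
        return "tunneling tool executed"
    return "ok"


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per event that falls outside the assumed baseline."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason != "ok":
            hits.append({"user": ev["user"], "image": ev["image"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```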
Peach Sandstorm is attributed to operating on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC). It has been operational for more than a decade, executing espionage campaigns against a wide range of public and private sector entities worldwide. Recent incursions targeting the defense sector have also revealed the deployment of another backdoor named FalseFont.
Counterintelligence Strategy by Iran Employs HR Baits for Intelligence Harvesting
In a demonstration of Iran’s expanding cyber activities, Mandiant, a subsidiary of Google, unveiled a suspected counterintelligence initiative with Iranian ties focused on gathering information on Iranians and internal threats collaborating with perceived opponents, including Israel.
“The information gathered could be wielded to discover human intelligence (HUMINT) efforts against Iran and to prosecute any Iranians suspected of participating in such actions,” shared Mandiant researchers Ofir Rozmann, Asli Koksal, and Sarah Bock in a report. “This might encompass Iranian dissidents, activists, human rights advocates, and Farsi speakers residing within and outside Iran.”
The endeavor, as articulated by the company, shows a “limited similarity” with APT42 and corresponds with IRGC’s history of conducting surveillance actions against internal threats and persons of interest to the Iranian regime. The campaign has been in operation since 2022.
The key component in the attack cycle involves a network of more than 40 counterfeit recruitment websites posing as Israeli HR firms and distributed on social platforms such as X and Virasty to deceive potential targets into divulging personal details (e.g., name, date of birth, email, address, education, and work experience).
These sham websites, pretending to be Optima HR and Kandovan HR, declare their purported aim as the “employment of individuals from Iran’s intelligence and security establishments” and have Telegram accounts with references to Israel (IL) in their names (e.g., PhantomIL13 and getDmIL).
Mandiant further elaborated that a deeper inquiry into the Optima HR portals led to the unearthing of an earlier set of dummy recruitment websites focusing on Farsi and Arabic speakers affiliated with Syria and Lebanon (Hezbollah) under a different HR entity named VIP Human Solutions between 2018 and 2022.
“The initiative casts a wide net by functioning across diverse social platforms to disseminate the network of counterfeit HR websites in a bid to out Farsi-speaking individuals potentially involved with intelligence and security bodies and thus viewed as a threat to Iran’s government,” illustrated Mandiant.