A shadowy group of Iranian cyber actors is acting as access brokers for ransomware gangs and collaborating with affiliates to target the U.S. and its allies, exploiting vulnerabilities across sectors ranging from healthcare to local government.
The FBI, CISA, and the Department of Defense Cyber Crime Center (DC3) warned today that these actors, believed to be state-sponsored, are focusing aggressively on access brokering and enabling ransomware attacks.
‘Pioneer Kitten’ Targets Critical Sectors
These Iranian state-backed cyber operatives, tracked under a number of aliases such as “Pioneer Kitten,” “Fox Kitten” and “Lemon Sandstorm,” started as early as 2017 and have intensified their activities through August 2024. These threat actors have been leveraging their access to critical U.S. infrastructure to collaborate with ransomware groups, creating a nexus of threats.
The group’s focus spans across multiple critical U.S. industries, including education, finance, healthcare, and defense, as well as government entities. These cyber actors are not only breaching networks but are also selling access to ransomware affiliates, such as NoEscape and BlackCat (also known as ALPHV), enabling these groups to execute ransomware attacks more effectively. The partnership between the Iranian actors and ransomware groups goes beyond mere access sales; they actively strategize to lock networks and maximize ransom payouts.
State-Sponsored Freelance Operatives?
While the FBI assesses that these actors are associated with the Government of Iran (GOI), their activities appear to operate on two fronts. On one hand, they conduct state-sponsored operations, particularly targeting Israel, Azerbaijan, and the UAE, to steal sensitive technical data. On the other, they engage in ransomware-enabling activities that seem unsanctioned by the Iranian government, raising questions about the true extent of their independence.
Microsoft also reported on an Iranian threat actor today – “Peach Sandstorm” – that is targeting satellite, communications, energy and government sectors in the U.S. and UAE, with espionage activities more expected of state threat actors.
Access Brokers for Ransomware Affiliates Among Tactics
The collaboration between these Iranian actors and ransomware groups is a significant development in the way in which state-sponsored actors work. They offer their partners full domain control and domain admin credentials, making it easier for ransomware groups to deploy their attacks. The affiliates, in turn, reward them with a cut of the ransom, which the Iranian actors receive in cryptocurrency—a method that further complicates tracking their activities.
Historically, these actors focused on gaining access to networks and selling that access on underground marketplaces. Now, they’re taking a more hands-on approach. This collaboration isn’t just about selling access; these actors are now deeply involved in executing the ransomware attacks themselves, locking down networks and negotiating with victims.
Exploiting Vulnerabilities
These Iranian actors have been known to exploit a range of vulnerabilities in widely-used networking devices. For example, they have targeted Citrix Netscaler (CVE-2019-19781 and CVE-2023-3519), F5 BIG-IP (CVE-2022-1388), Pulse Secure/Ivanti VPNs (CVE-2024-21887) and the latest being Palo Alto Networks’ PAN-OS (CVE-2024-3400). Palo Alto had in April revealed this RCE bug as actively exploited. The threat actor use these vulnerabilities to gain initial access, often scanning IP addresses with tools like Shodan to identify exploitable devices.
Once inside, they utilize web shells, deploy backdoors, and create malicious scheduled tasks to maintain persistence. They also repurpose compromised credentials to escalate privileges within the victim’s network, making their operations difficult to detect and stop. They’ve even been observed disabling security software and using legitimate tools like AnyDesk for remote access, making it harder for defenders to spot malicious activity.
Hack-and-Leak Campaigns
These Iranian actors have also been involved in hack-and-leak operations, such as the Pay2Key campaign in late 2020, which targeted Israel. They stole data and leaked it on the dark web to undermine Israel’s cyber infrastructure. Unlike typical ransomware campaigns, these operations are aimed more at causing political and social disruption than financial gain.
Iranian Threat Mitigations and Recommendations
To counter these threats, the FBI and CISA recommend that organizations review their logs for any traffic associated with known malicious IP addresses, apply patches to vulnerabilities like CVE-2024-3400, and check for unique identifiers linked to these actors. Regularly validating security controls against behaviors mapped to the MITRE ATT&CK framework is also advised.
The increasing sophistication and collaboration between Iranian cyber actors and ransomware groups calls for heightened vigilance across all sectors, particularly those critical to national security. As these actors continue to evolve, the line between cybercrime and state-sponsored espionage blurs further. Staying vigilant is an imperative, as the consequences of these attacks go beyond financial loss—they strike at the heart of national security.
