U.S. cybersecurity and intelligence agencies have issued warnings regarding an Iranian hacking group that has breached numerous organizations across the nation and collaborated with affiliates to deploy ransomware.
This activity is attributed to a threat actor known as Pioneer Kitten, which also goes by Fox Kitten, Lemon Sandstorm (formerly Rubidium), Parisite, and UNC757. This group is believed to be associated with the Iranian government and utilizes an Iranian IT firm, Danesh Novin Sahand, as a likely front.
“Their malicious operations are focused on deploying ransomware to gain and maintain network access,” stated the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Defense Cyber Crime Center (DC3). “These activities facilitate collaboration with ransomware affiliates to further spread ransomware.”
The targets of these attacks span various sectors, including education, finance, healthcare, and defense, with local government entities in the U.S. also affected. Similar intrusions have been reported in Israel, Azerbaijan, and the United Arab Emirates (U.A.E.), aiming to steal sensitive information.
The primary objective, according to the agencies, is to establish an initial foothold in victim networks and then collaborate with ransomware affiliates like NoEscape, RansomHouse, and BlackCat (also known as ALPHV) to deploy file-encrypting malware in exchange for a share of the illicit profits, while intentionally obscuring their national origin.
These attacks are believed to have started as early as 2017 and continue to this day. The threat actors, who also use aliases such as Br0k3r and xplfinder, have been observed monetizing their access to victim networks through underground marketplaces, highlighting their efforts to diversify their revenue streams.
“A significant portion of the group’s U.S.-focused cyber activities aims at obtaining and maintaining technical access to victim networks to enable future ransomware attacks,” noted the agencies. “The actors offer full domain control and domain admin credentials to numerous networks worldwide.”
“The Iranian cyber actors’ role in these ransomware attacks extends beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on extortion methods.”
Initial access is gained by exploiting external remote services on internet-facing assets vulnerable to previously disclosed flaws: CVE-2019-19781 and CVE-2023-3519 in Citrix ADC/NetScaler and Gateway, CVE-2022-1388 in F5 BIG-IP, CVE-2024-3400 in Palo Alto Networks PAN-OS GlobalProtect, and CVE-2024-24919 in Check Point security gateways. The actors then take steps to persist, escalate privileges, and establish remote access using tools such as AnyDesk or the open-source Ligolo tunneling tool.
Iranian state-sponsored ransomware operations are not novel. In December 2020, cybersecurity firms Check Point and ClearSky reported on a Pioneer Kitten hack-and-leak campaign named Pay2Key, which targeted numerous Israeli companies by exploiting known security vulnerabilities.
“The ransom demanded ranged between seven and nine Bitcoin (with some cases negotiated down to three Bitcoin),” the companies stated at the time. “To pressure victims into compliance, Pay2Key’s leak site displayed sensitive information stolen from target organizations and threatened further leaks if payments were delayed.”
Some ransomware attacks have also been linked to an Iranian contracting company named Emennet Pasargad, based on documents leaked by Lab Dookhtegan in early 2021.
This disclosure portrays a versatile group with both ransomware and cyber espionage motives, akin to other dual-purpose hacking groups such as ChamelGang and Moonstone Sleet.
Peach Sandstorm Deploys Tickler Malware in Extended Campaign
Meanwhile, Microsoft has reported that Iranian state-sponsored threat actor Peach Sandstorm (also known as APT33, Curious Serpens, Elfin, and Refined Kitten) has been using a new custom multi-stage backdoor called Tickler in attacks against the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the U.S. and U.A.E. between April and July 2024.
“Peach Sandstorm has also continued executing password spray attacks against the educational sector for infrastructure procurement and targeting the satellite, government, and defense sectors for intelligence collection,” the Microsoft Threat Intelligence team noted, adding that these attacks include intelligence gathering and potential social engineering targeting the higher education, satellite, and defense sectors via LinkedIn.
These efforts on the professional networking platform, dating back to at least November 2021 and continuing into mid-2024, involved fake profiles posing as students, developers, and talent acquisition managers supposedly from the U.S. and Western Europe.
The password spray attacks facilitate the deployment of the Tickler multi-stage backdoor, which has capabilities to download additional payloads from an adversary-controlled Microsoft Azure infrastructure, perform file operations, and gather system information.
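The password spraying described above has a recognisable shape in sign-in telemetry: one source tries a small number of passwords against many distinct accounts, which stays under per-account lockout thresholds that a single-account brute force would trip. The following detector is an added example, not code from Microsoft or from the original article. The log format, the three source addresses, the account names and the thresholds (5 accounts, at most 2 attempts each, within 30 minutes) are all constructed assumptions; tune the thresholds to your own baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records in a simple key=value format.
# These are not real telemetry from any intrusion described in the article.
# 203.0.113.10 sprays six accounts once each and then lands on a seventh;
# 198.51.100.7 hammers one account (brute force, not a spray);
# 192.0.2.5 is a user who mistypes a password twice and then succeeds.
SAMPLE_LOG = """\
2024-05-03T08:00:12Z user=alice src=203.0.113.10 result=FAILURE
2024-05-03T08:00:45Z user=bob src=203.0.113.10 result=FAILURE
2024-05-03T08:01:20Z user=carol src=203.0.113.10 result=FAILURE
2024-05-03T08:02:03Z user=dave src=203.0.113.10 result=FAILURE
2024-05-03T08:02:50Z user=erin src=203.0.113.10 result=FAILURE
2024-05-03T08:03:31Z user=frank src=203.0.113.10 result=FAILURE
2024-05-03T08:04:10Z user=grace src=203.0.113.10 result=SUCCESS
2024-05-03T08:05:00Z user=admin src=198.51.100.7 result=FAILURE
2024-05-03T08:05:02Z user=admin src=198.51.100.7 result=FAILURE
2024-05-03T08:05:04Z user=admin src=198.51.100.7 result=FAILURE
2024-05-03T08:05:06Z user=admin src=198.51.100.7 result=FAILURE
2024-05-03T08:05:08Z user=admin src=198.51.100.7 result=FAILURE
2024-05-03T08:05:10Z user=admin src=198.51.100.7 result=FAILURE
2024-05-03T09:10:00Z user=alice src=192.0.2.5 result=FAILURE
2024-05-03T09:10:20Z user=alice src=192.0.2.5 result=FAILURE
2024-05-03T09:10:40Z user=alice src=192.0.2.5 result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\S+)$")


def parse_events(text):
    """Parse log lines into (timestamp, user, source_ip, result) tuples.
    Malformed lines are skipped rather than aborting the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_attempts_per_user=2):
    """Flag source IPs that, inside any `window`, failed against at least
    `min_users` distinct accounts while trying each account no more than
    `max_attempts_per_user` times. A brute force against one account has
    many attempts per user and is deliberately not matched here.

    Returns {source_ip: {"targeted_users": [...], "successes": [...]}}.
    """
    failures = defaultdict(list)   # ip -> [(timestamp, user)]
    successes = defaultdict(set)   # ip -> {user}
    for ts, user, ip, result in events:
        if result == "FAILURE":
            failures[ip].append((ts, user))
        elif result == "SUCCESS":
            successes[ip].add(user)

    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Keep fails[start:end+1] within the time window.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in fails[start:end + 1])
            if (len(per_user) >= min_users
                    and max(per_user.values()) <= max_attempts_per_user):
                findings[ip] = {
                    # Report every account this source touched, not just the
                    # ones inside the triggering window.
                    "targeted_users": sorted({u for _, u in fails}),
                    # A success from a spraying source is the event to page on.
                    "successes": sorted(successes[ip]),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_password_spray(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The per-user cap is what separates this rule from a generic failed-login counter: raising it turns the detector into a brute-force alert, and dropping the distinct-user threshold too low will page on shared NAT egress points where many users legitimately fail. A success from a flagged source should be treated as a compromised account regardless of the rest of the window.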
Notably, some attacks leverage Active Directory (AD) snapshots for malicious administrative actions, Server Message Block (SMB) for lateral movement, and AnyDesk remote monitoring and management (RMM) software for persistent remote access.
“The utility of a tool like AnyDesk is heightened by its potential acceptance in environments where it is legitimately used by IT support personnel or system administrators,” Microsoft stated.
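Both groups in this article rely on AnyDesk precisely because it blends in with legitimate IT use, and Pioneer Kitten adds the Ligolo tunneling tool for the same reason. A useful countermeasure is to compare every execution of such tools against an explicit baseline of where they may live and who may launch them. The check below is an added example, not code from Microsoft, CISA or the article. The process events, the host and account names, the approved install paths and the approved operator accounts are constructed assumptions; matching Ligolo by a fragment of its file name is also an assumption, since the agent binary is trivially renamed.

```python
import ntpath

# Hypothetical baseline: where approved RMM binaries live and who may run them.
POLICY = {
    "anydesk.exe": {
        "paths": {
            r"c:\program files (x86)\anydesk\anydesk.exe",
            r"c:\program files\anydesk\anydesk.exe",
        },
        "users": {r"corp\it.helpdesk", r"corp\it.admin"},
    },
}

# Name fragments for tunneling tools. A renamed binary evades this (assumption),
# so pair it with network detections for the tunnel traffic itself.
TUNNEL_MARKERS = ("ligolo",)

# Constructed process-creation events; not real telemetry.
SAMPLE_PROCESSES = [
    # Approved: helpdesk account, standard install path.
    {"host": "WS-IT-04", "user": "CORP\\it.helpdesk",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe"},
    # Portable AnyDesk dropped in a writable directory by a service account.
    {"host": "SRV-FILE-01", "user": "CORP\\svc_backup",
     "image": r"C:\Users\Public\AnyDesk.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    # Correct path, but launched by a finance user rather than IT.
    {"host": "WS-FIN-12", "user": "CORP\\j.doe",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe"},
    # Tunneling agent running as SYSTEM on a web server.
    {"host": "SRV-WEB-02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\ProgramData\ligolo.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
]


def review_process_events(events, policy=POLICY, tunnel_markers=TUNNEL_MARKERS):
    """Return one finding per event that violates the RMM baseline or names a
    tunneling tool. Each finding lists every reason it fired so an analyst can
    see path and identity deviations together."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        name = ntpath.basename(image)      # ntpath handles Windows paths on any OS
        user = ev["user"].lower()
        reasons = []

        rule = policy.get(name)
        if rule is not None:
            if image not in rule["paths"]:
                reasons.append("rmm binary outside approved install path")
            if user not in rule["users"]:
                reasons.append("rmm binary launched by account not in approved set")

        if any(marker in name for marker in tunnel_markers):
            reasons.append("tunneling tool name match")

        if reasons:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "image": ev["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_process_events(SAMPLE_PROCESSES):
        print(f["host"], f["user"], f["image"], "->", "; ".join(f["reasons"]))
```

The identity check matters more than the path check: an attacker with domain admin credentials can install AnyDesk in the standard location, but an approved-operator list still flags the launching account. Keep that list short and review it with the same rigour as a privileged-group membership.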
Peach Sandstorm is assessed to operate on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC). Active for over a decade, the group has conducted espionage attacks against a diverse range of public and private sector targets globally. Recent intrusions targeting the defense sector have also employed another backdoor named FalseFont.
Iranian Counterintelligence Operation Exploits HR Lures to Gather Intelligence
In a demonstration of expanding Iranian cyber operations, Google-owned Mandiant revealed a suspected Iranian counterintelligence campaign aimed at gathering data on Iranians and domestic threats who may be collaborating with perceived adversaries, including Israel.
“The collected information may be used to uncover human intelligence (HUMINT) operations against Iran and to pursue any Iranians suspected of being involved in these operations,” Mandiant researchers Ofir Rozmann, Asli Koksal, and Sarah Bock stated. “This could include Iranian dissidents, activists, human rights advocates, and Farsi speakers within and outside Iran.”
The activity shows a “weak overlap” with APT42 and aligns with the IRGC’s history of conducting surveillance operations against domestic threats and individuals of interest to the Iranian government. This campaign has been active since 2022.
The core of this attack lifecycle involves a network of over 40 fake recruitment websites masquerading as Israeli human resources firms, disseminated via social media channels like X and Virasty to deceive victims into revealing personal details (such as name, birth date, email, home address, education, and professional experience).
These decoy websites, posing as Optima HR and Kandovan HR, claim to be recruiting employees for Iran’s intelligence and security agencies and feature Telegram handles referencing Israel (e.g., PhantomIL13 and getDmIL).
Further analysis of Optima HR sites uncovered a previous cluster of fake recruitment websites targeting Farsi and Arabic speakers affiliated with Syria and Lebanon (Hezbollah) under the name VIP Human Solutions between 2018 and 2022.
“The campaign employs multiple social media platforms to distribute its network of fake HR websites, aiming to identify Farsi-speaking individuals who may be collaborating with intelligence and security agencies and thus considered a threat to Iran’s regime,” Mandiant concluded.