US cybersecurity and intelligence agencies have accused an Iranian hacking group of breaching multiple organizations across the country and coordinating with ransomware affiliates to deploy ransomware.
The activity has been attributed to a threat actor tracked as Pioneer Kitten, also known as Fox Kitten, Lemon Sandstorm (formerly Rubidium), Parisite, and UNC757. The group is described as linked to the Iranian government and as operating through an Iranian information technology (IT) company, Danesh Novin Sahand, likely as a cover.
“Their malicious cyber operations are aimed at deploying ransomware attacks to gain and develop network access,” the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense Cyber Crime Center (DC3) said. “These operations help attackers further collaborate with affiliated entities to continue the deployment of ransomware.”
Targeted sectors include education, finance, healthcare, and defense, as well as local governments in the US; intrusions have also been reported in Israel, Azerbaijan, and the United Arab Emirates (UAE), where the objective was to steal sensitive data.
The goal, according to the agencies, is to gain a foothold in victim networks and then work with ransomware affiliates linked to NoEscape, RansomHouse, and BlackCat (aka ALPHV) to deploy file-encrypting malware in exchange for a share of the illicit proceeds, while keeping their nationality and origin “deliberately vague.”
The activity is believed to date back to 2017 and was still ongoing as of August 2024. The threat actors, who also go by the online aliases Br0k3r and xplfinder, were found to be selling their access to victim organizations on underground markets, highlighting attempts to diversify their revenue streams.
“A significant percentage of the group’s US-focused cyber activity is aimed at gaining and maintaining technical access to victim networks to enable future ransomware attacks,” the agencies said. “The actors offer full domain control privileges, as well as domain administrator credentials, to numerous networks worldwide.”
“The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize approaches to extorting victims.”
Initial access is obtained by exploiting internet-facing remote external services affected by known vulnerabilities: CVE-2019-19781 (Citrix ADC/Gateway), CVE-2022-1388 (F5 BIG-IP iControl REST), CVE-2023-3519 (Citrix NetScaler ADC/Gateway), CVE-2024-3400 (Palo Alto Networks PAN-OS GlobalProtect), and CVE-2024-24919 (Check Point Security Gateways). This is followed by steps to establish persistence, escalate privileges, and set up remote access through tools such as AnyDesk or the open-source tunneling tool Ligolo.
Iranian state-sponsored ransomware operations are not a new phenomenon. In December 2020, cybersecurity companies Check Point and ClearSky detailed a Pioneer Kitten hacking and data-leak campaign called Pay2Key that targeted dozens of Israeli companies by exploiting known security vulnerabilities.
“The ransom demand itself ranged from seven to nine bitcoins (with a few cases where the attacker was negotiated down to three bitcoins),” Check Point noted at the time. “To pressure victims into paying, Pay2Key’s data leak site publishes confidential information stolen from the targeted organizations and threatens further leaks if victims continue to delay payment.”
Some of the ransomware attacks were also carried out through an Iranian contractor called Emennet Pasargad, according to documents leaked by Lab Dookhtegan in early 2021.
The disclosure paints a picture of a flexible group operating with both ransomware and cyber espionage motives, joining other dual-purpose hacking groups such as ChamelGang and Moonstone Sleet.
Peach Sandstorm delivers the Tickler malware in a long-running campaign
The development comes after Microsoft said it was tracking an Iranian state-sponsored threat actor, Peach Sandstorm (aka APT33, Curious Serpens, Elfin, and Refined Kitten), using a new custom multi-stage backdoor called Tickler to attack targets in the satellite, communications equipment, oil and gas, and federal and state government sectors in the US and the UAE between April and July 2024.
“Peach Sandstorm also continued conducting password spray attacks against the educational sector for infrastructure procurement and against the satellite, government, and defense sectors as primary targets for intelligence collection,” the tech giant said, adding that it observed intelligence gathering and possible social engineering targeting the higher education, satellite, and defense sectors via LinkedIn.
This effort on the professional networking platform, which dates back to at least November 2021 and continued until mid-2024, took the form of fake profiles posing as students, developers, and talent acquisition managers purportedly based in the US and Western Europe.
The password spraying attacks serve as the entry point for Tickler, a custom multi-stage backdoor that can download additional payloads from adversary-controlled Microsoft Azure infrastructure, perform file operations, and collect system information.
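The password spraying described above has a signature that per-account lockout policies miss: one or a few passwords tried against many accounts from the same source, so no single account accumulates enough failures to lock out. The following Python script is an added example, not code from the original article, Microsoft, or CISA, and it runs over constructed authentication log lines in an assumed `timestamp source_ip username RESULT` format. It flags a source that fails against at least N distinct accounts inside a sliding time window (the spray), and then lists any account that successfully authenticated from that source during or shortly after the spray, which is the account a responder should treat as compromised. The thresholds are illustrative assumptions and should be tuned to the environment.

```python
"""Password-spray detection over constructed authentication logs.

Spraying inverts brute force: a few passwords are tried against many
accounts, staying under per-account lockout thresholds. The signal is
therefore many *distinct* accounts failing from one source within a short
window, not many failures against one account. (Added example; log
format, window and threshold are assumptions, not taken from the article.)
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real telemetry.
# Assumed format: "<ISO timestamp> <source_ip> <username> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2024-05-01T08:00:01 203.0.113.7 alice FAILURE
2024-05-01T08:00:02 203.0.113.7 bob FAILURE
2024-05-01T08:00:03 203.0.113.7 carol FAILURE
2024-05-01T08:00:04 203.0.113.7 dave FAILURE
2024-05-01T08:00:05 203.0.113.7 erin FAILURE
2024-05-01T08:00:06 203.0.113.7 frank FAILURE
2024-05-01T08:00:07 203.0.113.7 grace FAILURE
2024-05-01T08:00:08 203.0.113.7 heidi FAILURE
2024-05-01T08:00:09 203.0.113.7 ivan FAILURE
2024-05-01T08:00:10 203.0.113.7 judy FAILURE
2024-05-01T08:00:11 203.0.113.7 mallory SUCCESS
2024-05-01T08:05:00 198.51.100.9 alice FAILURE
2024-05-01T08:05:30 198.51.100.9 alice FAILURE
2024-05-01T08:06:00 198.51.100.9 alice SUCCESS
2024-05-01T09:30:00 192.0.2.44 bob FAILURE
2024-05-01T10:45:00 192.0.2.44 carol FAILURE
"""


def parse_log(text):
    """Parse log lines into (timestamp, source_ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=8):
    """Return one alert per source IP whose failures span >= min_accounts
    distinct usernames inside any `window`-long interval.

    Each alert also lists accounts that succeeded from the same source
    between the start of the spray and `window` after the threshold was
    crossed: those are the likely compromised accounts.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):           # chronological order per source
        by_ip[ev[1]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e[3] == "FAILURE"]
        start = 0
        in_window = defaultdict(int)    # username -> failures inside window
        for end, ev in enumerate(failures):
            in_window[ev[2]] += 1
            # Slide the window start forward until it fits inside `window`.
            while ev[0] - failures[start][0] > window:
                old_user = failures[start][2]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            if len(in_window) >= min_accounts:
                first, crossed = failures[start][0], ev[0]
                compromised = sorted({
                    s[2] for s in evs
                    if s[3] == "SUCCESS" and first <= s[0] <= crossed + window
                })
                alerts.append({
                    "source_ip": ip,
                    "window_start": first,
                    "threshold_crossed_at": crossed,
                    "distinct_accounts": len(in_window),
                    "compromised_accounts": compromised,
                })
                break                   # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample data only 203.0.113.7 trips the rule: ten distinct accounts fail within ten seconds and `mallory` then logs in from the same address, so that account is reported as compromised. The repeated failures from 198.51.100.9 against `alice` alone are a single-account pattern (a mistyped password or classic brute force) and are deliberately not flagged here, and the two failures from 192.0.2.44 fall outside the window. Watching for a success from the spraying source is what turns the alert into an actionable lead rather than a volume statistic.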
Some of the attacks feature the use of Active Directory (AD) snapshots for malicious administrative activity, Server Message Block (SMB) for lateral movement, and the AnyDesk remote monitoring and management (RMM) tool for persistent remote access.
“The convenience and utility of a tool like AnyDesk is amplified by the fact that it may be permitted by application controls in environments where it is used legitimately by IT support personnel or system administrators,” Microsoft said.
Peach Sandstorm is believed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC). It has been active for more than a decade, carrying out espionage attacks against public and private sector entities around the world. Recent intrusions targeting the defense sector have also delivered another backdoor called FalseFont.
Iranian counterintelligence operation uses HR lures to gather intel
In a further sign of the expanding scope of Iran’s cyber operations, Google-owned Mandiant said it had uncovered a suspected Iran-linked counterintelligence operation aimed at collecting data on Iranians and domestic threats who may be collaborating with its perceived adversaries, including Israel.
“The collected data may be leveraged to uncover human intelligence (HUMINT) operations conducted against Iran and to persecute any Iranians suspected of being involved in these operations,” Mandiant researchers Ofir Rozman, Asli Koksal, and Sarah Bock said. “These may include Iranian dissidents, activists, human rights defenders, and Farsi speakers living in and outside Iran.”
The company said the activity is linked with “weak confidence” to APT42 and is consistent with the IRGC’s track record of conducting surveillance operations against domestic threats and individuals of interest to the Iranian government. The campaign has been active since 2022.
At the heart of the attack lifecycle is a network of more than 40 fake recruitment websites posing as Israeli human resources firms, which are promoted through social media channels such as X and Virasty to trick potential victims into sharing personal information (such as name, date of birth, email address, home address, education, and professional experience).
These fraudulent websites, posing as Optima HR and Kandovan HR, claim that their purpose is “recruiting employees and officers of Iranian intelligence and security organizations” and carry Telegram handles that reference Israel (IL), such as PhantomIl13 and getDmIl.
Mandiant further said that analysis of the Optima HR websites led to the discovery of an earlier cluster of fake recruitment websites targeting Farsi and Arabic speakers associated with Syria and Lebanon (Hezbollah), operated under another fictitious recruitment firm called VIP Human Solutions between 2018 and 2022.
“The operation is casting a wide net by operating across various social media platforms to spread its network of fake HR websites in an attempt to expose Farsi-speaking individuals who may be collaborating with intelligence and security services and are therefore perceived as a threat to Iran’s regime,” Mandiant said.