Friday, January 16, 2026

Iranian Advanced Persistent Threat group caught serving as intermediary for ransomware gangs

The Iranian government-sponsored hackers are facilitating ransomware attacks on behalf of cybercrime groups such as ALPHV/BlackCat, warned the US Cybersecurity and Infrastructure Security Agency (CISA). The group, known by various names including Pioneer Kitten, UNC757, Parisite, Rubidium, and Lemon Sandstorm, has been targeting US organizations since 2017, including schools, government entities, financial institutions, and healthcare facilities.

The FBI has observed Pioneer Kitten attempting to sell access to victim organizations on underground markets, with a significant portion of their activity focused on collaborating with Russian-speaking cybercrime gangs to carry out ransomware attacks. The Iranian hackers have been working closely with ransomware affiliates such as NoEscape, RansomHouse, and ALPHV/BlackCat, providing access and helping to strategize on extorting victims for ransom payments.

Pioneer Kitten’s ransomware attacks typically start by exploiting vulnerabilities in externally exposed remote services and known security flaws in widely used software and network appliances. Security teams are advised to prioritize patching these vulnerabilities to prevent initial access. Once inside, the group’s tactics include capturing login credentials, elevating privileges, setting up backdoors, disabling antivirus software, and establishing persistence through Windows services and scheduled tasks.
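The persistence step described above, creating Windows services and scheduled tasks, leaves well-known event records that defenders can review. The following Python is an added example, not code from the article or the CISA advisory: it triages constructed sample event records (the hosts, accounts, names and paths are made up) and flags service installations and task creations that combine several weak signals, such as a binary in a user-writable directory, creation outside a change window, or a creator that is not an approved installer account. The event IDs used (7045 for a new service in the System log, 4698 for a new scheduled task in the Security log) are documented Windows IDs and are not taken from the page; the thresholds and the list of approved accounts are assumptions to be tuned per environment.

```python
"""Triage Windows service-install and scheduled-task-create events for
signs of unauthorised persistence. Example code, not from the article."""
from datetime import datetime

# Documented Windows event IDs (Microsoft docs, not from the article):
# 7045 = "A service was installed in the system" (System log)
# 4698 = "A scheduled task was created" (Security log)
PERSISTENCE_EVENT_IDS = {7045: "service installed", 4698: "scheduled task created"}

# Directories an unprivileged user can write to. A service or task whose
# binary lives here is unusual for legitimately installed software.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\")

# Assumed set of accounts allowed to install services/tasks (tune per site).
APPROVED_INSTALLERS = {"CORP\\svc_backup", "CORP\\Administrator"}

# Constructed sample records, already parsed into a flat form. Real telemetry
# would come from an EDR, a SIEM, or Get-WinEvent output.
SAMPLE_EVENTS = [
    {"time": "2024-08-27T02:14:09", "event_id": 7045, "host": "fs01",
     "user": "CORP\\svc_backup", "name": "BackupAgent",
     "path": "C:\\Program Files\\Backup\\agent.exe"},
    {"time": "2024-08-27T03:02:51", "event_id": 7045, "host": "fs01",
     "user": "CORP\\jdoe", "name": "WinUpdateSvc",
     "path": "C:\\Users\\Public\\svc.exe"},
    {"time": "2024-08-27T09:15:00", "event_id": 4624, "host": "dc01",
     "user": "CORP\\jdoe", "name": "", "path": ""},  # logon, not persistence
    {"time": "2024-08-27T11:20:00", "event_id": 4698, "host": "dc01",
     "user": "CORP\\Administrator", "name": "\\Microsoft\\Windows\\Maintenance\\Cleanup",
     "path": "C:\\Windows\\System32\\cleanmgr.exe"},
    {"time": "2024-08-27T23:48:12", "event_id": 4698, "host": "dc01",
     "user": "CORP\\jdoe", "name": "\\Updater",
     "path": "C:\\Users\\jdoe\\AppData\\Roaming\\u.exe"},
]


def _reasons(event, approved_accounts, change_window):
    """Return the list of weak signals that apply to one persistence event."""
    reasons = []
    if event["path"].lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("binary in user-writable path")
    hour = datetime.fromisoformat(event["time"]).hour
    start, end = change_window
    if not (start <= hour < end):
        reasons.append("created outside change window")
    if event["user"] not in approved_accounts:
        reasons.append("creator not an approved installer account")
    return reasons


def find_suspicious_persistence(events, approved_accounts,
                                change_window=(8, 18), min_reasons=2):
    """Return persistence events that accumulate at least `min_reasons`
    signals. Requiring two signals keeps a single off-hours install by an
    approved account from paging anyone."""
    findings = []
    for event in events:
        kind = PERSISTENCE_EVENT_IDS.get(event["event_id"])
        if kind is None:
            continue  # not a service/task creation event
        reasons = _reasons(event, approved_accounts, change_window)
        if len(reasons) >= min_reasons:
            findings.append({"host": event["host"], "kind": kind,
                             "name": event["name"], "user": event["user"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_persistence(SAMPLE_EVENTS, APPROVED_INSTALLERS):
        print(f"{f['host']}: {f['kind']} '{f['name']}' by {f['user']} "
              f"-> {', '.join(f['reasons'])}")
```

On the sample data this flags the off-hours service pointing at `C:\Users\Public` and the late-night task pointing into a roaming profile, while the approved backup agent and the Administrator-created maintenance task pass. Lowering `min_reasons` to 1 surfaces the off-hours backup install as a lower-priority item, which is a reasonable second tier for review.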

It remains unclear whether Pioneer Kitten’s ransomware operations are officially sanctioned by the Iranian government. The group appears to engage primarily in hack-and-leak campaigns against regional adversaries such as Israel, Azerbaijan, and the United Arab Emirates, rather than focusing solely on financial gain. The CISA advisory provides further technical details on Pioneer Kitten’s attack chain and tactics.