An Iranian-based group of threat actors associated with the Government of Iran (GOI) is working directly with affiliates of several ransomware groups, according to a joint federal cybersecurity advisory released on August 28. The Iranian threat group, known by several names, including Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm, has provided affiliates associated with the ransomware groups ALPHV/BlackCat, NoEscape, and RansomHouse with access to victim networks and assistance extorting victims for ransom payments in return for a percentage of the ransom collected.
What’s Notable and Unique
- Although the Pioneer Kitten threat group conducts cyberattacks in support of the GOI, researchers believe that its activity with ransomware groups is separate and unsanctioned by the GOI. When working with affiliates of the ransomware groups, the group does not share its Iranian nationality or location.
- The Iranian threat actors have exploited the recent Check Point Security Gateways vulnerability CVE-2024-24919, which can allow an attacker to gain domain admin privileges. The hotfix for this vulnerability can be found here.
- To assist in identifying future attacks associated with the Pioneer Kitten threat group, the FBI provided indicators of compromise, bitcoin addresses, and Tox messenger identifiers in the advisory report.
Analyst Comments
This collaboration between members of the Iranian Pioneer Kitten group and ransomware affiliates adds a layer of complexity when assessing a sanctions nexus. With ALPHV no longer operating as a ransomware-as-a-service (RaaS), it is possible the Iranian threat actors will align themselves with affiliates of newer RaaS organizations in the future. Arete remains diligent in studying ransomware adversaries’ operations and tactics, techniques, and procedures to identify groups with potential ties to sanctioned entities. Additionally, to help prevent being targeted by the Pioneer Kitten, the FBI and CISA recommend that organizations “review available logs for IP addresses” provided in the advisory “to identify historical activity or incidents which may have previously been identified.” The advisory also recommends organizations patch the CVE vulnerabilities and check for the identifiers and TTPs referenced in the report.
Sources
Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations
Preventative Hotfix for CVE-2024-24919 – Quantum Gateway Information Disclosure