A recent warning from the FBI, CISA, and the Department of Defense Cyber Crime Center (DC3) shed light on a group of Iranian cyber actors operating as access brokers for ransomware gangs. These state-sponsored operatives, known as “Pioneer Kitten,” “Fox Kitten,” and “Lemon Sandstorm,” have been active since 2017 and have ramped up their activities through August 2024. Their main focus is on collaborating with ransomware groups to target critical sectors in the U.S. and its allies, including healthcare, finance, education, defense, and government entities.
The Iranian cyber actors not only breach networks but also sell access to ransomware affiliates like NoEscape and BlackCat (ALPHV), enabling them to carry out more effective ransomware attacks. This partnership extends beyond just selling access; the Iranian actors actively participate in strategizing and executing ransomware attacks, aiming to maximize ransom payouts.
While the FBI believes these actors are associated with the Government of Iran (GOI), they appear to operate on two fronts. On one hand, they conduct state-sponsored operations targeting countries like Israel, Azerbaijan, and the UAE to steal sensitive technical data. On the other hand, they engage in unsanctioned ransomware-enabling activities, raising questions about the extent of their independence from the Iranian government.
Microsoft also reported on another Iranian threat actor called “Peach Sandstorm,” which targets satellite, communications, energy, and government sectors in the U.S. and UAE, exhibiting espionage activities typically associated with state threat actors.
The collaboration between Iranian cyber actors and ransomware groups marks a shift in how state-sponsored actors operate. By offering full domain control and admin credentials to ransomware affiliates, the Iranian actors simplify the deployment of ransomware attacks. In return, they receive a share of the ransom in cryptocurrency, making it harder to trace their activities. Historically, these actors focused on selling access to networks on underground markets, but now they are actively involved in carrying out ransomware attacks.
These Iranian actors exploit vulnerabilities in widely used networking devices like Citrix NetScaler, F5 BIG-IP, Pulse Secure/Ivanti VPNs, and Palo Alto Networks’ PAN-OS to gain initial access. Once inside, they employ various tactics to maintain persistence, escalate privileges, and evade detection, including disabling security software and using legitimate tools for remote access.
In addition to ransomware attacks, these Iranian actors have been involved in hack-and-leak campaigns aimed at causing political and social disruption rather than financial gain. To mitigate these threats, organizations are advised to monitor their logs for malicious IP traffic, patch vulnerabilities, and validate security controls against known threat behaviors.
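The log-monitoring advice above is easier to act on with a concrete check. The following script is an added example and not part of the article or the joint advisory: it parses constructed, syslog-style VPN gateway login lines and flags any whose source address falls inside a block list. The block list here uses placeholder documentation ranges (203.0.113.0/24, 198.51.100.7), not the advisory's real indicators, which a deployment would load in their place; the log format, hostnames and usernames are likewise made up for the example.

```python
import ipaddress
import re

# Constructed placeholder block list (RFC 5737 documentation addresses).
# These are NOT indicators from the advisory; load the published IP list here.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")
]

# Constructed sample log lines in a simple key=value, syslog-like format.
# The last line is deliberately malformed to show the parser skipping it.
SAMPLE_LOGS = """\
2024-08-28T10:01:12Z vpn-gw1 login user=alice src=192.0.2.10 status=success
2024-08-28T10:02:40Z vpn-gw1 login user=admin src=203.0.113.45 status=success
2024-08-28T10:03:05Z vpn-gw1 login user=bob src=198.51.100.7 status=failure
2024-08-28T10:04:51Z vpn-gw1 login user=carol src=192.0.2.33 status=success
2024-08-28T10:05:00Z vpn-gw1 malformed line without a source field
"""

# Timestamp, host and event name, then the remaining key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    fields.update(ts=m["ts"], host=m["host"], event=m["event"])
    return fields


def is_blocked(ip_text, networks=BLOCKED_NETWORKS):
    """True if ip_text is a valid IP inside any listed network; False otherwise."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # A garbage src value is not a match, but it is also not a crash.
        return False
    return any(ip in net for net in networks)


def find_hits(lines, networks=BLOCKED_NETWORKS):
    """Return parsed records whose src address matches the block list."""
    hits = []
    for raw in lines:
        rec = parse_line(raw.rstrip("\n"))
        if rec is None or "src" not in rec:
            continue
        if is_blocked(rec["src"], networks):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    # Note that a successful admin login from a listed address is the case
    # most worth escalating, since it may indicate sold or stolen credentials.
    for h in find_hits(SAMPLE_LOGS.splitlines()):
        print(f"{h['ts']} {h['host']} src={h['src']} "
              f"user={h.get('user')} status={h.get('status')}")
```

On the sample input the script reports two lines, the admin login from 203.0.113.45 and the failed login from 198.51.100.7, and silently skips the malformed line. Matching on `ipaddress.ip_network` objects rather than string prefixes means a single entry covers a whole CIDR range and avoids false matches such as "203.0.113.4" against "203.0.113.45".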
As Iranian cyber actors continue to evolve and collaborate with ransomware groups, increased vigilance across all sectors critical to national security is paramount. The blurred line between cybercrime and state-sponsored espionage means the potential consequences extend beyond financial loss to the heart of national security.
