Iranian State-Sponsored Hackers Have Become Access Brokers for Ransomware Gangs
2024-9-5 19:31:22 Author: cyble.com

Iranian state-backed actors operating under aliases like “Pioneer Kitten” are increasingly targeting critical infrastructure – and expanding their activities into brokering access for ransomware affiliates.

Key Takeaways

  • A group of Iranian state-sponsored hackers has evolved into access brokers for ransomware gangs, targeting critical U.S. and allies’ sectors like education, finance, healthcare, and defense.
  • The FBI, CISA, and DC3 have issued a joint advisory highlighting the dual nature of these threat actors’ activities, which include both monetizing network access and conducting espionage aligned with Iranian government interests.
  • The hackers, known by names like “Pioneer Kitten” and “Lemon Sandstorm,” are highly adaptive, continuously evolving their methods to exploit vulnerabilities in widely used network devices and selling domain control to ransomware groups like ALPHV (BlackCat) and NoEscape.
  • Beyond ransomware, the group has engaged in hack-and-leak operations aimed at causing reputational damage rather than securing a ransom, signaling a shift towards information warfare.
  • The advisory urges organizations to patch known vulnerabilities immediately, stay vigilant, and monitor for indicators of compromise, including unauthorized installs and outbound traffic to suspicious domains.

Overview

They move silently across networks, leveraging every vulnerability left unpatched, exploiting gaps with surgical precision. The group of Iran-based threat actors—active since at least 2017—has become a persistent and formidable threat, targeting U.S. organizations across vital sectors such as education, finance, healthcare, and defense. These cybercriminals aren’t just isolated hackers; they operate with a level of sophistication that suggests state sponsorship, and their ultimate goals are far-reaching and deeply concerning.

The FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) have issued a joint advisory warning about these Iran-based actors. Their operations reveal a dual purpose: monetizing network access by collaborating with ransomware affiliates and engaging in espionage activities aligned with Iranian government interests. U.S. organizations, particularly those in critical infrastructure, are urged to take action and bolster their defenses.

Technical Details

The threat group, known by various names like “Pioneer Kitten,” “Fox Kitten,” “Lemon Sandstorm,” and more recently, “xplfinder,” has demonstrated adaptability in its tactics. From exploiting vulnerabilities in widely used network devices to selling domain control privileges on dark web marketplaces, they have continuously evolved their methods to stay ahead of defensive measures.

Their modus operandi involves not just gaining access but maintaining it—often for future ransomware attacks. They offer full domain control to ransomware groups like ALPHV (also known as BlackCat) and NoEscape, receiving a cut from the ransom payments. These actors are not only gatekeepers to compromised networks but active participants in planning and executing ransomware campaigns.

The group’s tactics extend beyond traditional cybercrime. In some instances, they’ve conducted hack-and-leak operations, where they publicly expose sensitive information to destabilize and pressure their targets. The Pay2Key campaign in 2020, which targeted Israeli organizations, is one such example. By leaking stolen data on the dark web and tagging media outlets, they aimed to cause reputational damage rather than secure a ransom, signaling a strategic shift towards information warfare.

In addition to Israel, Azerbaijan and the UAE have also been targets.

The threat actors’ methods are mapped meticulously to the MITRE ATT&CK framework—a widely recognized matrix that categorizes cyberattack tactics and techniques. Initial intrusions often occur through internet-facing assets like firewalls and VPNs, with the group exploiting known vulnerabilities such as CVE-2024-3400 in Palo Alto Networks’ PAN-OS. Once inside, they use tools like Shodan to identify vulnerable devices and deploy webshells to capture credentials, laying the groundwork for deeper infiltration.

The threat actors have also mastered persistence by deploying backdoors and creating new user accounts, often masquerading as legitimate services. Their ability to evade detection and maintain long-term access makes them particularly dangerous, as they can strike at any time, often when least expected.

The FBI and CISA advisory provides a detailed list of indicators of compromise (IOCs) and recommendations for mitigating the threat posed by these actors. Organizations are urged to apply patches for known vulnerabilities immediately and review their logs for signs of compromise, particularly looking for outbound traffic to suspicious domains. The use of tools like NGROK for tunneling and Ligolo for maintaining remote access requires constant network scrutiny to detect unauthorized activities.

Conclusion

The evolving tactics of these Iran-based cyber actors highlight the growing complexity and danger of cyber threats today. Organizations in the U.S. and allied countries must not only defend against ransomware but also be prepared for state-sponsored espionage and information warfare. As the line between criminal and nation-state activities blurs, the stakes for cybersecurity have never been higher.

For those in critical sectors, the time to act is now.

MITRE ATT&CK Tactics and Techniques

See Table 1 to Table 9 for all referenced threat actor tactics and techniques.

1. Reconnaissance

| Technique Title | ID | Use or Assessed Use |
| --- | --- | --- |
| Search Open Technical Databases | T1596 | Iranian cyber actors use Shodan (Shodan[.]io) to identify internet infrastructure hosting devices vulnerable to particular CVEs. |

2. Initial Access

| Technique Title | ID | Use or Assessed Use |
| --- | --- | --- |
| Exploit Public-Facing Application | T1190 | Iranian cyber actors scan and exploit public-facing networking devices, including the following devices and associated CVEs: Citrix Netscaler (CVE-2019-19781 and CVE-2023-3519); F5 BIG-IP (CVE-2022-1388); Pulse Secure/Ivanti VPNs (CVE-2024-21887); PAN-OS firewalls (CVE-2024-3400); Check Point Security Gateways (CVE-2024-24919). |
| External Remote Services | T1133 | Iranian cyber actors create a /xui/common/images/ directory on targeted IP addresses. |

3. Persistence

| Technique Title | ID | Use or Assessed Use |
| --- | --- | --- |
| Server Software Component: Web Shell | T1505.003 | Iranian cyber actors capture login credentials on compromised Netscaler devices via a deployed webshell; create a directory on Netscaler devices for webshell deployment; deploy webshells on compromised Netscaler devices in two directories (observed shortly after system owners applied patches); and place the malicious backdoor version.dll. |
| Create Account (Local Account) | T1136.001 | Iranian cyber actors create local accounts on victim networks. |
| Account Manipulation | T1098 | Iranian cyber actors request zero-trust application exemptions for tools they intend to deploy. |
| Scheduled Task/Job | T1053 | Iranian cyber actors implement a scheduled task that uses a DLL side-loading technique and a scheduled task that loads malware through backdoors. |
| Server Software Component | T1505 | Iranian cyber actors implement the daily creation of a Windows service task for persistence as detection and mitigation occur. |

4. Privilege Escalation

| Technique Title | ID | Use or Assessed Use |
| --- | --- | --- |
| Valid Accounts: Local Accounts | T1078.003 | Iranian cyber actors repurpose compromised credentials (e.g., from a Netscaler device) to log into other applications. |
| Valid Accounts: Domain Accounts | T1078.002 | Iranian cyber actors repurpose administrative credentials of network admins to log into domain controllers and other infrastructure. |

5. Defense Evasion

| Technique Title | ID | Use or Assessed Use |
| --- | --- | --- |
| Impair Defenses: Disable or Modify Tools | T1562.001 | Iranian cyber actors use administrator credentials to disable antivirus and security software. |
| Impair Defenses: Disable or Modify Tools | T1562.001 | Iranian cyber actors attempt to enter security exemption tickets to the network security device or contractor to get their tools allowlisted. |
| Impair Defenses: Downgrade Attack | T1562.010 | Iranian cyber actors lower PowerShell policies to a less secure level. |

6. Credential Access

| Technique Title | ID | Use or Assessed Use |
| --- | --- | --- |
| Input Capture | T1056 | Iranian cyber actors capture login credentials on compromised Netscaler devices via a deployed webshell. |

7. Execution

| Technique Title | ID | Use or Assessed Use |
| --- | --- | --- |
| Command and Scripting Interpreter | T1059.001 | Iranian cyber actors use an admin account to initiate a remote desktop session to start Microsoft Windows PowerShell ISE. |
| Command and Scripting Interpreter | T1059.001 | Iranian cyber actors enable servers to use Windows PowerShell Web Access. |

8. Discovery

| Technique Title | ID | Use or Assessed Use |
| --- | --- | --- |
| Query Registry | T1012 | Iranian cyber actors export registry hives and network firewall configurations. |
| Domain Trust Discovery | T1482 | Iranian cyber actors exfiltrate account usernames from the domain controller and access configuration files and logs. |

9. Command and Control

| Technique Title | ID | Use or Assessed Use |
| --- | --- | --- |
| Remote Access Software | T1219 | Iranian cyber actors install the "AnyDesk" remote access program. Iranian cyber actors deploy Meshcentral to connect with compromised servers for remote access. |
| Protocol Tunneling | T1572 | Iranian cyber actors use the open source tunneling tool ligolo/ligolo-ng and NGROK (ngrok[.]io) to create outbound connections to a random subdomain. |

Indicators of Compromise (IOCs)

List of public-facing networking devices exploited and associated CVEs:

  • Citrix Netscaler (CVE-2019-19781 and CVE-2023-3519)
  • F5 BIG-IP (CVE-2022-1388)
  • Pulse Secure/Ivanti VPNs (CVE-2024-21887)
  • PAN-OS firewalls (CVE-2024-3400)
  • Check Point Security Gateways (CVE-2024-24919)

Check for unauthorized install of:

  • “AnyDesk” remote access program
  • Meshcentral
  • Open source tunneling tool Ligolo (ligolo/ligolo-ng)
  • NGROK (ngrok[.]io), used to create outbound connections to a random subdomain
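To turn the monitoring guidance above (outbound traffic to suspicious domains, NGROK connections to random subdomains) into a repeatable check, here is an added example that is not code from the advisory or from Cyble: it scans constructed proxy log lines, flags random-subdomain ngrok.io destinations and a hypothetical watchlist domain, and rolls up hits and bytes sent per source host. The log format and the watchlist entry are assumptions.

```python
import re
from collections import defaultdict

# Random-subdomain ngrok endpoints, as described in the advisory (T1572).
NGROK_RE = re.compile(r"^[a-z0-9-]+\.ngrok\.io$")

# Hypothetical placeholder watchlist; populate from the advisory's IOC tables and your own intel.
WATCHLIST = {"c2-watchlist-domain.example"}

# Constructed sample proxy log (not real traffic), one entry per line:
# timestamp src_host dest_host dest_port bytes_out
SAMPLE_LOG = """\
2024-08-01T10:00:01Z ws-finance-07 updates.vendor.example 443 1200
2024-08-01T10:00:05Z srv-dc01 a1b2c3d4.ngrok.io 443 98231
2024-08-01T10:00:09Z ws-hr-03 cdn.vendor.example 443 4100
2024-08-01T10:01:12Z srv-web02 c2-watchlist-domain.example 443 8875
2024-08-01T10:02:30Z srv-dc01 e5f6g7h8.ngrok.io 443 120004
2024-08-01T10:03:00Z ws-hr-03 ngrok.io 443 300
"""

def classify(dest_host):
    """Label a suspicious destination, or return None if it looks benign."""
    host = dest_host.lower().rstrip(".")
    if NGROK_RE.match(host):          # bare ngrok.io (e.g. the website) does not match
        return "ngrok-tunnel"
    if host in WATCHLIST or any(host.endswith("." + w) for w in WATCHLIST):
        return "watchlist-domain"
    return None

def scan_log(text):
    """Return (findings, per-source rollup) for the suspicious entries in the log."""
    findings = []
    per_src = defaultdict(lambda: {"hits": 0, "bytes_out": 0})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, src, dest, port, nbytes = parts
        label = classify(dest)
        if label is None:
            continue
        findings.append({"ts": ts, "src": src, "dest": dest, "port": int(port), "label": label})
        per_src[src]["hits"] += 1
        per_src[src]["bytes_out"] += int(nbytes)
    return findings, dict(per_src)

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

A host that repeatedly reaches fresh ngrok subdomains with large outbound byte counts (srv-dc01 in the sample) is the pattern worth escalating first.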

IP Address and Domain Identifiers

The IP addresses and domains listed below were observed in use by the threat actors in the specified timeframes in 2024.


The table below reflects historical IP addresses and domains associated with these actors.


The FBI also listed bitcoin addresses linked to the Iranian threat actors.


Source: https://cyble.com/blog/iranian-state-sponsored-hackers-have-become-access-brokers-for-ransomware-gangs/