Iranian-linked hackers collaborate with ransomware affiliates, feds say
Iranian-sponsored hackers are acting as access brokers for ransomware affiliates like ALPHV, U.S. intelligence agencies warned in a joint alert Wednesday.
The FBI, the Cybersecurity and Infrastructure Security Agency, and the Department of Defense’s Cyber Crime Center said in an advisory that hackers with likely sponsorship from Iran are moonlighting with notable ransomware affiliates and seeking out network access to organizations in education, finance, health care, and defense. The hackers then collaborate with the affiliates to help deploy ransomware in exchange for a cut of the extortion proceeds, the alert said.
The joint advisory is the latest Iranian-backed operation highlighted by cybersecurity firms and intelligence agencies, following a slew of reports within the past few weeks. On Wednesday, Microsoft revealed that the Iranian actor Peach Sandstorm deployed backdoor malware against organizations in the satellite, oil and natural gas, and communications sectors of the United States and the United Arab Emirates.
Last week, national security officials pointed the finger at Iran for trying to infiltrate the Trump presidential campaign days before Meta deleted several WhatsApp accounts associated with the campaign.
The intelligence agencies said Wednesday that the group — dubbed Pioneer Kitten or Lemon Sandstorm by cybersecurity researchers — has been operational since 2017, targeting U.S. organizations and municipal governments. Pioneer Kitten doesn’t appear to reveal its Iranian sponsorship and is “intentionally vague as to their nationality and origin” in discussions with ransomware affiliates, the alert said.
The advisory noted that Pioneer Kitten has collaborated with NoEscape, RansomHouse, and ALPHV, also known as BlackCat. ALPHV is one of the more dangerous ransomware affiliates, best known for its February attack on Change Healthcare and its involvement in the Las Vegas casino hacks last year. It’s not yet clear which victims were initially accessed by Pioneer Kitten.
Separate from extortion, Pioneer Kitten also conducts cyber activity benefiting its sponsor that is not of significant interest to its ransomware contacts. When not moonlighting, Pioneer Kitten intrudes into the networks of organizations in Israel and Azerbaijan to pilfer “sensitive technical data,” the advisory said.
The group uses the Iranian IT company name “Danesh Novin Sahand” as a cover entity, the alert noted, adding that the hackers use internet-scanning tools like Shodan to identify vulnerabilities in internet-exposed devices such as Ivanti VPNs and Citrix NetScaler appliances.