
Iranian Hackers Target US in Ransomware and Espionage Attacks

New Reports and Joint Advisory Warn of Growing Cybersecurity Threats Linked to Iran
The Azadi Tower in Tehran, Iran, in an April 2018 photo (Image: Shutterstock)

Iranian government threat actors have launched a series of recent ransomware attacks and cyberespionage campaigns targeting the public and private sectors in the United States and United Arab Emirates, according to new research and a federal advisory published Wednesday.


The Iran-based cyber group known as Pioneer Kitten, UNC757 and Rubidium - among other monikers - has compromised organizations including U.S. schools, financial institutions, healthcare facilities and municipal governments since 2017 and as recently as August, according to a joint cybersecurity advisory published by the FBI, Cybersecurity and Infrastructure Security Agency and the Department of Defense Cyber Crime Center. The advisory warns network operators that a significant focus of the group's cyber activity targeting U.S. entities "is in furtherance of obtaining and maintaining technical access to victim networks to enable future ransomware attacks."

The FBI previously observed the Iranian threat actor conducting hack-and-leak cyberattacks in late 2020, including the Pay2Key ransomware campaign that targeted vulnerable Remote Desktop Protocol connections in Windows devices to gain an initial foothold in victim networks (see: Pay2Key Ransomware Campaign Tied to Iran). The bureau said the hacking group is also seeking to "steal sensitive information from these networks," particularly from U.S. defense sector networks and those in Israel, Azerbaijan and the U.A.E.

The advisory says Pioneer Kitten typically gains access to victim networks by exploiting remote external services on internet-facing assets. As of July 2024, the group has been observed scanning IP addresses that host Check Point Security Gateways, searching for devices potentially vulnerable to the flaw tracked as CVE-2024-24919. The group was also observed conducting mass scans of IP addresses hosting Palo Alto Networks PAN-OS and GlobalProtect VPN devices.

The advisory comes amid multiple new reports on Iran's counterintelligence efforts and custom malware campaigns, including a Microsoft report published Wednesday that details how the Iranian state-sponsored group known as Peach Sandstorm deployed a custom multistage backdoor named Tickler between April and July. The company linked Peach Sandstorm's operations to the Iranian Islamic Revolutionary Guard Corps and said it observed potential social engineering on LinkedIn targeting higher education, satellite and defense organizations.

Mandiant, a Google-owned threat intel firm, revealed new findings Wednesday about a suspected Iran-linked counterintelligence operation aimed at identifying Iranians potentially interested in collaborating with foreign intelligence, particularly Israeli agencies.

The cybersecurity firm said the campaign was linked to the Iranian regime and showed some overlap with the Iran-linked threat actor known as APT42, which is suspected of working for the IRGC Intelligence Organization. Mandiant said it found no connection between the campaign and any U.S. election security risks. It said the suspected counterintelligence operations started as early as 2017 and lasted at least until March 2024.

Mandiant found that the attackers created several social media accounts to spread links to fake recruitment websites on platforms such as X - formerly Twitter - and Virasty, which is popular in Iran.

When the victim users visited the fake sites, they were shown information about human resources firms that claimed to recruit employees and officers from Iran's intelligence and security agencies. Posing as legitimate firms, the sites used names such as Optima HR or Kandovan HR and required candidates to have documented experience in information and cyber roles within relevant institutions and organizations.


About the Author

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.
