Cybersecurity experts say a hacking group suspected to be an Iranian state-sponsored entity is selling access to compromised organization networks.
The group, code named Pioneer Kitten, has been active since at least 2017 and is focused on gaining and maintaining access to entities possessing sensitive information of likely intelligence interest to the Iranian government,” cybersecurity firm CrowdStrike wrote in a blog.
Pioneer Kitten, which also goes by PARISITE, UNC757 and Fox Kitten, relies on exploits of remote external services on internet-facing assets and open-source tooling to get initial access to victims, according to CrowdStrike.
The adversary is particularly interested in exploits related to VPNs and network appliances, including CVE-2019-11510, CVE-2019-19781, and most recently CVE-2020-5902; reliance on exploits such as these lends to an opportunistic operational model.
PIONEER KITTEN’s namesake operational characteristic is its reliance on SSH tunneling, through open-source tools such as Ngrok and the adversary’s custom tool SSHMinion, for communication with implants and hands-on-keyboard activity via Remote Desktop Protocol (RDP).
In July, an individual associated with the group was observed trying to sell access to compromised networks on an underground internet forum. Information from the victims’ networks would be of “significant intelligence value” to Iran’s government, CrowdStrike reports.
However, CrowdStrike doesn’t believe Iran sanctioned the activity, since the commercial sale of the access would have negative impacts on intelligence collection.
Targets included organizations in North America and Israel, including technology, government, defense, healthcare, aviation, media, academic, engineering, consulting, professional services, chemical, manufacturing, financial services, insurance and retail.
However, the areas of most interest are technology, government, defense and healthcare. The group could be casting a wide net in a move to diversify its revenue stream, CrowdStrike says.
ZDNet reports that other cybersecurity firms have observed the group breaching network devices using the same vulnerabilities, planting backdoors and providing access to other hacking groups.