Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations
Summary:
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) have released a joint advisory warning about a group of Iran-based cyber actors that has conducted a high volume of computer network intrusion attempts against U.S. and foreign organizations since 2017, with activity observed as recently as August 2024, targeting schools, municipal governments, financial institutions, and healthcare facilities. The group, tracked as Pioneer Kitten (aka Fox Kitten, UNC757, Parisite, Rubidium, and Lemon Sandstorm), is assessed by the FBI to be associated with the Government of Iran (GOI); the FBI notes that Pioneer Kitten has conducted network exploitation activity in support of the GOI, such as intrusions enabling the theft of sensitive technical data from organizations in Israel and Azerbaijan. To help organizations defend against Pioneer Kitten, the FBI, CISA, and DC3 have published the group’s tactics, techniques, and procedures (TTPs) in detail, along with a list of indicators of compromise (IOCs) associated with Pioneer Kitten intrusions.
Security Officer Comments:
A significant percentage of Pioneer Kitten’s US-focused cyber activity has been directed at obtaining and maintaining technical access to victim networks in order to enable follow-on ransomware attacks. Pioneer Kitten has been observed collaborating directly with ransomware affiliates, providing them with full domain control privileges and domain admin credentials for numerous networks worldwide. Notable affiliates include NoEscape, Ransomhouse, and ALPHV (aka BlackCat). Beyond providing initial access, Pioneer Kitten has worked closely with these groups to lock victim networks and to strategize on approaches for extorting victims; according to the FBI, Pioneer Kitten receives a percentage of the ransom payment for every successful ransomware deployment. While Pioneer Kitten has a history of working with ransomware affiliates, it is important to note that this group also “directs their activity towards countries and organizations consistent with Iranian state interests, and typically not of interest to the group’s ransomware affiliate contacts, such as U.S. defense sector networks, and those in Israel, Azerbaijan, United Arab Emirates. Instead, it is intended to steal sensitive information from these networks, suggesting the group maintains an association with the GOI,” according to the FBI.
Suggested Corrections:
The FBI and CISA recommend all organizations implement the following mitigations:
Link(s):
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a