Iranian-sponsored hackers are acting as access brokers for ransomware affiliates like ALPHV, U.S. intelligence agencies warned in a joint alert Wednesday.

The FBI, the Cybersecurity and Infrastructure Security Agency, and the Department of Defense’s Cyber Crime Center said in an advisory that hackers with likely Iranian sponsorship are moonlighting with notable ransomware affiliates, seeking out network access to organizations in education, finance, health care, and defense. The hackers then collaborate with the affiliates to help deploy ransomware in exchange for a cut of the extortion proceeds, the alert said.

The joint advisory is the latest Iranian-backed operation highlighted by cybersecurity firms and intelligence agencies, following a slew of reports within the past few weeks. On Wednesday, Microsoft revealed that the Iranian actor Peach Sandstorm deployed backdoor malware against organizations in the satellite, oil and natural gas, and communications sectors of the United States and the United Arab Emirates.

Last week, national security officials pointed the finger at Iran for trying to infiltrate the Trump presidential campaign days before Meta deleted several WhatsApp accounts associated with the campaign.

The intelligence agencies said Wednesday that the group — dubbed Pioneer Kitten or Lemon Sandstorm by cybersecurity researchers — has been operational since 2017, targeting U.S. organizations and municipal governments. Pioneer Kitten doesn’t appear to reveal its Iranian sponsorship and is “intentionally vague as to their nationality and origin” in discussions with ransomware affiliates, the alert said.

The advisory noted that Pioneer Kitten has collaborated with NoEscape, Ransomhouse, and ALPHV, also known as BlackCat. ALPHV is one of the more dangerous ransomware affiliates, best known for its February attack on Change HealthCare and its involvement in the Las Vegas casino hacks last year. It’s not yet clear which victims were initially accessed by Pioneer Kitten.

Separate from extortion, Pioneer Kitten also conducts cyber activity benefiting its sponsor that is not of significant interest to its ransomware contacts. When not moonlighting, Pioneer Kitten intrudes into the networks of organizations in Israel and Azerbaijan to pilfer “sensitive technical data,” the advisory said.

The group uses the Iranian IT company name “Danesh Novin Sahand” as a cover entity, the alert noted, adding that the hackers use internet-scanning tools like Shodan to identify vulnerabilities on connected devices such as Ivanti VPNs and Citrix Netscaler.

The post Iranian-linked hackers collaborate with ransomware affiliates, feds say appeared first on CyberScoop.
