At a glance.
- Iranian cyberespionage actor conducts ransomware attacks on the side.
- Malicious Pidgin plugin delivers malware.
- US offers $2.5 million reward for alleged malware distributor.
Iranian cyberespionage actor conducts ransomware attacks on the side.
An Iranian state-sponsored threat actor tracked as "Pioneer Kitten" is collaborating with criminal ransomware groups for financial gain, according to a joint advisory issued by the US Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3). The threat actor operates under the cover of an IT company called "Danesh Novin Sahand." The FBI says "a significant percentage of these threat actors’ operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware." The threat actor has worked closely with the NoEscape, Ransomhouse, and ALPHV/BlackCat ransomware gangs.
The group also appears to be working as a contractor for the Iranian government, conducting cyberespionage operations "towards countries and organizations consistent with Iranian state interests, and typically not of interest to the group’s ransomware affiliate contacts, such as U.S. defense sector networks, and those in Israel, Azerbaijan, and the United Arab Emirates." The FBI notes that "the group’s ransomware activities are likely not sanctioned by the [Government of Iran], as the actors have expressed concern for government monitoring of cryptocurrency movement associated with their malicious activity."