An Iranian state-sponsored hacking group has begun selling access to compromised corporate networks on underground hacking forums, according to the cybersecurity company Crowdstrike.
The group is tracked under the code name Pioneer Kitten, but is also known as Fox Kitten or Parisite.
According to Crowdstrike, these hackers work on behalf of the Iranian regime, and during 2019 and 2020 they targeted corporate networks by exploiting vulnerabilities in VPN servers and networking equipment, such as:
- Pulse Secure's Pulse Connect Secure corporate VPN (CVE-2019-11510)
- Fortinet FortiGate SSL VPN servers running FortiOS (CVE-2018-13379)
- Palo Alto Networks GlobalProtect VPN servers (CVE-2019-1579)
- Citrix ADC (formerly NetScaler ADC) and Citrix Gateway appliances (CVE-2019-19781)
- F5 Networks BIG-IP load balancers (CVE-2020-5902)
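Four of the five bugs in this list are path-traversal flaws in the appliances' web front ends, so the exploitation attempts leave recognisable request paths in the device's HTTP access log. The script below is an added example written for this article, not code from Crowdstrike, Dragos or any of the vendors: it scans Apache/nginx-style combined-format log lines for the publicly documented request patterns of CVE-2019-11510, CVE-2018-13379, CVE-2019-19781 and CVE-2020-5902, URL-decoding each path first so that an encoded `%2e%2e` is not missed. The log lines are constructed for the example and the `SIGNATURES` table, `scan_log` function and field names are this example's own; CVE-2019-1579 is deliberately left out because it is a memory-corruption bug in GlobalProtect's `sslmgr` component that a URI signature does not catch reliably.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). One probe per
# path-traversal CVE from the list above, plus two benign requests.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jul/2020:10:01:12 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Jul/2020:10:01:15 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1904 "-" "python-requests/2.22.0"
198.51.100.7 - - [14/Jul/2020:10:02:03 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 8192 "-" "curl/7.64.1"
198.51.100.7 - - [14/Jul/2020:10:02:30 +0000] "POST /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "curl/7.64.1"
192.0.2.44 - - [14/Jul/2020:10:03:41 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 2231 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Jul/2020:10:04:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 14201 "-" "Mozilla/5.0"
"""

# Request-path signatures of the public exploits (matched after URL decoding).
# Example's own table; tune it against the traffic of your own appliances.
SIGNATURES = {
    # Pulse Connect Secure: the html5acc/guacamole prefix bypasses auth, then "../" traverses.
    "CVE-2019-11510": re.compile(r"/dana/html5acc/guacamole/.*\.\./"),
    # FortiOS SSL VPN: fgt_lang's lang= parameter traverses out of the language directory.
    "CVE-2018-13379": re.compile(r"/remote/fgt_lang\?lang=.*\.\./"),
    # Citrix ADC/Gateway: "/vpn/../vpns/" reaches unauthenticated Perl scripts.
    "CVE-2019-19781": re.compile(r"/vpn/\.\./vpns/"),
    # F5 BIG-IP TMUI: the "..;/" segment confuses the front end and Java backend.
    "CVE-2020-5902": re.compile(r"\.\.;/"),
    # CVE-2019-1579 (GlobalProtect sslmgr format string) intentionally absent:
    # the trigger is in the request body, which access logs do not record.
}

# Combined log format: client, ident, user, [timestamp], "METHOD path PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def scan_lines(lines):
    """Return one hit dict per log line whose decoded request path matches a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore rather than crash
        # Decode once so "%2e%2e/" and "../" are treated identically.
        path = unquote(m.group("path"))
        for cve, sig in SIGNATURES.items():
            if sig.search(path):
                status = int(m.group("status"))
                hits.append({
                    "cve": cve,
                    "src": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": status,
                    # A 2xx on a traversal probe means the appliance answered it,
                    # i.e. it was most likely unpatched at the time.
                    "likely_success": 200 <= status < 300,
                    "path": path,
                })
                break
    return hits


def scan_log(text):
    """Convenience wrapper: scan a whole log file given as one string."""
    return scan_lines(text.splitlines())


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        flag = "LIKELY SUCCESS" if h["likely_success"] else "probe"
        print(f"{h['ts']} {h['src']:<14} {h['cve']:<15} {flag:<14} {h['path']}")
```

Run it against a real appliance log with `scan_log(open(path).read())`; a hit with `likely_success` set is the case that matters for this article, since an answered traversal request is exactly the foothold the group is described as installing a backdoor behind and later reselling. Because the signatures are deliberately narrow, a clean run does not prove the appliance was never exploited; it only shows these specific probe shapes were not logged.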
According to a report by the cybersecurity company Dragos, the Iranian hackers were breaching network devices through the vulnerabilities above, installing backdoors, and then handing the access to other Iranian hacking groups, such as APT33 (Shamoon), OilRig (APT34) or Chafer.
Those groups then build on the initial access that Pioneer Kitten obtained, moving deeper into the networks with more advanced malware and exploits. Their goal is to find and steal sensitive information that may be of interest to the Iranian government.
However, in a report published today, Crowdstrike states that Pioneer Kitten has been active on hacking forums since July 2020 and is trying to sell access to some of the networks it breached.
Crowdstrike believes the group is simply trying to generate revenue from networks that likely have no value to Iranian intelligence services, that is, networks that hold no useful information.
The classic targets of Iranian state-funded hacking groups are companies and governments in the United States, Israel and Arab countries in the Middle East, and the sectors of interest are usually defense, healthcare, technology and government. Everything else is probably of no interest to the Iranian government, so it is sold on hacking forums.
Pioneer Kitten's biggest customers are usually ransomware gangs.