Today, CISA—in partnership with the Federal Bureau of Investigation (FBI)
and the Department of Defense Cyber Crime Center (DC3)—released Iran-based
Cyber Actors Enabling Ransomware Attacks on U.S. Organizations. This joint
advisory warns of cyber actors, known in the private sector as Pioneer Kitten,
UNC757, Parisite, Rubidium, and Lemon Sandstorm, targeting and exploiting U.S.
and foreign organizations across multiple sectors in the U.S.
FBI investigations conducted as recently as August 2024 assess that cyber
actors like Pioneer Kitten are connected with the Government of Iran (GOI) and
linked to an Iranian information technology (IT) company. Their malicious cyber
operations are aimed at deploying ransomware attacks to obtain and develop
network access. These operations aid malicious cyber actors in further
collaborating with affiliate actors to continue deploying ransomware.
This advisory highlights similarities to a previous advisory, Iran-Based Threat
Actor Exploits VPN Vulnerabilities published on Sept. 15, 2020, and
provides known indicators of compromise (IOCs) and tactics, techniques, and
procedures (TTPs).
CISA and partners encourage critical infrastructure organizations to review
and implement the mitigations provided in this joint advisory to reduce the
likelihood and impact of ransomware incidents. For more information on Iranian
state-sponsored threat actor activity, see CISA’s Iran Cyber Threat Overview
and Advisories page.
See #StopRansomware along with the updated #StopRansomware Guide for additional guidance on ransomware protection, detection, and response. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.