A hacking group associated with the Iranian government has collaborated with several ransomware groups to attack US organizations for years, according to several US government agencies.
In an August 28 joint advisory, the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of Defense Cyber Crime Center (DC3) warned that Fox Kitten, an Iran-based advanced persistent threat (APT) group, has conducted a high volume of intrusion attempts against US organizations between 2017 and August 2024.
Victims include schools, municipal governments, financial institutions and healthcare facilities.
In an uncommon move, many of these operations were intended to enable further ransomware groups to compromise the targeted organizations, the three US agencies said.
Undercover Deals with NoEscape, RansomHouse and ALPHV/BlackCat
In the advisory, the FBI said it had long been aware that Fox Kitten had tried to monetize its access to target organizations on underground marketplaces.
“The actors offer full domain control privileges, as well as domain admin credentials, to numerous networks worldwide,” the agency wrote.
More recently, the FBI identified Fox Kitten’s further involvement in ransomware attacks, with the Iranian group directly collaborating with ransomware gangs, including NoEscape, RansomHouse and ALPHV/BlackCat, in exchange for a percentage of the ransom payments.
“The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims,” noted the advisory.
According to its investigation, the FBI believes Fox Kitten actors do not disclose to the ransomware gangs who they are and where they are located.
Iran-Sponsored Cyber Espionage Campaigns
The FBI also assessed that Fox Kitten conducts other cyber-attack campaigns unrelated to the ransomware-enabling ones.
These campaigns aim to steal sensitive information on behalf of the Iranian government from targets in the defense sectors in the US, Israel, Azerbaijan and the United Arab Emirates.
These targets are typically not of interest to the group’s ransomware affiliate contacts, the advisory noted.
For that, Fox Kitten leverages Danesh Novin Sahan, an Iran-registered company, likely as a cover IT entity.
While the group's ransomware activities and data theft are supposedly unrelated, the FBI believes that the data theft acts as a shield, allowing the group to evade Iranian government sanctions.
Fox Kitten’s Background
Fox Kitten is an Iran-based cyber espionage group active since at least 2017.
The group is also known by many other names, including Pioneer Kitten, Rubidium, Parasite and Lemon Sandstorm. Its activity aligns with a threat activity cluster that Mandiant tracks as UNC757.
The group also refers to itself as Br0k3r, and more recently, it has been operating under the moniker “xplfinder” in its communication channels.
Fox Kitten targets organizations in the Middle East, North Africa, Europe, Australia and North America.
Historically, the group’s initial intrusions have relied on exploiting remote external services, such as virtual private networks (VPNs), on internet-facing assets to gain initial access to victim networks.