Iranian State Hackers Facilitate Ransomware Gangs as Access Middlemen


Iranian Cyber Actors Collaborate with Ransomware Groups to Target U.S. and Allies: Warning from FBI, CISA, and DC3

A shadowy group of Iranian cyber actors has been exposed by a joint warning from the FBI, CISA, and the Department of Defense Cyber Crime Center (DC3), revealing their involvement in access brokering for ransomware gangs. These state-sponsored operatives, tracked under aliases including “Pioneer Kitten”, have been collaborating with ransomware affiliates to target critical sectors in the U.S. and its allies since 2017.

The Iranian actors have intensified their activities over the years, focusing on sectors such as education, finance, healthcare, and defense, as well as government entities. By selling access to ransomware groups like NoEscape and BlackCat, they enable more effective ransomware attacks and share in the profits received in cryptocurrency.

Moreover, these actors have been exploiting vulnerabilities in widely used networking devices to gain initial access and maintain persistence within victim networks. They have also engaged in hack-and-leak campaigns, targeting countries such as Israel to cause political and social disruption.

To combat these threats, organizations are advised to review their logs for malicious IP addresses, apply patches to known vulnerabilities, and validate security controls against the MITRE ATT&CK framework. Increased vigilance is crucial across all sectors, as the collaboration between Iranian cyber actors and ransomware groups blurs the line between cybercrime and state-sponsored espionage. National security remains at risk, making it imperative for entities to stay vigilant against evolving cyber threats.
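The first recommendation above, reviewing logs for known-malicious IP addresses, is easy to do badly with a plain string search (partial-octet matches, no CIDR support). The script below is an added illustration written for this article, not code from the advisory or from any of the agencies named; the indicator list and log lines are constructed placeholders drawn from the RFC 5737 documentation ranges, not IoCs from the warning. It extracts every IPv4 address from each log line, validates it, and matches it against both single-host and CIDR indicators using Python's standard `ipaddress` module.

```python
"""Match source IPs in log lines against an indicator list of IPs and CIDR blocks."""
import ipaddress
import re
from collections import Counter

# Constructed indicator list: placeholder values from documentation ranges,
# NOT indicators published in the advisory. Replace with the real feed.
INDICATORS = [
    "198.51.100.23",      # single host (TEST-NET-2)
    "203.0.113.0/28",     # CIDR block, covers .0 through .15 (TEST-NET-3)
]

# Constructed sample log lines: Apache combined-style web hits and syslog sshd entries.
SAMPLE_LOGS = """\
198.51.100.23 - - [10/Aug/2024:13:55:36 +0000] "GET /login HTTP/1.1" 200 5123
192.0.2.44 - - [10/Aug/2024:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024
Aug 10 13:56:01 vpn01 sshd[2231]: Accepted password for admin from 203.0.113.9 port 51234 ssh2
Aug 10 13:57:12 vpn01 sshd[2240]: Failed password for root from 192.0.2.77 port 40011 ssh2
198.51.100.23 - - [10/Aug/2024:14:01:02 +0000] "POST /admin HTTP/1.1" 404 220
"""

# Dotted-quad candidates only; lookarounds stop "1.2.3.4.5" or "10.0.0.1234"
# from yielding a bogus partial match. IPv6 is out of scope for this example.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def compile_indicators(indicators):
    """Turn IP/CIDR strings into ip_network objects; a bare IP becomes a /32."""
    return [ipaddress.ip_network(i, strict=False) for i in indicators]


def extract_ips(line):
    """Return every syntactically valid IPv4 address found in a log line."""
    found = []
    for cand in IPV4_RE.findall(line):
        try:
            found.append(ipaddress.ip_address(cand))
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
    return found


def match_indicator(ip, networks):
    """Return the first indicator network containing ip, or None."""
    for net in networks:
        if ip in net:
            return net
    return None


def scan_logs(log_text, indicators=INDICATORS):
    """Scan every line of log_text against the indicator list.

    Returns (hits, counts):
      hits   -- list of (line_number, ip, indicator, line) for each match
      counts -- Counter mapping indicator string -> number of hits
    """
    networks = compile_indicators(indicators)
    hits = []
    counts = Counter()
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for ip in extract_ips(line):
            net = match_indicator(ip, networks)
            if net is not None:
                hits.append((lineno, str(ip), str(net), line))
                counts[str(net)] += 1
    return hits, counts


if __name__ == "__main__":
    hits, counts = scan_logs(SAMPLE_LOGS)
    for lineno, ip, net, line in hits:
        print(f"line {lineno}: {ip} matched {net}: {line}")
    print("hits per indicator:", dict(counts))
```

Run against the constructed logs it reports three hits: two from the single-host indicator and one from the /28 block, while the two 192.0.2.x lines are ignored. In a real review, feed it the advisory's published indicators and the full retention window of VPN, firewall, and web logs, since an initial-access broker's activity may predate the ransomware deployment by weeks.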
