
Joint cybersecurity advisory warns of attacks originating from Iran



According to a new joint advisory from the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and the Department of Defense Cyber Crime Center, a specific Iranian hacker group has carried out a large volume of computer network intrusion attempts against U.S. organizations since 2017, most recently in August.

The group – known as Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM and Lemon Sandstorm – collaborates with ransomware gangs like ALPHV, also known as BlackCat, a group responsible for numerous cybersecurity attacks on the healthcare industry.

WHY IT MATTERS

According to the agencies' advisory, the Iranian threat actor group has gone by the moniker "Br0k3r" and, since 2024, "xplfinder."

While the FBI has previously observed Iran-linked activity in hack-and-leak campaigns, the agency has recently identified the group as working directly with the ransomware affiliates ALPHV, NoEscape and Ransomhouse.

Beyond handing affiliates full domain control of compromised networks, the Iranian actors work closely with them to lock victim networks and devise extortion strategies. Their goal, the agencies said, is to enable the encryption operations in exchange for a percentage of the ransom payments.

According to the warning, the actors did not disclose their location to their ransomware contacts and were deliberately vague about their nationality and origin.

The agencies said that as of July, these actors were observed "scanning IP addresses hosting Check Point Security Gateways, probing for devices potentially vulnerable to CVE-2024-24919."

Since April, the actors have been conducting mass scans of IP addresses hosting Palo Alto Networks PAN-OS and GlobalProtect VPN devices, "likely conducting reconnaissance" and probing for devices vulnerable to remote code execution.
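The scanning described above is visible from the perimeter as one source touching many distinct hosts on VPN and gateway ports in a short window. The following is an added example, not code from the advisory or from the agencies, that flags such sweeps in firewall logs. The log line format and the sample lines are constructed for this example, and the choice of ports (443 for GlobalProtect portals and Check Point web-facing services, 4443 as an assumed alternate GlobalProtect port) is an assumption to be adjusted to the local environment.

```python
"""
Added example: flag sources that sweep many distinct hosts on VPN/gateway
ports within a short window, which is what the mass scanning described in
the advisory looks like from a perimeter firewall.

Log format is hypothetical, constructed for this example:
    <ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port> <action>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports where externally reachable VPN/gateway services commonly listen.
# 443 covers GlobalProtect portals/gateways and Check Point web-facing
# services; 4443 is an assumed alternate GlobalProtect port. Adjust locally.
EDGE_PORTS = {443, 4443}

# Constructed sample log: 203.0.113.7 sweeps six hosts on edge ports within
# four minutes; 198.51.100.9 is an ordinary user returning to one portal.
SAMPLE_LOG = """\
2024-07-01T09:00:01Z 203.0.113.7 192.0.2.10 443 accept
2024-07-01T09:00:02Z 198.51.100.9 192.0.2.10 443 accept
2024-07-01T09:00:40Z 203.0.113.7 192.0.2.11 443 drop
2024-07-01T09:01:15Z 203.0.113.7 192.0.2.12 443 drop
2024-07-01T09:01:50Z 203.0.113.7 192.0.2.13 4443 drop
2024-07-01T09:02:30Z 203.0.113.7 192.0.2.14 443 drop
2024-07-01T09:03:55Z 203.0.113.7 192.0.2.15 443 accept
2024-07-01T09:05:00Z 198.51.100.9 192.0.2.10 443 accept
2024-07-01T09:20:00Z 203.0.113.7 192.0.2.40 22 drop
"""


def parse_log(text):
    """Return a list of (timestamp, src, dst, port); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, _action = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            events.append((when, src, dst, int(port)))
        except ValueError:
            continue
    return events


def find_scanners(text, window=timedelta(minutes=10), min_targets=5):
    """Return {src_ip: max distinct edge-port hosts contacted within any `window`}
    for sources that reach `min_targets` or more, i.e. that look like a sweep.
    Accepted and dropped connections both count: a probe that was dropped is
    still reconnaissance worth knowing about."""
    by_src = defaultdict(list)
    for when, src, dst, port in parse_log(text):
        if port in EDGE_PORTS:
            by_src[src].append((when, dst))

    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        best = 0
        start = 0
        for end in range(len(hits)):
            # Slide the window start so hits[start..end] spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: contacted {n} distinct hosts on edge ports within 10 minutes")
```

The threshold and window are deliberately conservative; a source that sweeps a whole address range in minutes will exceed them by a wide margin, while a single user reconnecting to one portal never will. Hits on ports outside the edge set (the port 22 line above) are ignored so that unrelated noise does not inflate the count.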

The advisory also provides additional technical details and updates a previous advisory on Iranian exploitation of VPN vulnerabilities that the FBI and CISA first published in 2020.

The agencies recommend that organizations implement the listed mitigations to reduce the likelihood and impact of intrusion by these Iranian actors.

“These mitigations are consistent with the Interagency Cybersecurity Performance Objectives developed by CISA and the National Institute of Standards and Technology,” they noted.

THE BIGGER TREND

Earlier this year, the FBI, CISA, and the Department of Health and Human Services revised the joint ALPHV Blackcat cybersecurity alert to address new indicators of compromise targeting the healthcare sector.

“As of mid-December 2023, of the nearly 70 victims of the leak, the healthcare sector was the most affected,” they said.

While the FBI said it had seized the Russia-based ALPHV darknet site and infrastructure late last year, the ransomware group claimed to have stolen 6TB of Change Healthcare data following the massive attack and outage at the claims processing company in February.

ON THE RECORD

“Iranian hackers’ initial intrusions relied on exploiting remote external services on internet-connected assets to gain initial access to the victim’s network,” FBI and CISA officials said in the advisory.

Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]

Healthcare IT News is a publication of HIMSS Media.

The HIMSS Healthcare Cybersecurity Forum is scheduled to take place October 31 through November 1 in Washington, DC.
