A suspected Iranian state-backed group appears to have been moonlighting to drive additional income, according to a new report from CrowdStrike.
The security vendor claimed that the newly discovered Pioneer Kitten has been active since at least 2017 and is mainly focused on stealing intelligence which would be strategically useful to Tehran.
However, it is more likely to be a contractor than directly government employed, according to CrowdStrike senior intelligence analyst, Alex Orleans. This is because there’s evidence that the group has recently been advertising its wares on underground forums, in particular, access to compromised networks.
“That activity is suggestive of a potential attempt at revenue stream diversification on the part of Pioneer Kitten, alongside its targeted intrusions in support of the Iranian government,” Orleans argued. As such, it usually targets healthcare, government, technology and defense firms.
The group itself is said to favor exploits of remote, internet-connected external services and open source tooling.
“The adversary is particularly interested in exploits related to VPNs and network appliances, including CVE-2019-11510, CVE-2019-19781, and most recently CVE-2020-5902; reliance on exploits such as these lends to an opportunistic operational model,” Orleans continued.
“Pioneer Kitten’s namesake operational characteristic is its reliance on SSH tunnelling, through open-source tools such as Ngrok and the adversary’s custom tool SSHMinion, for communication with implants and hands-on-keyboard activity via Remote Desktop Protocol (RDP).”
Some of the listed CVEs exploited by the group tie to bugs in products from Pulse Secure and Citrix which were widely exploited earlier this year, notably in ransomware attacks.
Pioneer Kitten’s targets so far have been located mainly in North America and Israeli, according to CrowdStrike. The group is also known by the monikers “Parasite,” "UNC757,” and “Fox Kitten."