CISA Releases Advisory on Iran-based Ransomware Attacks

Organizations known as Pioneer Kitten, UNC757, Parisite, Rubidium, and Lemon Sandstorm are targeting multiple sectors in the U.S.

Online Safety And Security

The Cybersecurity and Infrastructure Security Agency, in partnership with the Federal Bureau of Investigation (FBI) and the Department of Defense Cyber Crime Center (DC3), released and advisory focused on Iran-based Cyber Actors Enabling Ransomware Attacks on U.S. Organizations. This joint advisory warns of cyber actors, known in the private sector as Pioneer Kitten, UNC757, Parisite, Rubidium, and Lemon Sandstorm, targeting and exploiting U.S. and foreign organizations across multiple sectors in the U.S.

FBI investigations conducted as recently as August 2024 assess that cyber actors like Pioneer Kitten are connected with the Government of Iran and linked to an Iranian information technology company. Their malicious cyber operations are aimed at deploying ransomware attacks to obtain and develop network access. These operations aid malicious cyber actors in further collaborating with affiliate actors to continue deploying ransomware. 

This advisory highlights similarities to a previous advisory, Iran-Based Threat Actor Exploits VPN Vulnerabilities published on Sept. 15, 2020, and provides known indicators of compromise and tactics, techniques, and procedures. 

CISA and partners encourage critical infrastructure organizations to review and implement the mitigations provided in this joint advisory to reduce the likelihood and impact of ransomware incidents. For more information on Iranian state-sponsored threat actor activity, see CISA’s Iran Cyber Threat Overview and Advisories page. 

More in Cybersecurity