About Pioneer Kitten
Pioneer Kitten is an Iranian government backed APT (Advanced Persistent Threat) group, also known as Fox Kitten or Parisite. It has been active since at least 2017. It is believed that the group is not operated by the Iranian government. Rather it is thought that the group is contracted by the government to support its needs. Consequently, the group’s main aim has been gaining and maintaining access to companies that possess information of interest to the government.
Selling Access to Hacked Networks
Recently, however, Pioneer Kitten has also been observed selling the fruits of some of its exploits on the dark web. According to a Crowdstrike report, the group is now also selling access to some compromised company networks to boost income. The report supposes the group is monetizing access data it has acquired with no intelligence value to the Iranian government. “In late July 2020, an actor assessed to be associated with PIONEER KITTEN was identified as advertising to sell access to compromised networks on an underground forum.” the report states. “That activity is suggestive of a potential attempt at revenue stream diversification on the part of PIONEER KITTEN, alongside its targeted intrusions in support of the Iranian government,” continues the report. Interestingly, the group previously only provided such initial network access data to other Iranian APT groups to exploit. These have included APT33 (aka Shamoon, Magnallium, Elfin), APT34 (aka Helix Kitten, Oilrig) and APT39 (aka Chafer, Remix Kitten). Since July, however, the group has been observed selling such information to any interested hackers on underground forums.
Attack Method
Pioneer Kitten’s attack method is rather opportunistic and mainly involves breaching enterprise VPNs using open-source tools and known vulnerabilities. The report explains that the group’s “tradecraft is characterized by a pronounced reliance on exploits of remote external services on internet-facing assets to achieve initial access to victims, as well as an almost total reliance on open-source tooling during operations.” This attack technique is commonly deployed by Iranian APT groups to install backdoors into companies’ networks. Over the last couple of years, Pioneer Kitten has exploited multiple vulnerabilities in VPNs and networking equipment to attack companies around the world. The vulnerabilities used include:
CVE-2018-13379 – Fortinet VPN servers running FortiOS SSL VPN web portal CVE-2019-1579 – Palo Alto Networks Global Protect VPN CVE-2019-11510 – Pulse Secure VPN servers CVE-2019-19781 – Citrix ADCs and network gateways CVE-2020-5902 – F5 Networks BIG-IP load balancers
The group’s attack method also leverages open-source tools such as Ngrok, which is used for secure tunneling. In addition, they have used the custom tool SSHMinion to communicate with malware deployed on target networks.
Pioneer Kitten’s Targets
The group’s targets include companies and governments from a long list of countries. These include the US, Israel, Germany, Australia, France, Austria, Finland, Hungary, Italy, Kuwait, Lebanon, Malaysia, Poland, Saudi Arabia and UAE. Their target sectors include “technology, government, defense, healthcare, aviation, media, academic, engineering, consulting and professional services, chemical, manufacturing, financial services, insurance, and retail.” However, their attacks are mostly aimed at governments as well as defense, technology and healthcare organizations. They have primarily targeted North American and Israeli organizations that represent some intelligence value to the Iranian government.