Iranian-linked hackers collaborate with ransomware affiliates, feds say | CyberScoop<\/title> <meta name=\"description\" content=\"The group's side hustle may not have explicit permission from its Iranian government sponsor.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/iran-cisa-fbi-ransomware-advisory\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Iranian-linked hackers collaborate with ransomware affiliates, feds say\"> <meta property=\"og:description\" content=\"The group's side hustle may not have explicit permission from its Iranian government sponsor.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/iran-cisa-fbi-ransomware-advisory\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-08-28T16:48:21+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/iranian-linked-hackers-collaborate-with-ransomware-affiliates-feds-say-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Christian Vasquez\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@chrismvasq\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1721926675g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1724181137g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1724269863g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ada0ad45b21fc79c6694\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/81554\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.6.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=81554\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Firan-cisa-fbi-ransomware-advisory%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Firan-cisa-fbi-ransomware-advisory%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-81554 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/iran-cisa-fbi-ransomware-advisory\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"4.952380952381\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Voting is open for the 2024 CyberScoop 50 awards! <\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/vote\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"23.84\">\n<div class=\"single-article__header-content\" readability=\"27.943661971831\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/threats\/cybercrime\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> The group’s side hustle may not have explicit permission from its Iranian government sponsor. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/iranian-linked-hackers-collaborate-with-ransomware-affiliates-feds-say.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"Iranian flag waving with cityscape on background in Tehran, Iran. (Sir Francis Canker Photography\/Getty Images)\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/iranian-linked-hackers-collaborate-with-ransomware-affiliates-feds-say-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/iranian-linked-hackers-collaborate-with-ransomware-affiliates-feds-say-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/iranian-linked-hackers-collaborate-with-ransomware-affiliates-feds-say-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/iranian-linked-hackers-collaborate-with-ransomware-affiliates-feds-say-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/iranian-linked-hackers-collaborate-with-ransomware-affiliates-feds-say-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/iranian-linked-hackers-collaborate-with-ransomware-affiliates-feds-say-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/iranian-linked-hackers-collaborate-with-ransomware-affiliates-feds-say-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/iranian-linked-hackers-collaborate-with-ransomware-affiliates-feds-say-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/iranian-linked-hackers-collaborate-with-ransomware-affiliates-feds-say-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/iranian-linked-hackers-collaborate-with-ransomware-affiliates-feds-say-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Iranian flag waving with cityscape on background in Tehran, Iran. (Sir Francis Canker Photography\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"25.670719684522\"><body readability=\"54.653354013183\"><\/p>\n<p>Iranian-sponsored hackers are acting as access brokers for ransomware affiliates like ALPHV, U.S. intelligence agencies warned in a joint alert Wednesday.<\/p>\n<p>The FBI, Cybersecurity and Infrastructure Security Agency, and the Department of Defense\u2019s Cyber Crime Center <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa24-241a\">said in an advisory<\/a> that hackers with likely sponsorship from Iran are moonlighting with notable ransomware affiliates and seeking out network access to organizations in education, finance, health care, and defense. Those groups will then collaborate with the affiliates to help deploy ransomware for a cut of the extortion, the alert said.<\/p>\n<p>The joint advisory is the latest <a href=\"https:\/\/cyberscoop.com\/tag\/iran\/\">Iranian-backed operation<\/a> highlighted by cybersecurity firms and intelligence agencies, following a slew of reports within the past few weeks. On Wednesday, Microsoft revealed that the <a href=\"https:\/\/cyberscoop.com\/iranian-hackers-tickle-targets-in-us-uae-with-custom-tool-microsoft-says\/\">Iranian actor Peach Sandstorm<\/a> deployed backdoor malware on satellite, oil and natural gas, and communications sectors of the United States and United Arab Emirates.<\/p>\n<p>Last week, national security officials <a href=\"https:\/\/cyberscoop.com\/iran-trump-campaign-hack-odni-statement\/\">pointed the finger at Iran<\/a> for trying to infiltrate the Trump presidential campaign days before <a href=\"https:\/\/cyberscoop.com\/meta-iran-apt42-whatsapp-trump-campaign-hack\/\">Meta deleted several WhatsApp accounts<\/a> associated with the campaign.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The intelligence agencies said Wednesday that the group \u2014 dubbed Pioneer Kitten or Lemon Sandstorm by cybersecurity researchers \u2014 has been operational since 2017, targeting U.S. organizations and municipal governments. Pioneer Kitten doesn\u2019t appear to reveal its Iranian sponsorship and is \u201cintentionally vague as to their nationality and origin\u201d in discussions with ransomware affiliates, the alert said.<\/p>\n<p>The advisory noted that Pioneer Kitten has collaborated with NoEscape, Ransomhouse, and <a href=\"https:\/\/cyberscoop.com\/tag\/alphv\/\">ALPHV<\/a>, also known as BlackCat. ALPHV is one of the more dangerous ransomware affiliates, best known for its February <a href=\"https:\/\/cyberscoop.com\/ransomware-alphv-healthcare-pharmacies\/\">attack on Change HealthCare<\/a> and its involvement in the <a href=\"https:\/\/cyberscoop.com\/com-scattered-spider-tradecraft\/\">Las Vegas casino hacks<\/a> last year. It\u2019s not yet clear which victims were initially accessed by Pioneer Kitten.<\/p>\n<p>Separate from extortion, Pioneer Kitten also conducts cyber activity benefiting its sponsor that is not of significant interest to its ransomware contacts. When not moonlighting, Pioneer Kitten intrudes into the networks of organizations in Israel and Azerbaijan to pilfer \u201csensitive technical data,\u201d the advisory said.<\/p>\n<p>The group uses the Iranian IT company name \u201cDanesh Novin Sahand\u201d as a cover entity, the alert noted, adding that the hackers use internet-scanning tools like Shodan to identify vulnerabilities on connected devices such as Ivanti VPNs and Citrix Netscaler.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.1144708423326\">\n<div class=\"author-card\" readability=\"9\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/iranian-linked-hackers-collaborate-with-ransomware-affiliates-feds-say-1.jpg?w=640&ssl=1\" alt=\"Christian Vasquez\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Christian Vasquez<\/h4>\n<p> Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out: christian.vasquez at cyberscoop dot com <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/iran-cisa-fbi-ransomware-advisory\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Iranian-linked hackers collaborate with ransomware affiliates, feds say | CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[950,282,78,452,440,1351,293,669,302,281,513,46],"tags":[955,286,86,454,444,1353,299,671,306,285,517,54],"class_list":["post-5058","post","type-post","status-publish","format-standard","hentry","category-alphv","category-cybercrime","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-data-breaches","category-department-of-defense-dod","category-department-of-homeland-security-dhs","category-federal-bureau-of-investigation-fbi","category-geopolitics","category-hacking","category-iran","category-ransomware","tag-alphv","tag-cybercrime","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-data-breaches","tag-department-of-defense-dod","tag-department-of-homeland-security-dhs","tag-federal-bureau-of-investigation-fbi","tag-geopolitics","tag-hacking","tag-iran","tag-ransomware"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/alphv\/\" rel=\"category tag\">ALPHV<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/data-breaches\/\" rel=\"category tag\">data breaches<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-defense-dod\/\" rel=\"category tag\">Department of Defense (DOD)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-homeland-security-dhs\/\" rel=\"category tag\">Department of Homeland Security (DHS)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/federal-bureau-of-investigation-fbi\/\" rel=\"category tag\">Federal Bureau of Investigation (FBI)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/hacking\/\" rel=\"category tag\">hacking<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/iran\/\" rel=\"category tag\">Iran<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a>","tag_info":"ransomware","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5058","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5058"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5058\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5058"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5058"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5058"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":5058,"date":"2024-08-28T11:48:21","date_gmt":"2024-08-28T16:48:21","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=81554"},"modified":"2024-08-28T11:48:21","modified_gmt":"2024-08-28T16:48:21","slug":"iranian-linked-hackers-collaborate-with-ransomware-affiliates-feds-say","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/08\/28\/iranian-linked-hackers-collaborate-with-ransomware-affiliates-feds-say\/","title":{"rendered":"Iranian-linked hackers collaborate with ransomware affiliates, feds say"},"content":{"rendered":"