A hacker group associated with the Iranian government is selling “access to compromised networks on an underground forum,” likely without Tehran’s blessing, according to research by threat intelligence firm CrowdStrike.
Why it matters: That these Iranian hackers were apparently caught trying to make money on the side may show the dangers of relying on likely underpaid contractors to conduct sensitive offensive cyber operations.
What’s happening: The group, which CrowdStrike has named “Pioneer Kitten,” has been active since 2017, with its last known activity occurring in July 2020.
- The group has focused on hacking North American and Israeli targets in the “technology, government, defense, healthcare, aviation, media, academic, engineering, consulting and professional services, chemical, manufacturing, financial services, insurance, and retail” sectors, says CrowdStrike, with a particular focus on government, defense and tech firms.
- Pioneer Kitten often goes after targets of opportunity, says CrowdStrike, such as unpatched devices, showing that an actor does not need advanced tactics to achieve operational results.
The intrigue: In late July, CrowdStrike observed someone associated with Pioneer Kitten selling access to hacked networks online.
- CrowdStrike believes this commercial activity would not have been sanctioned by Tehran and that Pioneer Kitten may therefore consist of contractors associated with the Iranian government — not actual intelligence officers.