Pioneer Kitten: A New Iranian Cyber Threat Group Emerges

U.S. Cyber Command is warning the private sector about the “reckless” activities of a new Iranian hacker group. According to both the cybersecurity firm Crowdstrike and the FBI, Pioneer Kitten, as the group is known, poses a particularly significant national security threat not only because its targets possess sensitive information sought by the regime in Iran, but also because it sells access to compromised systems.

Active since at least 2017, Pioneer Kitten, also known as Fox Kitten or Parisite, targets primarily Israeli and U.S. entities using known but only recently disclosed vulnerabilities in remote external services and virtual private networks. The group accomplishes this task through a tactic called secure shell tunneling, which allows the attacker to use stolen credentials to bypass a company’s firewall, remotely connect to a secure computer network, and export sensitive data.

Pioneer Kitten uses open-source tools, not zero-day exploits, thus leveraging the delay between vulnerability disclosures and when large companies patch their systems. While Pioneer Kitten is opportunistic and has targeted companies in diverse sectors ranging from healthcare to manufacturing, technology, and defense, Crowdstrike assesses that all of the targets have one thing in common: They possess the type of sensitive information that Iranian intelligence seeks.

One former U.S. government cyber analyst explained that this group acts as the tip of the spear, providing a beachhead for other Iranian cyber threat actors to exploit. Industrial cybersecurity firm Dragos assesses that the group “serves as the initial access group and enables further operations” for other Iranian threat actors. In other words, Pioneer Kitten digs the tunnel and then lets other Iranian hacker groups come in to gather data or plant malware.

At the same time, however, the group appears to be engaged in activities that would undermine its utility to the Iranian government. U.S. Cyber Command confirmed that the group has tried to sell access “despite likely negative impacts to potential intelligence collection.” Hackers looking to make a quick sale will often advertise their access controls to other hackers on hacker forums.

Astute network defenders patrol these forums looking for advertised credentials to their networks so that they can suspend that access point and patch the computer network, which will kick anyone using that access point off of the network. Concomitantly, if Pioneer Kitten sells access to clumsier criminal hackers, network defenders will be more likely to discover not only the criminals but also the Iranian intelligence assets and kick them both out of the network.

Pioneer Kitten’s conduct leads Crowdstrike and CYBERCOM to conclude that while the group is aligned with and working on behalf of the regime in Iran, it is not a government entity. This view is consistent with prior assessments that Tehran depends on contractors and domestic hacking groups to conduct cyber operations on behalf of the state.

This structure forces the United States to continually reassess the tools it uses to combat malign cyber activity. To date, Washington has relied heavily on indictments and sanctions to punish and deter Iranian cyberattacks. Indictments, however, may have limited value against individual actors whom their government will not extradite. Likewise, while sanctions against individual hackers and regime decisionmakers are important tools for persuading actors to adhere to cyber “norms and punish[ing] those who violate them,” according to the Cyberspace Solarium Commission, it is not clear that they have changed Iran’s – or any other nation state’s – cost-benefit analysis.

Therefore, U.S. and allied national security may be better served if Washington also focuses on coordinating with the tech industry and the broader private sector to minimize the delay between vulnerability disclosure and system patching. In so doing, the United States can ensure that actors such as Pioneer Kitten find that their tunnels lead to nowhere.

Annie Fixler is deputy director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Trevor Logan is a cyber research analyst. For more analysis from Annie, Trevor, and CCTI, please subscribe HERE. Follow Annie and Trevor on Twitter @afixler and @TrevorLoganFDD. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.