Names | Parisite (Dragos) Fox Kitten (ClearSky) Pioneer Kitten (Crowdstrike) Cobalt Foxglove (SecureWorks) Rubidium (Microsoft) UNC757 (?) Lemon Sandstorm (Microsoft) | |
Country | Iran | |
Motivation | Information theft and espionage | |
First seen | 2017 | |
Description | “This group has operated since at least 2017 based on infrastructure Dragos identified,” the report explained. “Parisite serves as the initial access group and enables further operations for APT 33, Elfin, Magnallium.” (ClearSky) During the last quarter of 2019, the ClearSky research team uncovered a widespread Iranian offensive campaign which we call the “Fox Kitten Campaign”; this campaign has been conducted over the last three years against dozens of companies and organizations in Israel and around the world. Through the campaign, the attackers succeeded in gaining access and a persistent foothold in the networks of numerous companies and organizations from the IT, Telecommunication, Oil and Gas, Aviation, Government, and Security sectors around the world. During our analysis, we found an overlap, with medium-high probability, between this campaign’s infrastructure and the activity of the Iranian offensive group OilRig, APT 34, Helix Kitten, Chrysene. Additionally, we identified, with medium probability, a connection between this campaign and the APT 33, Elfin, Magnallium and Chafer, APT 39 groups. The campaign was first revealed by Dragos, named “Parisite” and attributed to APT33; we call the comprehensive campaign revealed in this report “Fox Kitten”. The initial breach of the targeted organizations was performed, in most cases, by exploiting 1-day vulnerabilities in different VPN services such as Pulse Secure VPN, Fortinet VPN, and Global Protect by Palo Alto Networks. Upon gaining a foothold at the target, the attackers tried to maintain access to the networks by opening a variety of communication tools, including opening RDP links over SSH tunneling, in order to camouflage and encrypt the communication with the targets.
At the final stage, after successfully infiltrating the organization, the attackers performed a routine process of identification, examination, and filtering of sensitive, valuable information from every targeted organization. The valuable information was sent back to the attackers for reconnaissance, espionage, or further infection of connected networks. | |
Observed | Sectors: Aviation, Chemical, Energy, Defense, Engineering, Financial, Government, Healthcare, IT, Media, Manufacturing, Oil and gas, Retail, Telecommunications. Countries: Australia, Austria, Finland, France, Germany, Hungary, Israel, Italy, Kuwait, Lebanon, Malaysia, Poland, Saudi Arabia, UAE, USA. | |
Tools used | FRP, Invoke the Hash, JuicyPotato, Ngrok, Pay2Key, Port.exe, POWSSHNET, Plink, PuTTY, Serveo, SSHMinion, STSRCheck. | |
Operations performed | Late 2019 | “Fox Kitten” Campaign <https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf> |
Jul 2020 | In late July 2020, an actor assessed to be associated with PIONEER KITTEN was identified as advertising to sell access to compromised networks on an underground forum. <https://www.crowdstrike.com/blog/who-is-pioneer-kitten/> | |
Sep 2020 | This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. <https://us-cert.cisa.gov/ncas/alerts/aa20-259a> | |
Nov 2020 | Pay2Kitten – Fox Kitten 2 <https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf> | |
Information | <https://dragos.com/blog/industry-news/the-state-of-threats-to-electric-entities-in-north-america/> <https://threatpost.com/oil-and-gas-specialist-apt-pivots-to-u-s-power-plants/151699/> <https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf> <https://www.crowdstrike.com/blog/who-is-pioneer-kitten/> <https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a> <https://censys.com/analysis-of-fox-kitten-infrastructure-reveals-unique-host-patterns-and-potentially-new-iocs/> | |
MITRE ATT&CK | <https://attack.mitre.org/groups/G0117/> |
Last change to this card: 23 October 2024
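The card's description names the post-access technique (RDP tunnelled over SSH with tools such as Plink and PuTTY, with Ngrok and FRP also on the tools list) but not how a defender would spot it in endpoint telemetry. The Python below is an added example and is not code from the card or from any of the cited reports. It runs a small detection over constructed Sysmon Event ID 1-style process-creation records; the records, paths, hostnames and addresses are invented for the example, and the watch list of tunnelling binaries is an assumption, not an inventory from the source. It flags SSH-style port forwards (`-L`/`-R`) by a known tunnelling tool, ngrok TCP tunnels, a tunnelling tool launched without a visible forward (FRP reads its forwards from a config file, so the command line alone says little), and an RDP client aimed at a loopback address, which is the client side of such a tunnel; a forward that touches tcp/3389 is marked separately.

```python
"""Detect RDP-over-SSH tunnelling in process-creation telemetry.

Added example; the sample records below are constructed, not real logs.
"""
import re
from dataclasses import dataclass
from typing import Optional

RDP_PORT = 3389

# Tunnelling tools named on the card (Plink, PuTTY, Ngrok, FRP) plus OpenSSH,
# with and without the .exe suffix. Treating this as the watch list is an
# assumption of the example.
TUNNEL_IMAGES = {
    "plink.exe", "putty.exe", "ssh.exe", "ngrok.exe", "frpc.exe",
    "plink", "ssh", "ngrok", "frpc",
}

# OpenSSH/Plink forwarding syntax: -L [bind:]port:host:port / -R [bind:]port:host:port
SSH_FORWARD_RE = re.compile(
    r"-(?P<dir>[LR])\s*(?:[\w.\-]+:)?(?P<port1>\d+):(?P<host>[\w.\-]+):(?P<port2>\d+)"
)
# ngrok "tcp [addr:]port" exposes a local TCP port through ngrok's relay
NGROK_TCP_RE = re.compile(r"\btcp\s+(?:[\w.\-]+:)?(?P<port>\d+)\b")
# mstsc pointed at loopback: the RDP client half of a local tunnel endpoint
LOOPBACK_RDP_RE = re.compile(r"/v:(?:127\.0\.0\.1|localhost)(?::\d+)?\b", re.IGNORECASE)


@dataclass
class Finding:
    record_id: int
    image: str
    technique: str      # ssh-forward | ngrok-tcp | tunnel-tool | loopback-rdp
    touches_rdp: bool   # True when tcp/3389 is part of the tunnel
    detail: str


def _image_name(path: str) -> str:
    """Basename of the Image field, lower-cased, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyse(record: dict) -> Optional[Finding]:
    """Return a Finding for one process-creation record, or None if benign."""
    rid, image, cmd = record["RecordId"], _image_name(record["Image"]), record["CommandLine"]
    if image in TUNNEL_IMAGES:
        for m in SSH_FORWARD_RE.finditer(cmd):
            ports = {int(m["port1"]), int(m["port2"])}
            return Finding(rid, image, "ssh-forward", RDP_PORT in ports,
                           f"-{m['dir']} forward {m['port1']}:{m['host']}:{m['port2']}")
        m = NGROK_TCP_RE.search(cmd)
        if image.startswith("ngrok") and m:
            port = int(m["port"])
            return Finding(rid, image, "ngrok-tcp", port == RDP_PORT, f"exposes local tcp/{port}")
        # FRP and friends take their forwards from a config file: still worth a look
        return Finding(rid, image, "tunnel-tool", False, "tunnelling tool without visible forward")
    if image == "mstsc.exe" and LOOPBACK_RDP_RE.search(cmd):
        return Finding(rid, image, "loopback-rdp", True, "RDP client aimed at loopback")
    return None


def scan(records) -> list:
    """Run analyse() over a batch of records and keep the hits."""
    return [f for f in map(analyse, records) if f is not None]


# Constructed Sysmon Event ID 1-style records (invented for this example).
SAMPLE_RECORDS = [
    {"RecordId": 1, "Image": r"C:\Windows\Temp\plink.exe",
     "CommandLine": r"plink.exe -N -R 3389:127.0.0.1:3389 -P 443 svc@203.0.113.10 -pw Passw0rd"},
    {"RecordId": 2, "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -L 8080:intranet.corp:80 dev@10.0.0.5"},
    {"RecordId": 3, "Image": r"C:\Users\Public\ngrok.exe", "CommandLine": "ngrok.exe tcp 3389"},
    {"RecordId": 4, "Image": r"C:\ProgramData\frpc.exe", "CommandLine": "frpc.exe -c frpc.ini"},
    {"RecordId": 5, "Image": r"C:\Windows\System32\mstsc.exe", "CommandLine": "mstsc.exe /v:127.0.0.1:3389"},
    {"RecordId": 6, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        flag = "RDP" if f.touches_rdp else "   "
        print(f"[{flag}] record {f.record_id}: {f.image} {f.technique}: {f.detail}")
```

The forward regex only sees what is on the command line, so a tunnel configured through a PuTTY saved session or an FRP config file shows up only as the weaker "tunnel-tool" hit; pairing that with the loopback-mstsc signal, or with network telemetry showing tcp/3389 inside an SSH session, is what gives confidence.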