CISA Advisory – Iran-based Cyber Actors Enabling Ransomware Attacks on U.S. Organizations

CISA, the FBI, and the Department of Defense Cyber Crime Center (DC3) have issued a joint Cybersecurity Advisory: “Iran-based Cyber Actors Enabling Ransomware Attacks on U.S. Organizations.” The advisory aims to alert network defenders about ongoing threats from a group of Iran-based cyber actors known to the private sector as Pioneer Kitten, Parisite, Rubidium, and Lemon Sandstorm. As late as August 2024, this group has been targeting U.S. and foreign organizations in multiple sectors, including education, finance, healthcare, and defense, as well as local government entities. It is believed the groups methods aim to gain network access to collaborate with ransomware affiliates while also conducting computer network exploitation (CNE) activities to support the Government of Iran.

The timing of this advisory coincides with additional research on Iranian-based cyber threats. Notably, yesterday, Microsoft published its report on Peach Sandstorm and Google Cloud’s Mandiant published a report on an Iranian counterintelligence operation.

CISA and partners encourage critical infrastructure organizations to review and implement the mitigations provided in this joint advisory to reduce the likelihood and impact of ransomware incidents. For more information on Iranian state-sponsored threat actor activity, see CISA’s Iran Cyber Threat Overview and Advisories page. 

See #StopRansomware along with the updated #StopRansomware Guide for additional guidance on ransomware protection, detection, and response. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.