The Iranian hacker group, who has been attacking corporate VPNs for months, is now hoping to market some of the hacked systems by selling network access to other hackers.

Among Iran’s state-sponsored hacking teams has been seen selling access to endangered corporate networks on an underground hacking forum, cyber-security company Crowdstrike stated in a report now.

The business identified the group with the codename Pioneer Kitten, which is an alternate designation for the group, also called Fox Kitten or Parisite.

The team, which Crowdstrike considers is a builder for the Iranian regime, has spent 2019 and 2020 hacking into corporate networks through vulnerabilities in VPNs and networking equipment, for example:

• Pulse Safe “Connect” business VPNs (CVE-2019-11510)
• Fortinet VPN servers running FortiOS (CVE-2018-13379)
• Palo Alto Networks “Global Protect” VPN servers (CVE-2019-1579)
• Citrix “ADC” servers and Citrix network gateways (CVE-2019-19781)
• F5 Networks BIG-IP load balancers (CVE-2020-5902)

The team has been breaching network devices using the above vulnerabilities, planting backdoors, and then providing access to additional Iranian hacking groups, such as APT33 (Shamoon), Oilrig (APT34), or Chafer, based on reports from cyber-security companies ClearSky and Dragos.

These other groups would come in, expand the “first access” Pioneer Kitten was able to obtain by moving laterally across a network with more sophisticated malware and exploits and then searching and stealing sensitive data likely of interest to the Iranian authorities.

However, in a report today, Crowdstrike claims that Pioneer Kitten has also been seen selling access to a number of those compromised networks on hacking forums, since at least July 2020.

Crowdstrike considers the group is merely attempting to increase its revenue stream and market networks, which don’t have any intelligence value for Iranian intelligence services.

Classic targets of Iranian state-sponsored hacking teams usually include companies and authorities in the United States, Israel, and other Arab countries in the Middle East. Targeted businesses have usually included protection, health care, technology, and government. Anything else is probably out of scope for Iranian authorities hackers, and quite likely to be made accessible on hacking forums to other gangs.

Nowadays, the largest customers of “initial access brokers” (such as Pioneer Kitten) are usually ransomware gangs.