Stolen Corporate Network Credentials on Sale

Pioneer Kitten (aka Fox Kitten) is known for using open-source tools to compromise remote external services and infiltrating corporate networks.

What happened?

The Iranian APT group has been attacking corporate VPNs over the past months, and was recently seen selling corporate-network credentials on hacker forums.
  • Pioneer Kitten’s targets are North American and Israeli organizations in various sectors that represent some type of intelligence interest to the Iranian government.
  • According to Crowdstrike, this indicates that the APT group is probably looking out for an additional source of income, besides its targeted intrusions in support of the Iranian government.

Targeted entities

Active since at least 2017, Pioneer Kitten is primarily interested in cyberespionage to offer an edge to the Iranian intelligence team.
  • In early-August 2020, Pioneer Kitten was found attacking the US private and government sector, with a primary task of providing an initial beachhead to other Iranian hacking groups, namely APT33 (Shamoon), Oilrig (APT34), or Chafer.
  • The group mainly targets the government, defense, technology, and healthcare sectors across North America and Israel.
  • Besides it has been accused of planting backdoors in aviation, retail, media, and engineering as well.


Mode of operation

  • For network intrusion, Pioneer Kitten relies on SSH tunneling, open-source tools, and a custom tool called SSHMinion.
  • The group leverages several critical exploits in commercial VPNs and networking equipment, including Pulse Secure Connect enterprise VPNs (CVE-2019-11510), Citrix servers and network gateways (CVE-2019-19781), and F5 Networks BIG-IP load balancers (CVE-2020-5902).

The bottom line

The sale of stolen data on hacker forums by Pioneer Kitten is a prominent risk for organizations. As their corporate secrets are commercially available, this may result in several additional threats or risks for the organizations. To reduce such risks, organizations are recommended to update their security credentials at regular intervals and keep assessing their security infrastructure.