Iranian Hacking Group Attacking F5 Networks. The FBI Is Watching.

August 10, 2020 Topic: Security Region: Middle East Blog Brand: The Buzz Tags: MilitaryTechnologyWeaponsIranCyberattacks

Iranian Hacking Group Attacking F5 Networks. The FBI Is Watching.

While the FBI warning didn’t indicate whether any companies had been breached in a recent cyberattack, sources told ZDNet that Fox Kitten has been successful in cyberattacks against BIG-IP devices in at least two companies this year.

While an attack coming from a group known as “Fox Kitten” might not sound all that bad, the group—which is also known as Parisite—has ties to the Iranian government and is even considered the Islamic Republic’s “spear tip” when it comes to such attacks against western interests. This is the group that sources have suggested are waging a campaign directed at the U.S. private and government sector according to an alert sent out by the FBI last week.

Sources reportedly told ZDNet on Monday that the group is tracked by the cybersecurity community under the codenames Fox Kitten and Parisite, and that its primary task is providing an “initial beachhead” for other Iranian hacking groups, such as APT33 (Shamoon), Oilrig (APT34) or Chafer.

The FBI issued the alert last week and warned companies that Fox Kitten has upgraded its attack arsenal to include an exploit for CVE-2020-5902, a vulnerability disclosed in July that could impact BIG-IP, which is a popular multi-purpose networking device manufactured by F5 Networks. That technology is widely used in data centers and cloud environments.

The FBI has instructed companies to patch their on-premise BIG-IP devices as a preventative measure against such cyberattacks. While the FBI warning didn’t indicate whether any companies have been breached in a recent cyberattack, sources told ZDNet that Fox Kitten has been successful in cyberattacks against BIG-IP devices in at least two companies this year.

More worrisome is that the Iranian group doesn’t seem to be the only bad actor that has targeted the vulnerability with BIG-IP, and multiple groups have exploited the bug since the details of it became public. 

Force-Multiplier Attack 

Such cyberattacks are being conducted by Iran because it can strike western interests in ways that its military cannot. Security experts have seen this as a top concern facing the world right now.

“The risk of cyber warfare is on par with nuclear risk and climate change—and it may even pose a greater risk than both,” warned Tal Zamir, co-founder and CEO of Hysolate.

“A decade ago, cyber threats had somewhat manageable impacts—data theft that would rock the stability of the organization, or monetary loss that would affect performance and a company’s stock price for a couple of years,” Zamir told the National Interest via email. “Today, more cyber threats are causing business disruption than data theft and monetary loss, combined.”

Low-Hanging Fruit 

The type of targets that Fox Kitten goes after only reinforce the argument that this is a state-sponsored cyberattack—one that could cause chaos rather than being about financial gain. 

“Given the enterprise capabilities of the F5 solutions being exploited, the organizations targeted by the Iranian group are mainly large corporations and government organizations,” explained Charles King, principal analyst at Pund-IT. 

“In essence, this is a modern-day version of Willie Sutton’s response to a reporter’s question about why he robbed banks: ‘Because that’s where the money is,’” King told the National Interest.

However, as noted, this isn’t actually about money but access to information.

“The FBI’s warning of Iranian hackers tactics is yet the latest confirmation that attackers always look for the easiest way to establish their foothold, which happen to be these vulnerable endpoints,” added Zamir. “Vulnerabilities in hardware devices such as these are a common ‘low hanging fruit’ for attackers. In fact, we must not forget that endpoints (laptops/desktops) are one of the most commonly targeted devices by attackers—70 percent of breaches start on the endpoint.”

Increased Threat Vectors 

The other danger is that hacker groups continue to seek out the vulnerability that is essentially a digital “keys to the kingdom,” and with that real havoc can be conducted by the attackers.

“Once hackers successfully gain entrance, they implement a backdoor or web shell that acts as a gateway into the network,” said King. “At that point, the hackers can explore files, data and other network-accessible materials, and copy or remove what they like. Additionally, they could potentially lockdown the network as part of a ransomware attack.”

As with everything “cyber” today, a little bit of preparation can ensure that an organization doesn’t have to deal with a lot of “clean up” and “recovery” on the other end.

“Organizations are advised to inventory and assess the security of all of the connected devices being used—everything from access card systems and connected security cameras to traditional connected devices like endpoints and network access control systems,” said Zamir. “To ensure corporate data is protected without reducing user productivity, laptops and computers should be equipped with a secure, isolated operating system from which to access sensitive databases and systems.”

Peter Suciu is a Michigan-based writer who has contributed to more than four dozen magazines, newspapers and websites. He is the author of several books on military headgear including A Gallery of Military Headdress, which is available on 

Image: Reuters