Albania cut diplomatic ties with Iran and expelled the country’s embassy staff over a major cyberattack nearly two months ago that was allegedly carried out by Tehran on Albanian government websites, the prime minister said Wednesday.
The move by NATO member Albania was the first known case of a country cutting diplomatic relations over a cyberattack.
The White House vowed unspecified retaliation Wednesday against Iran for what it called “a troubling precedent for cyberspace.”
In a statement, the White House said it has had experts on the ground for weeks helping Albania and had concluded Iran was behind the “reckless and irresponsible” attack and subsequent hack-and-leak operation.
The government’s decision was formally delivered to the Iranian Embassy in Tirana, the capital, in an official note, Prime Minister Edi Rama said. All embassy staff, including diplomatic and security personnel, were ordered to leave Albania within 24 hours.
On July 15, a cyberattack temporarily shut down numerous Albanian government digital services and websites.
Rama said an investigation determined that the cyberattack wasn’t carried out by individuals or independent groups, calling it “state aggression.”
“The deep investigation put at our disposal undeniable evidence that the cyberattack against our country was orchestrated and sponsored by the Islamic Republic of Iran which had involved four groups for the attack on Albania,” Rama said in a video statement.
Iran on Wednesday condemned the diplomats’ expulsion, calling the action ill-considered and short-sighted, according to Iranian state TV.
In a statement, the Iranian Foreign Ministry denied Tehran was behind any cyberattack on Albanian government websites, adding that it’s Iran which is a target of such attacks on its critical infrastructure.
Tirana said it was working with Microsoft and the FBI in an investigation into the cyberattack.
Mandiant, a leading U.S. cybersecurity firm, expressed “moderate confidence” last month that the attackers were acting in support of Tehran’s anti-dissident efforts.
A group calling itself “HomeLand Justice” claimed credit for the cyberattack that used ransomware to scramble data. Ransomware is best known for its use in for-profit criminal extortion, but is being increasingly wielded for political ends, particularly by Iran.
The claim by “HomeLand Justice” came on a Telegram channel in which documents purported to be Albanian residence permits of members of the Iranian opposition group Mujahedeen-e-Khalq, best known as MEK, were posted, along with video of the ransomware being activated. The channel alleged corruption in the Albanian government and used hashtags including #Manez.
Albania, a NATO member since 2009, shelters about 3,000 Iranian MEK dissidents who live at Ashraf 3 camp in Manez, which is 30 kilometers (19 miles) west of Tirana.
“This activity poses an active threat to public and private organizations in other NATO member states,” Mandiant said. “As negotiations surrounding the Iran nuclear deal continue to stall, this activity indicates Iran may feel less restraint in conducting cyber network attack operations going forward.”
At the time, the Albanian government said the hackers’ methods were identical to attacks last year in other NATO countries, including Germany, Lithuania, the Netherlands and Belgium.
Rama on Wednesday accused Tehran of recruiting one of the most notorious international cyberattack groups that was involved in similar attacks on Israel, Saudi Arabia, United Arab Emirates, Jordan, Kuwait and Cyprus. He said Tirana had shared the data and the investigation results with strategic partners and NATO countries.
The Biden administration said it supported the move by Albania to cut ties with Tehran.
“The United States strongly condemns Iran’s cyberattack,” National Security Council spokesperson Adrienne Watson said in a statement. “We join in Prime Minister Rama’s call for Iran to be held accountable for this unprecedented cyber incident.”
“The United States will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace,” Watson said.
Albanian Foreign Minister Olta Xhacka said Tirana “communicated closely with our partners, at NATO and the European Union, and also at the bilateral level, and asked for their support in Albania’s decision-making and, no doubt, for the future to address such kind of threats the best way possible.”
“The aggressiveness of the attack, the level of attack and moreover the fact that it was a fully unprovoked attack left no space for any other decision,” Xhacka said.
Mandiant Vice President John Hultquist told The Associated Press that the attacks on Albania and an earlier one on Montenegro show how “critical government systems in NATO countries are vulnerable and under attack.”
“The attack on Albania is a reminder that while the most aggressive Iranian cyber activity is generally focused in the Middle East region, it is by no means limited to it,” Hultquist said. “Iran will carry out disruptive and destructive cyberattacks as well as complex information operations globally.”
In July, MEK had planned to hold the Free Iran World Summit at the Manez camp with U.S. lawmakers among the invitees. The meeting was canceled “for security reasons and due to terrorist threats and conspiracies.”
In two separate instances in 2020 and 2018, Tirana expelled four Iranian diplomats for “threatening national security.”