SecurityWeek

Cyberwarfare

CISA, FBI Detail Iranian Cyberattacks Targeting Albanian Government

Iranian hackers breached Albanian government one year before disruptive attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory detailing the cyberattacks that Iranian threat actors conducted against the Albanian government in July 2022.

Attributed to state-sponsored Iranian advanced persistent threat (APT) actors referred to as ‘HomeLand Justice’, the attack disrupted the Albanian government’s websites and services.

As a result of the incident, Albania cut diplomatic ties with Iran and the US announced sanctions against entities in Iran. According to Microsoft, at least four different Iranian threat actors were involved in the hacks.

In a joint advisory this week, CISA and the FBI have shared details on the timeline of activity associated with the incident, as well as technical information on some of the files the hackers used during the attack.

According to the two agencies, the attackers had access to the Albanian government’s network for roughly 14 months before launching the crippling attack, which involved both ransomware and a wiper.

During this timeframe, the attackers periodically accessed compromised email accounts, exfiltrated emails, and conducted credential harvesting, lateral movement, and network reconnaissance.

In July 2022, the adversaries deployed ransomware on compromised systems and left anti-Mujahideen E-Khalq (MEK) messages on multiple computer desktops. They also deployed a variant of the ZeroCleare destructive malware.


In addition to ransomware and wiping malware, the attackers were observed using multiple webshells for persistence, as well as relying on RDP, SMB, and FTP for lateral movement. They also connected to IPs associated with the victim’s VPN and used Mimikatz for credential dumping.

In September 2022, after Albania publicly attributed the July attacks to Iran, the threat actors launched a new wave of assaults against the Albanian government, using similar TTPs and malware, CISA and the FBI note.

Related: NATO’s Team in Albania to Help on Iran-Alleged Cyberattack

Related: US Indicts Iranians Who Hacked Power Company, Women’s Shelter

Related: US, UK, Canada and Australia Link Iranian Government Agency to Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
