Connect with us

Hi, what are you looking for?



CISA, FBI Detail Iranian Cyberattacks Targeting Albanian Government

Iranian hackers breached Albanian government one year before disruptive attacks

Iranian hackers breached Albanian government one year before disruptive attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory detailing the cyberattacks that Iranian threat actors conducted against the Albanian government in July 2022.

Attributed to state-sponsored Iranian advanced persistent threat (ATP) actors referred to as ‘HomeLand Justice’, the attack disrupted the Albanian government’s websites and services.

As a result of the incident, Albania cut diplomatic ties with Iran and the US announced sanctions against entities in Iran. According to Microsoft, at least four different Iranian threat actors were involved in the hacks.

In a joint advisory this week, CISA and the FBI have shared details on the timeline of activity associated with the incident, as well as technical information on some of the files the hackers used during the attack.

According to the two agencies, the attackers had access to the Albanian government’s network for roughly 14 months before launching the crippling attack, which involved both ransomware and a wiper.

During this timeframe, the attackers periodically accessed compromised email accounts, exfiltrated emails, and conducted credential harvesting, lateral movement, and network reconnaissance.

Advertisement. Scroll to continue reading.

In July 2022, the adversaries deployed ransomware on compromised systems and left anti-Mujahideen E-Khalq (MEK) messages on multiple computer desktops. They also deployed a variant of the ZeroCleare destructive malware.

In addition to ransomware and wiping malware, the attackers were observed using multiple webshells for persistence, as well as relying on RDP, SMB, and FTP for lateral movement. They also connected to IPs associated with the victim’s VPN and used Mimikatz for credential dumping.

In September 2022, after Albania publicly attributed the July attacks to Iran, the threat actors launched a new wave of assaults against the Albanian government, using similar TTPs and malware, CISA and the FBI note.

Related: NATO’s Team in Albania to Help on Iran-Alleged Cyberattack

Related: US Indicts Iranians Who Hacked Power Company, Women’s Shelter

Related: US, UK, Canada and Australia Link Iranian Government Agency to Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


ENISA and CERT-EU warn of Chinese threat actors targeting businesses and government organizations in the European Union.