Iranian hackers breached Albanian government one year before disruptive attacks
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory detailing the cyberattacks that Iranian threat actors conducted against the Albanian government in July 2022.
Attributed to state-sponsored Iranian advanced persistent threat (APT) actors referred to as ‘HomeLand Justice’, the attack disrupted the Albanian government’s websites and services.
As a result of the incident, Albania cut diplomatic ties with Iran and the US announced sanctions against entities in Iran. According to Microsoft, at least four different Iranian threat actors were involved in the hacks.
In a joint advisory this week, CISA and the FBI have shared details on the timeline of activity associated with the incident, as well as technical information on some of the files the hackers used during the attack.
According to the two agencies, the attackers had access to the Albanian government’s network for roughly 14 months before launching the crippling attack, which involved both ransomware and a wiper.
During this timeframe, the attackers periodically accessed compromised email accounts, exfiltrated emails, and conducted credential harvesting, lateral movement, and network reconnaissance.
In July 2022, the adversaries deployed ransomware on compromised systems and left anti-Mujahideen E-Khalq (MEK) messages on multiple computer desktops. They also deployed a variant of the ZeroCleare destructive malware.
In addition to ransomware and wiping malware, the attackers were observed using multiple webshells for persistence, as well as relying on RDP, SMB, and FTP for lateral movement. They also connected to IPs associated with the victim’s VPN and used Mimikatz for credential dumping.
In September 2022, after Albania publicly attributed the July attacks to Iran, the threat actors launched a new wave of assaults against the Albanian government, using similar TTPs and malware, CISA and the FBI note.
More from Ionut Arghire