
Microsoft: Multiple Iranian Groups Conducted Cyberattack on Albanian Government

Multiple Iranian hacking groups participated in a recent cyberattack targeting the Albanian government, according to new data from Microsoft’s security research and response teams.


On July 15, 2022, threat actors working on behalf of the government of Iran launched a destructive attack against the Albanian government's websites and public services, taking them offline. Microsoft estimates that the attack affected less than 10% of the victim environment.

The campaign consisted of four stages, each handled by a different actor: DEV-0861 performed the initial compromise and exfiltrated data, DEV-0166 also exfiltrated data, DEV-0133 probed the victim's infrastructure, and DEV-0842 deployed the ransomware and wiper malware.

According to Microsoft, the threat actors engaged in gaining initial access and exfiltrating data are likely associated with EUROPIUM, a threat actor publicly linked to Iran’s Ministry of Intelligence and Security (MOIS).

The company’s report said initial access was likely obtained in May 2021, following the exploitation of CVE-2019-0604, a SharePoint vulnerability patched in March 2019. The threat actor executed code to implant web shells that were then used to upload files, perform reconnaissance, execute commands, and disable antivirus programs.
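Web shells of the kind described above leave a trail in the web server's own logs: HTTP requests to server-side pages that are not part of the product build, often from an unauthenticated client using a non-browser user agent, with command arguments in the query string. The script below is an added example (not Microsoft's or SecurityWeek's code) of that hunt over IIS W3C logs from a SharePoint front end. The log lines, IP addresses, the page name `cache.aspx` and the `BASELINE_PAGES` allow-list are all constructed for illustration; in practice the baseline would be generated from a clean install of the same SharePoint build.

```python
"""Hunt IIS W3C logs for web-shell traffic on a SharePoint front end (added example)."""
from collections import defaultdict
from urllib.parse import unquote

# Constructed IIS W3C log excerpt: not real data. Hosts, users, IPs and the
# page name cache.aspx are hypothetical.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2021-05-03 09:12:41 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200 120
2021-05-03 09:13:02 10.0.0.5 POST /_layouts/15/upload.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200 340
2021-05-03 23:41:07 10.0.0.5 POST /_layouts/15/cache.aspx - 443 - 198.51.100.7 python-requests/2.25.1 200 15
2021-05-03 23:41:09 10.0.0.5 POST /_layouts/15/cache.aspx cmd=whoami 443 - 198.51.100.7 python-requests/2.25.1 200 18
2021-05-03 23:41:15 10.0.0.5 POST /_layouts/15/cache.aspx cmd=tasklist 443 - 198.51.100.7 python-requests/2.25.1 200 22
2021-05-03 23:42:30 10.0.0.5 POST /_layouts/15/cache.aspx cmd=net%20user 443 - 198.51.100.7 python-requests/2.25.1 200 40
2021-05-04 08:02:11 10.0.0.5 GET /_layouts/15/cache.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 12
"""

# Hypothetical allow-list of .aspx pages that ship with the product build.
# Real use: enumerate the .aspx files of a clean install of the same build.
BASELINE_PAGES = {"/_layouts/15/start.aspx", "/_layouts/15/upload.aspx"}


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet or malformed line: skip rather than guess
        records.append(dict(zip(fields, values)))
    return records


def find_webshell_candidates(records, baseline=BASELINE_PAGES):
    """Group requests to non-baseline .aspx pages per (client, page) and score them.

    Score: +2 any POST, +1 every request unauthenticated, +1 non-browser
    user agent seen, +1 query-string arguments seen (command passing).
    """
    groups = defaultdict(lambda: {"requests": 0, "posts": 0, "unauthenticated": 0,
                                  "nonbrowser_ua": 0, "queries": set()})
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if not stem.endswith(".aspx") or stem in baseline:
            continue  # only pages the build does not account for are interesting
        g = groups[(r["c-ip"], stem)]
        g["requests"] += 1
        if r["cs-method"] == "POST":
            g["posts"] += 1
        if r["cs-username"] == "-":
            g["unauthenticated"] += 1
        ua = unquote(r["cs(User-Agent)"].replace("+", " "))  # IIS logs spaces as '+'
        if not ua.startswith("Mozilla/"):
            g["nonbrowser_ua"] += 1
        if r["cs-uri-query"] != "-":
            g["queries"].add(unquote(r["cs-uri-query"]))

    findings = []
    for (client, stem), g in groups.items():
        score = (2 if g["posts"] else 0) \
            + (1 if g["unauthenticated"] == g["requests"] else 0) \
            + (1 if g["nonbrowser_ua"] else 0) \
            + (1 if g["queries"] else 0)
        findings.append({"client": client, "page": stem, "score": score,
                         "posts": g["posts"], "requests": g["requests"],
                         "queries": sorted(g["queries"])})
    findings.sort(key=lambda f: (-f["score"], f["client"]))
    return findings


if __name__ == "__main__":
    for f in find_webshell_candidates(parse_w3c(SAMPLE_LOG)):
        print(f"score={f['score']} {f['client']} {f['page']} "
              f"posts={f['posts']}/{f['requests']} queries={f['queries']}")
```

Run against the sample, the unauthenticated `python-requests` client POSTing `cmd=` arguments to the unknown page scores highest; the later browser GET of the same page scores low but still surfaces, because any page absent from the build baseline is worth a look on its own. Pages loaded by a legitimate customization will show up too, so the allow-list needs to include approved custom pages, not just the product build.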

The adversary consolidated their access in July 2021, and exfiltrated email messages from the victim network between October 2021 and January 2022.


The same hacking group – DEV-0861 – was observed actively exfiltrating email contents from organizations in the Middle East (including Israel, Jordan, Kuwait, Saudi Arabia, Turkey, and the UAE) since at least April 2020.


The attack follows the same modus operandi as other cyberattacks attributed to Iranian threat actors: ransomware is deployed first, and the wiper afterwards. The wiper used the same license key and EldoS RawDisk driver as the ZeroCleare wiper that targeted a Middle East energy company in mid-2019.

In that 2019 incident, EUROPIUM had gained access to the victim's network roughly one year before a different Iranian nation-state actor deployed and executed the ZeroCleare wiper.

“The Eldos driver is a legitimate tool that was also abused by the ZeroCleare wiper and was used to delete files, disks, and partitions on the target systems. While ZeroCleare is not widely used, this tool is being shared amongst a smaller number of affiliated actors including actors in Iran with links to MOIS,” Microsoft explains.

The wiper that DEV-0842 deployed in the Albanian government attack was signed with an invalid digital certificate issued to Kuwait Telecommunications Company KSC. The same certificate had been used to sign 15 other files, including a binary used in a June 2021 attack on a DEV-0861 victim in Saudi Arabia.

An analysis of the messaging, timing, and target selection of the attack also points to threat actors acting on behalf of the Iranian government, Microsoft says.

“The messaging and target selection indicate Tehran likely used the attacks as retaliation for cyberattacks Iran perceives were carried out by Israel and the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania that seeks to overthrow the Islamic Republic of Iran,” the tech giant notes.


Written by Ionut Arghire, international correspondent for SecurityWeek.
