Microsoft: Multiple Iranian Groups Conducted Cyberattack on Albanian Government

Multiple Iranian hacking groups participated in a recent cyberattack targeting the Albanian government, according to new data from Microsoft’s security research and response teams.

On July 15, 2022, threat actors working on behalf of the government of Iran launched a destructive attack targeting the Albanian government’s websites and public services, taking them offline. The attack had less than 10% total impact on the customer environment.

The campaign consisted of four distinct stages, each handled by a different actor: DEV-0861 performed the initial compromise and data exfiltration, DEV-0166 also stole data, DEV-0133 probed the victim’s infrastructure, and DEV-0842 deployed the ransomware and wiper malware.

According to Microsoft, the threat actors engaged in gaining initial access and exfiltrating data are likely associated with EUROPIUM, a threat actor publicly linked to Iran’s Ministry of Intelligence and Security (MOIS).

The company’s report said initial access was likely obtained in May 2021, following the exploitation of CVE-2019-0604, a SharePoint vulnerability patched in March 2019. The threat actor executed code to implant web shells that were then used to upload files, perform reconnaissance, execute commands, and disable antivirus programs.

The adversary consolidated their access in July 2021, and exfiltrated email messages from the victim network between October 2021 and January 2022.

The same hacking group – DEV-0861 – was observed actively exfiltrating email contents from organizations in the Middle East (including Israel, Jordan, Kuwait, Saudi Arabia, Turkey, and the UAE) since at least April 2020.

The attack shares the same modus operandi as other cyberattacks attributed to Iranian threat actors, with ransomware being deployed first, and the wiper after. The wiper used the same license key and EldoS RawDisk driver as the ZeroCleare wiper used in mid-2019 to target a Middle East energy company.

As part of that earlier attack, EUROPIUM gained access to the victim’s network roughly one year before a different Iranian nation-state actor deployed and executed the ZeroCleare wiper.

“The Eldos driver is a legitimate tool that was also abused by the ZeroCleare wiper and was used to delete files, disks, and partitions on the target systems. While ZeroCleare is not widely used, this tool is being shared amongst a smaller number of affiliated actors including actors in Iran with links to MOIS,” Microsoft explains.

The wiper that DEV-0842 deployed in the Albanian government cyberattack was signed with an invalid digital certificate from Kuwait Telecommunications Company KSC, which was used to sign 15 other files, including a binary used in a June 2021 attack on a DEV-0861 victim in Saudi Arabia.
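Two of the indicators above, a legitimate raw-disk driver being loaded and a binary carrying a signature that does not validate, are both visible in Sysmon DriverLoad telemetry. The triage logic below is an added example written for this article, not code from Microsoft or SecurityWeek; it assumes Sysmon Event ID 6 field names (ImageLoaded, Signed, Signature, SignatureStatus), assumes the EldoS RawDisk driver is named elrawdsk.sys, and runs over constructed sample events.

```python
import re
from dataclasses import dataclass

# Assumption: the EldoS RawDisk driver is shipped as elrawdsk.sys. Extend this
# set with other legitimate-but-abused disk drivers from your own intelligence.
ABUSED_LEGIT_DRIVERS = {"elrawdsk.sys"}

# Constructed Sysmon records flattened to "key=value" lines. EventID 6 is
# DriverLoad; the signer names and paths are invented for this example.
SAMPLE_EVENTS = """\
EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=1 Image=C:\\Windows\\System32\\svchost.exe CommandLine=svchost.exe -k netsvcs
EventID=6 ImageLoaded=C:\\Windows\\Temp\\elrawdsk.sys Signed=true Signature=EldoS Corporation SignatureStatus=Valid
EventID=6 ImageLoaded=C:\\Users\\Public\\wiper.sys Signed=true Signature=Kuwait Telecommunications Company KSC SignatureStatus=Expired
EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true Signature=Microsoft Windows SignatureStatus=Valid
"""


@dataclass
class Finding:
    image: str
    reason: str


def parse_event(line: str) -> dict:
    """Split a flattened Sysmon line into fields; values may contain spaces,
    so each value runs until the next ' key=' token or end of line."""
    return dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line.strip()))


def review_driver_loads(log_text: str) -> list[Finding]:
    """Flag driver loads that match the wiper tradecraft described above."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "6":
            continue  # only DriverLoad events carry signature fields
        image = ev.get("ImageLoaded", "")
        name = image.rsplit("\\", 1)[-1].lower()
        status = ev.get("SignatureStatus", "Unavailable")
        if name in ABUSED_LEGIT_DRIVERS:
            findings.append(Finding(image, "legitimate raw-disk driver loaded; abused by ZeroCleare-style wipers"))
        if ev.get("Signed") == "true" and status != "Valid":
            findings.append(Finding(image, f"signed by '{ev.get('Signature')}' but signature status is {status}"))
    return findings


if __name__ == "__main__":
    for f in review_driver_loads(SAMPLE_EVENTS):
        print(f"{f.image}: {f.reason}")
```

A RawDisk load from a non-standard path, as in the second finding, is the higher-fidelity signal; Microsoft-signed drivers with a valid status produce no findings.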

An analysis of the messaging, timing, and target selection of the attack also points to threat actors acting on behalf of the Iranian government, Microsoft says.

“The messaging and target selection indicate Tehran likely used the attacks as retaliation for cyberattacks Iran perceives were carried out by Israel and the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania that seeks to overthrow the Islamic Republic of Iran,” the tech giant notes.
Written By

Ionut Arghire is an international correspondent for SecurityWeek.