Multiple Iranian hacking groups participated in a recent cyberattack targeting the Albanian government, according to new data from Microsoft’s security research and response teams.
On July 15, 2022, threat actors working on behalf of the government of Iran launched a destructive attack targeting the Albanian government’s websites and public services, taking them offline. Microsoft assessed the attack’s total impact on the customer environment at less than 10%.
The campaign consisted of four stages, each handled by a different actor: DEV-0861 performed the initial compromise and data exfiltration, DEV-0166 stole data, DEV-0133 probed the victim’s infrastructure, and DEV-0842 deployed the ransomware and wiper malware.
According to Microsoft, the threat actors engaged in gaining initial access and exfiltrating data are likely associated with EUROPIUM, a threat actor publicly linked to Iran’s Ministry of Intelligence and Security (MOIS).
The company’s report said initial access was likely obtained in May 2021, following the exploitation of CVE-2019-0604, a SharePoint vulnerability patched in March 2019. The threat actor executed code to implant web shells that were then used to upload files, perform reconnaissance, execute commands, and disable antivirus programs.
The adversary consolidated their access in July 2021, and exfiltrated email messages from the victim network between October 2021 and January 2022.
The same hacking group, DEV-0861, has been observed actively exfiltrating email contents from organizations in the Middle East (including Israel, Jordan, Kuwait, Saudi Arabia, Turkey, and the UAE) since at least April 2020.
The attack shares the same modus operandi as other cyberattacks attributed to Iranian threat actors, with ransomware being deployed first, and the wiper after. The wiper used the same license key and EldoS RawDisk driver as the ZeroCleare wiper used in mid-2019 to target a Middle East energy company.
In that earlier attack, EUROPIUM gained access to the victim’s network roughly one year before a different Iranian nation-state actor deployed and executed the ZeroCleare wiper.
“The EldoS driver is a legitimate tool that was also abused by the ZeroCleare wiper and was used to delete files, disks, and partitions on the target systems. While ZeroCleare is not widely used, this tool is being shared amongst a smaller number of affiliated actors including actors in Iran with links to MOIS,” Microsoft explains.
The wiper that DEV-0842 deployed in the Albanian government cyberattack was signed with an invalid digital certificate from Kuwait Telecommunications Company KSC, which was used to sign 15 other files, including a binary used in a June 2021 attack on a DEV-0861 victim in Saudi Arabia.
An analysis of the messaging, timing, and target selection of the attack also points to threat actors acting on behalf of the Iranian government, Microsoft says.
“The messaging and target selection indicate Tehran likely used the attacks as retaliation for cyberattacks Iran perceives were carried out by Israel and the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania that seeks to overthrow the Islamic Republic of Iran,” the tech giant notes.