Iranian hackers breached Albanian government one year before disruptive attacks
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory detailing the cyberattacks that Iranian threat actors conducted against the Albanian government in July 2022.
Attributed to state-sponsored Iranian advanced persistent threat (ATP) actors referred to as ‘HomeLand Justice’, the attack disrupted the Albanian government’s websites and services.
As a result of the incident, Albania cut diplomatic ties with Iran and the US announced sanctions against entities in Iran. According to Microsoft, at least four different Iranian threat actors were involved in the hacks.
In a joint advisory this week, CISA and the FBI have shared details on the timeline of activity associated with the incident, as well as technical information on some of the files the hackers used during the attack.
According to the two agencies, the attackers had access to the Albanian government’s network for roughly 14 months before launching the crippling attack, which involved both ransomware and a wiper.
During this timeframe, the attackers periodically accessed compromised email accounts, exfiltrated emails, and conducted credential harvesting, lateral movement, and network reconnaissance.
In July 2022, the adversaries deployed ransomware on compromised systems and left anti-Mujahideen E-Khalq (MEK) messages on multiple computer desktops. They also deployed a variant of the ZeroCleare destructive malware.
In addition to ransomware and wiping malware, the attackers were observed using multiple webshells for persistence, as well as relying on RDP, SMB, and FTP for lateral movement. They also connected to IPs associated with the victim’s VPN and used Mimikatz for credential dumping.
In September 2022, after Albania publicly attributed the July attacks to Iran, the threat actors launched a new wave of assaults against the Albanian government, using similar TTPs and malware, CISA and the FBI note.
Ionut Arghire is an international correspondent for SecurityWeek. Previous Columns by Ionut Arghire:Tags: