In mid-July, a cyber attack on the Albanian government knocked out state websites and public services for hours. With Russia’s war wreaking havoc in Ukraine, the Kremlin might seem the most likely suspect. But research released Thursday by threat intelligence firm Mandiant attributes the attack to Iran. And while Tehran’s espionage operations and digital meddling have surfaced around the world, Mandiant researchers say a disruptive attack by Iran on a NATO member is a notable escalation.
The July 17 cyber attacks against Albania came ahead of the “Free Iran World Summit,” a conference scheduled for the western Albanian city of Manëz on July 23-24. The summit was affiliated with the Iranian opposition group Mujahideen-e-Khalq, or the People’s Mojahideen Organization of Iran (often abbreviated MEK, PMOI or MKO). The conference was postponed the day before it was due to begin, citing reported but unspecified “terrorist” threats.
Mandiant researchers say the attackers deployed ransomware from the Roadsweep family and may have also used a previously unknown backdoor called Chimneysweep, as well as a new strain of the Zeroclear wiper. Previous use of similar malware, the timing of the attacks, other clues in the Roadsweep ransom note and the activity of actors claiming responsibility for the attacks on Telegram all point to Iran, Mandiant says.
“This is an aggressive escalating step that we have to recognize,” says John Hultquist, Mandiant’s vice president of intelligence. “Iranian espionage happens all the time around the world. The difference here is that this is not espionage. These are disruptive attacks, affecting the lives of everyday Albanians living within the NATO alliance. And it was essentially a coercive attack to force the government’s hand.”
Iran has conducted aggressive hacking campaigns in the Middle East and particularly in Israel, and its state-backed hackers have penetrated and probed manufacturing, supply-chain and critical infrastructure organizations. In November 2021, the US and Australian governments warned that Iranian hackers were actively working to gain access to a range of networks, including those of transportation, healthcare and public health entities, among others. “Such Iranian government-sponsored APT actors may leverage this access for tracking operations, including data exfiltration or encryption, ransomware, and extortion,” the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency wrote at the time.
However, Tehran has limited how far its attacks have gone on the global stage, largely sticking to data exfiltration and reconnaissance. The country has also engaged in influence operations, disinformation campaigns and efforts to interfere in foreign elections, including in the US.
“We’ve gotten used to seeing Iran being aggressive in the Middle East, where that activity has never stopped, but outside the Middle East they’ve been much more moderate,” Hultquist says. “I am concerned that they may be more willing to take their capability outside the region. And they clearly have no qualms about targeting NATO states, which suggests to me that any element of deterrence that we believe exists between us and them may not exist at all.”
With Iran claiming it now has the ability to produce nuclear warheads, and representatives of the country meeting with US officials in Vienna about a possible revival of the 2015 nuclear deal between the countries, any signal about Iran’s possible intentions and risk tolerance when it comes to dealing with NATO is important.