U.S. and U.K. Blame Iran for ‘Reckless’ Cyberattack on Albanian Government

British Foreign Secretary James Cleverly said on Wednesday that his government’s National Cyber Security Center has determined hackers linked to the Iranian regime were “almost certainly” behind a massive cyberattack against the Albanian government in July. Albania severed diplomatic ties with Iran over the incident, enraging Tehran.

“Iran’s reckless actions showed a blatant disregard for the Albanian people, severely restricting their ability to access essential public services,” Cleverly said.

“The U.K. is supporting our valuable partner and NATO ally. We join Albania and other allies in exposing Iran’s unacceptable actions,” he declared.

The U.S. government also “strongly condemned” the attack and called for Iran to be “held accountable for this unprecedented cyber incident.”

“The United States will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace,” the White House said on Wednesday.

The cyberattack occurred on July 15, shutting down a number of Albanian government websites and online services. The attackers made extensive use of ransomware, malware that encrypts the data on a targeted system so that it cannot be accessed unless the attackers provide the decryption keys to the victims.

Ransomware was originally popular with criminal gangs – including state-sponsored operations – that extort payments from their victims in exchange for the keys to unlock their data, but it has also been employed in purely destructive terrorist attacks in which no decryption is offered to the victims at all.

Microsoft warned on Thursday that Iranian threat groups have grown particularly aggressive with ransomware. The Mandiant cybersecurity firm, which investigated the Albania attack, released an extensive report this week on the activities of APT42, “an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.”

A group calling itself “HomeLand Justice” claimed responsibility for the attack, presenting itself on social media as a vigilante organization striking out against corruption in the Albanian government. The group posted documents purportedly stolen from members of Iranian resistance groups living in Albania.

Mandiant investigated the attack and concluded in early August that “HomeLand Justice” was likely a front for Iranian state-linked hackers. 

Among other evidence, the hackers employed malware that has been deployed by “Iran-nexus threat actors” in attacks across the Middle East over the past two years. 

Furthermore, the Albanian city hit hardest by the cyberattack – Durres, called out by name in the ransom message displayed on infected computers – was a week away from hosting an Iranian opposition conference called the “World Summit of Free Iran.” The conference was subsequently canceled due to terrorist threats.

Iran has been angry with Albania since 2014 for allowing thousands of members of an outlawed opposition group called the Mujahideen-e-Khalq (MEK) to settle near Durres. Albanian security officials say they have thwarted numerous efforts by Iranian agents to attack the MEK settlement over the years.

Mandiant observed dryly:

The use of ransomware to conduct a politically motivated disruptive operation against the government websites and citizen services of a NATO member state in the same week an Iranian opposition groups’ conference was set to take place would be a notably brazen operation by Iran-nexus threat actors.

Mandiant analysts further speculated Iran was growing more aggressive as negotiations to restore its extremely lucrative nuclear deal with the United States faltered.

The Albanian government reached similar conclusions, and on Wednesday, it made history by becoming the first state to sever diplomatic ties with a foreign government over a cyberattack.

Albanian Prime Minister Edi Rama said a note was formally delivered to the Iranian embassy in the capital of Tirana, instructing all personnel to leave the country within 24 hours.

“The deep investigation put at our disposal undeniable evidence that the cyberattack against our country was orchestrated and sponsored by the Islamic Republic of Iran which had involved four groups for the attack on Albania,” Rama said.

“The government has decided with immediate effect to end diplomatic relations with the Islamic Republic of Iran,” he declared.

Rama described the action as a “fully proportionate” response to an attack that “threatened to paralyze public services, erase digital systems and hack into state records, steal government intranet electronic communication and stir chaos and insecurity in the country.”

“The aggressiveness of the attack, the level of attack and moreover the fact that it was a fully unprovoked attack left no space for any other decision,” added Albanian Foreign Minister Olta Xhacka.

The Albanian government announced it is working with Microsoft and the FBI to further investigate the cyberattack. Both Albanian and American officials confirmed that U.S. cybersecurity personnel have been on the scene in Albania for the past few weeks.

“This is possibly the strongest public response to a cyberattack we have ever seen. While we have seen a host of other diplomatic consequences in the past, they have not been as severe or broad as this action,” Mandiant Vice President of Intelligence John Hultquist remarked.

Albanian counterterrorism police arrived at the Iranian embassy on Thursday; a squad equipped with masks, helmets, and automatic rifles swept the premises shortly after two cars with Iranian diplomatic plates departed. Reporters on the scene observed the Iranians burning a copious amount of documents before they left.

On Wednesday, Iran “strongly condemned” Albania’s actions, rejecting the cyberattack allegations as “baseless claims.”