FBI and CISA have released a joint statement describing the recent cyberattacks against the Albanian government
The recent cyberattacks against the Albanian government in July and September are described in detail in this joint cybersecurity alert from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).
The alert provides a timeline of the observed behavior, commencing with initial access and concluding with the encryption and wiper actions. Additional details on the files the actors used to target and damage the victim organization's network can be found in Appendices A and B.
The Government of Albania was the target of a damaging cyberattack in July 2022 by Iranian state actors operating online under the name “Homeland Justice,” which rendered websites and services inaccessible. According to an FBI investigation, Iranian state-sponsored cyber actors first gained access to the victim’s network around 14 months before unleashing the destructive cyberattack, which comprised wiper malware that erased the victim’s hard drives and ransomware-style file encryption.
The actors maintained continuous network access for around a year, periodically accessing and exfiltrating email content. Between May and June 2022, Iranian state cyber actors conducted lateral movement, network reconnaissance, and credential harvesting on the Albanian government's networks.
In July 2022 the attackers launched the ransomware across the networks and left a message on compromised computers criticizing the Mujahideen E-Khalq (MEK). When network defenders detected and began responding to the ransomware activity, the actors deployed a destructive variant of the ZeroCleare wiper.
To spread misinformation about the MEK, Homeland Justice established a website and numerous social media accounts in June 2022. Homeland Justice claimed responsibility for the attack on the Albanian government’s infrastructure on July 18, 2022, and uploaded videos of the cyberattack to its website on July 23, 2022.
From late July to mid-August 2022, Homeland Justice-affiliated social media accounts repeatedly advertised the release of Albanian government documents, polled followers on which documents they wanted Homeland Justice to release, and then released those documents, either as a .zip file or as a screen-recording video showing the documents.
Iranian cyber actors targeted the Albanian government again in September 2022, using malware and TTPs resembling those employed in the July operations. These follow-on attacks undoubtedly occurred as retaliation for Albania severing diplomatic ties with Iran and publicly attributing the July attacks to Iranian actors.