Cyberattack on Albanian government suggests new Iranian aggression

Tirane, Albania. Pawel Toczynski | Getty Images

In mid-July, a cyberattack on the Albanian government crippled state websites and public services for hours. With the Russian war raging in Ukraine, the Kremlin may seem like the most likely suspect. But research released Thursday by threat intelligence firm Mandiant attributes the attack to Iran. And while Tehran's spy operations and digital interference have been seen around the world, Mandiant researchers say a disruptive attack by Iran on a NATO member is a notable escalation.

The digital attacks targeting Albania on July 17 preceded the "Free Iran Global Summit," a conference scheduled to be held in the western Albanian town of Manëz on July 23 and 24. The summit was affiliated with the Iranian opposition group Mujahedeen-e-Khalq, also known as the People's Mojahedin Organization of Iran (often abbreviated as MEK, PMOI, or MKO). The conference was postponed the day before it was due to open, citing reported but unspecified "terrorist" threats.

Mandiant researchers say the attackers deployed ransomware from the Roadsweep family and may also have used a previously unknown backdoor dubbed Chimneysweep, as well as a new strain of the Zeroclear wiper. Past use of similar malware, the timing of the attacks, other clues in the Roadsweep ransom note, and the activity of actors claiming responsibility for the attacks on Telegram all point to Iran, Mandiant says.

"This is an aggressive escalation step that we must acknowledge," said John Hultquist, vice president of intelligence at Mandiant. "Iranian espionage happens all the time all over the world. The difference here is that it is not espionage. It is disruptive attacks, affecting the lives of ordinary Albanians who live within the NATO alliance. And it was basically a coercive attack to force the government's hand."

Iran has waged aggressive hacking campaigns in the Middle East, particularly against Israel, and its state-backed hackers have penetrated and probed manufacturing, supply-chain, and critical infrastructure organizations. In November 2021, the US and Australian governments warned that Iranian hackers were actively working to gain access to a range of networks, including those of transportation, healthcare, and public health entities. "These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion," the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency wrote at the time.

Outside the Middle East, however, Tehran has largely limited the scope of its attacks to data exfiltration and reconnaissance. The country has also been involved in influence operations, disinformation campaigns, and efforts to meddle in foreign elections, including in the United States.

"We got used to seeing Iran being aggressive in the Middle East, where that activity never stopped, but outside the Middle East they were much more restrained," Hultquist said. "I fear they are no longer willing to leverage their capabilities outside the region. And they clearly have no qualms about targeting NATO states, which suggests to me that whatever means of deterrence we believe exist between us and them may not exist at all."

With Iran claiming it now has the capability to produce nuclear warheads, and its officials meeting US officials in Vienna over a possible revival of the 2015 nuclear deal, any signal about Iran's intentions and risk tolerance when it comes to dealing with NATO is important.

This story originally appeared on wired.com.
