In a geopolitical “first”, the Albanian government has reacted to a cyber attack on its systems that was attributed to an Iran-backed advanced persistent threat (APT) actor by severing diplomatic ties with Iran, forcing its embassy in Tirana to close, and expelling its diplomatic staff and ambassador.
The July 2022 attack incorporated a combination of a previously unknown backdoor called Chimneysweep, a new variant of the existing Zeroclear malware, and a new ransomware family dubbed Roadsweep, according to Mandiant’s incident response team.
It targeted both members of the Mujahadeen-e-Khalq/People’s Mojahedin Organisation of Iran (MEK), an Iranian opposition group, members of which have found sanctuary in Albania, and the annual Free Iran World Summit, which was to have taken place towards the end of July in the country. Iran’s fundamentalist regime, which came to power in a revolution in 1979, is known to frequently target both ordinary members of the Iranian diaspora and dissidents in exile.
A group calling itself HomeLand Justice claimed responsibility for the attack, which forced the Albanian authorities to suspend access to online public services and other government websites.
In a video address delivered today, Albanian prime minister Edi Rana said there was now undisputable evidence that the cyber attack was a state-sponsored act of aggression, conducted by four groups orchestrated by Iran, which more usually targets organisations in Middle Eastern countries.
“We have informed accordingly our strategic allies, the Nato Member States and other friendly countries, with whom we have shared the irrefutable evidence resulting from the investigation that corroborate the source of the aggression against our country,” said Rana.
“The Council of Ministers has decided on the severance of diplomatic relations with the Islamic Republic of Iran with immediate effect. An official notice of the decision has been sent to the Embassy of the Islamic Republic of Iran, asking that all the diplomatic, technical and administrative, and security staff leave within 24 hours the territory of the Republic of Albania.”
Rana conceded the response was extreme, and not desired, but said it had been forced on the Albanian government, and was fully proportionate to the “gravity and risk” of the attack.
“Failure of this massive attack on our country thanks to the resilience of the systems we have built and the assistance of specialised groups who fought on our side is not the end of the cyber threat, but the clear proof that, thanks to its digital development, Albania is part of the large map of the battle for cyber security,” he said.
“The good news, however, is that we know what to do and how to do it to prevent anyone from harming us, just like we know that we will do the right things in the right way, also because we have the right partners on our side.”
Adrienne Watson, spokesperson for the White House’s National Security Council (NSC), said the US strongly condemned Iran’s cyber attack on a Nato ally.
“For weeks, the US government has been on the ground working alongside private sector partners to support Albania’s efforts to mitigate, recover from, and investigate the 15 July cyber attack that destroyed government data and disrupted government services to the public,” she said.
“We have concluded that the government of Iran conducted this reckless and irresponsible cyber attack and that it is responsible for subsequent hack and leak operations.
“Iran’s conduct disregards norms of responsible peacetime state behaviour in cyber space, which includes a norm on refraining from damaging critical infrastructure that provides services to the public.
“Albania views impacted government networks as critical infrastructure. Malicious cyber activity by a state that intentionally damages critical infrastructure or otherwise impairs its use and operation to provide services to the public can have cascading domestic, regional and global effects; pose an elevated risk of harm to the population; and may lead to escalation and conflict,” she said.
Watson added that the US would take further action to hold Iran accountable for actions that “threaten the security of a US ally and set a troubling precedent for cyber space”.
Mandiant Intelligence vice-president, John Hultquist, characterised Albania’s move as quite possibly the strongest public response to a cyber attack that he had ever seen.
“While we have seen a host of other diplomatic consequences in the past, they have not been as severe or broad as this action,” said Hultquist.
“The attack on Albania is a reminder that while the most aggressive Iranian cyber activity is generally focused in the Middle East region, it is by no means limited to it. Iran will carry out disruptive and destructive cyber attacks as well as complex information operations globally.”
“This incident, and the most recent incident in Montenegro, is also a reminder that major critical government systems in Nato countries are vulnerable and under attack. Even though the incidents are probably unrelated, regular disruptions to government infrastructure are an alarming trend.”
Hultquist cautioned that aggressive Iranian cyber actions look likely to increase in the near term, particularly around the upcoming 2022 midterm elections in the US.