FBI-aided investigation into the recent massive cyber attacks in Albania says Iranian hackers accessed Albanian systems a full 14 months ago.
A digital screen displays a live cyber hack attack during a press conference at the Federal Criminal Police Office (BKA) in Wiesbaden, Germany, 11 November 2019. Photo: EPA-EFE/RONALD WITTEK
A report by the FBI and the Cybersecurity and Infrastructure Security Agency, CISA, published on Wednesday, on the wave of hacking attacks in Albania, says Iranian attackers gained access to Albanian systems some 14 months ago, long before the actual attacks started.
The first cyber-attack was reported on July 13, when Albanian government services became unavailable for some days.
“An FBI investigation indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the [July] destructive cyber attack, which included a ransomware-style file encryptor and disk wiping malware,” the report says.
“The actors maintained continuous network access for approximately a year, periodically accessing and exfiltrating email content,” it adds.
From May to June 2022, “Iranian state cyber actors conducted lateral movements, network reconnaissance, and credential harvesting from Albanian government networks.” it continues.
In June and August, messages against the Iranian dissident group hosted in Albania, the People’s Mujahedin of Iran, MEK, were released.
The hackers also posted polls on their channels, the website called “Homeland Justice” and a Telegram group with the same name, in which they asked Albanians what would they like them to publish.
One poll asked if they would like them to publish Albanian Prime Minister Edi Rama’s emails.
“In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs [Tactics, Techniques, and Procedures] and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran,” the report explains.
Albanian PM Rama on September 7 expelled Iran’s diplomats from the country after the massive cyber-attack on the government’s key servers in July.
After blaming Iran for July’s cyber-attack, fresh attacks occurred two days later, this time targeting the Traveller Information Management System, TIMS.
This caused queues ar border points, where the registration of citizens and vehicles entering and leaving the country had to be done manually.
Attacks continued on September 19, when emails of the former Chief of Police were released by a group that calls itself “Homeland Justice”.
Police said the prosecution had issued a ban on the publication or reposting of any information released by those behind the cyber-attacks, tasking cybercrime police, the broadcasting regulator and the Electronic and Postal Communications Authority to monitor the information and its use.
The order was condemned by the journalists and journalists’ rights organizations, however.