New Cyber-Attacks on Albania Cause Border Chaos

After Albania blamed Iran for July’s massive cyber-attack on government servers, fresh attacks occurred at the weekend, targeting the Traveller Information Management System, TIMS.


The special forces of the Albanian police enter the premises of the Iranian embassy in Tirana, after the interruption of diplomatic relations. Photo: LSA

The latest cyber-attack on Albanian institutions caused queues at border points during the weekend, where the registration of citizens and vehicles entering and leaving the country had to be done manually.

Prime Minister Edi Rama said the latest cyber-attack “was made by the same aggressors”, meaning Iran.

“Another cyber-attack by the same aggressors, already exposed and condemned even by Albania’s friendly and allied countries, was recorded last night on the TIMS system! Meanwhile, we continue to work around the clock with our allies to make our digital systems impenetrable,” Rama said on Saturday.

A recent report from Microsoft, which the Albanian government tasked with assisting in the recovery and investigation of the cyber-attack in July, says the attacks began in May 2021 and that government databases were attacked by four groups linked to the Iranian government.

The report details the infiltration of a vulnerable server and then the escalation of the attack until July 2022, when the attackers attempted to delete data on the server.

“Microsoft was able to prove with a high degree of certainty that a variety of Iranian groups were involved in this attack, with different actors responsible for different phases,” the report said.

According to Microsoft, data show that one of the groups involved in the initial intrusion and data theft is linked to EUROPIUM, a group connected to the Iranian Ministry of Intelligence.

The company says it has other data linking the attack with Tehran, including the fact that the code had been used earlier in similar attacks, as well as messages from the attackers targeting Iranian opposition groups sheltering in Albania.

“The wiper code was previously used by a known Iranian group,” the report said.

The attack culminated on July 15, just weeks after the country had added new online services aimed at cutting bureaucracy. Key services, from prescriptions that doctors issue to student registration in schools and business registrations and balances, were closed.

The government and National Information Society Agency, AKSHI, downplayed the attack and insisted that the aggressors had not succeeded in their aims.

Nearly two months after the July cyber-attack, on September 19, the government cut off diplomatic relations and expelled Iranian diplomats, accusing Tehran of “state aggression”.

Iran has denied responsibility for the attack, describing the accusations as “baseless” and the decision to cut off diplomatic relations as “short-sighted”.

In its technical analysis of the attack, Microsoft says that it was carried out by four different groups. The first breach occurred in May 2021.

According to Microsoft, an unspecified number of emails were stolen between autumn 2021 and January 2022. The page where they were published, Homeland Justice, claims to have received the official email of Prime Minister Rama, that of the Minister of the Interior, the Minister of Defence, several embassies and a number of other actors, including AKSHI high officials.

According to the investigation team, the final aim of the operation was to encrypt the data and at the same time delete it, but “the attack failed”.

“The Iranian-funded hacking attempt had less than 10 per cent impact on the client’s environment,” Microsoft’s report said.

Relations between Albania and Iran have been tense since 2013, when US ally Albania agreed to shelter members of a group known as Mujahedin-e-Khalq, MEK, an opposition group to the regime in Tehran, supported by the US.
