How is Albania's severance of ties with Iran related to Israel?

Albanian Prime Minister Edi Rama said the group that attacked his country also attacked Israel, Saudi Arabia and the UAE.

 EVEN AFTER THE Cyberserve/Atraf disaster, Bennett is more afraid of overregulation than he is of lacking the power to save the private sector from its own occasional cyber laziness or cheapness. (photo credit: KACPER PEMPEL/ILLUSTRATION PHOTO/REUTERS)
EVEN AFTER THE Cyberserve/Atraf disaster, Bennett is more afraid of overregulation than he is of lacking the power to save the private sector from its own occasional cyber laziness or cheapness.
(photo credit: KACPER PEMPEL/ILLUSTRATION PHOTO/REUTERS)

Albania announced on Wednesday that it was severing ties with Iran and expelling Iranian diplomats due to a cyberattack it says was conducted by Iranians in July in an attempt to destroy Albania's digital infrastructure.

In the announcement, Albania's Prime Minister Edi Rama stated that after thorough investigations, it was confirmed "with indisputable evidence" that the attack was conducted by Iran. 

Rama added that the attack was carried out by four hacker groups that acted in concert, including a "notorious international cyber-terrorist group" which he said has carried out attacks against Israel, Saudi Arabia, UAE, Jordan, Kuwait and Cyprus. The prime minister did not name the groups.

In August, the Mandiant cybersecurity company reported that it had linked the cyberattack against Albania to Iranian hackers.

 A man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. (credit: REUTERS/KACPER PEMPEL/ILLUSTRATION/FILE PHOTO) A man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. (credit: REUTERS/KACPER PEMPEL/ILLUSTRATION/FILE PHOTO)

Who claimed responsibility for the attack?

While Rama did not name the specific groups responsible for the attack, a group calling itself "HomeLand Justice" published statements, screenshots and information on a Telegram channel and a website using a Russian domain linking itself to the cyberattack in July.

"We performed the #CyberAttacks to express our hatred and anger towards the Albanian government. Foreing (sic.) terrorists and moneylaunderes (sic.) do not belong to owr (sic.) sacred land. Our land is in need of pesticide to be cleansed," wrote the group in a Telegram post.

The group, which presented itself as Albanian, referenced the Mujahedin-e-Khalq (MEK) Iranian-opposition group throughout its messages, complaining that the Albanian government was supporting the MEK.

HomeLand Justice also published files it said contained data from the inboxes of Albanian government officials and offices.

How is HomeLand Justice linked to Iran?

According to Mandiant, a ransomware called ROADSWEEP displayed a ransom note reading "Why should our taxes be spent on the benefit of DURRES terrorists?" on computers it infected in the attack. The MEK's Free Iran World Summit was set to be held in July in the town of Manëz in Durrës County. 

The HomeLand Justice group's logo appeared identical to the wallpaper used by the ROADSWEEP ransomware. The graphic shows a circle containing lines that look like circuits and the outline of a Star of David, as well as an eagle with its talons pointed towards the star.

It is unclear why the Star of David was used in the logo as the group did not make any references to Jews or the State of Israel in its messaging.

Mandiant found that the attack also used a backdoor called CHIMNEYSWEEP which has likely been used in attacks against Farsi and Arabic speakers since 2012. CHIMNEYSWEEP and ROADSWEEP have a number of pieces of code in common.

CHIMNEYSWEEP operates through a self-extracting archive that contains it and a decoy Excel, Word or video file.

A tool called ZEROCLEARE which corrupts file systems may have also been used in the attack, according to Mandiant.

ZEROCLEARE has been used by Iranian hackers multiple times in recent years, according to multiple reports. Another wiper called Dustman, which has been identified as a very similar offshoot of ZEROCLEARE, was used in an attack on the Bahraini Bapco national oil company in 2019. Although they're very similar, it is unclear if Dustman was made and used by the same groups using ZEROCLEARE.

Mandiant estimated that one or multiple threat actors working for Iran were involved in the cyberattack against Albania due to the timing of the attack ahead of the planned MEK conference, the content of the Telegram group focusing on the MEK and the long history of CHIMNEYSWEEP being used to target Farsi and Arabic speakers.

The cyber security company stressed that the attack was, however, "significantly more complex" than prior CHIMNEYSWEEP operations, adding that this could indicate a cross-team collaboration or other scenarios.

"The use of ransomware to conduct a politically motivated disruptive operation against the government websites and citizen services of a NATO member state in the same week an Iranian opposition groups’ conference was set to take place would be a notably brazen operation by Iran-nexus threat actors," said Mandiant in the report.

"As negotiations surrounding the Iran nuclear deal continue to stall, this activity indicates Iran may feel less restraint in conducting cyber network attack operations going forward. This activity is also a geographic expansion of Iranian disruptive cyber operations, conducted against a NATO member state. It may indicate an increased tolerance of risk when employing disruptive tools against countries perceived to be working against Iranian interests."

So what does this have to do with Israel and other Middle Eastern countries?

According to a report by IBM's X-Force IRIS, ZEROCLEARE was used in a destructive cyberattack in the Middle East. X-Force IRIS estimated that an Iranian group known as the ITG13 threat group or APT34/OilRig and at least one other group likely based out of Iran collaborated on that attack.

Attacks by APT34 have also used decoy Word documents to infect computer systems in past attacks, according to the Israeli CheckPoint cybersecurity company.

A Russian threat actor called ITG12 or Turla also has access to tools used by APT34, according to X-Force IRIS. Turla has used APT34's infrastructure to carry out its own attacks, seemingly without explicit cooperation or agreement by the Iranian group, according to the US National Security Agency (NSA) and GCHQ's National Cyber Security Centre.

While it is still unclear if APT34 was the group behind the attack against Albania, tools it is has been linked to were used in the attack which has been linked to Iran.

APT34 has attacked targets in a number of countries, including Lebanon, Jordan and Israel, among others, according to a multitude of reports by cybersecurity companies.

The countries targeted by ZEROCLEARE and APT34 in the past seems to largely line up with the list of targeted countries stated by the Armenian prime minister, although no publicly reported attacks in Cyprus have been linked to APT34 or ZEROCLEARE.

Iranian cyber attacks have repeatedly targeted civilian facilities in the past.

In 2020, Iran-backed hackers reportedly attempted to attack and sabotage Israeli water and sewage facilities. Attacks attributed to Iran-backed hackers have also targeted medical facilities in Israel.