Albania targeted by Iranian cyberattack shortly after cutting relations

Albania's prime minister said that no data leaks were caused by the latest cyberattack.

Figurines with computers are seen in front of Albanian and Iran flags in this illustration taken, September 10, 2022 (photo credit: REUTERS/DADO RUVIC/ILLUSTRATION)

Albania was targeted by a second cyberattack originating from Iran, the country's prime minister, Edi Rama, stated on Saturday, just days after the country cut ties with Tehran due to a cyberattack that hit Albania in June.

"Another cyber attack by the same aggressors, already exposed and condemned by Albania's friendly and allied countries, was recorded last night on the Total Information Management System (TIMS)! Meanwhile, we continue to work around the clock with our allies to make our digital systems impenetrable," Rama tweeted on Saturday.

The prime minister said on Sunday afternoon that the system was back in operation and that the attack had "not achieved its goal at all," with no information leaked.

"Beyond the cynicism and sneers typical of the big digital gossip club, fed by professional howlers and some international relations strategists, Albania has technically resisted the best, while politically it has made a very useful investment!"

The US National Security Council condemned the new cyberattack on Sunday morning, tweeting "This malicious activity against Albania follows the July 15 cyberattack conducted by the Government of Iran. The US government is supporting Albania’s efforts to mitigate and recover."

Iranian flag is seen at the Embassy of the Islamic Republic of Iran, as Albania cuts ties with Iran and orders diplomats to leave over cyberattack, in Tirana, Albania, September 8, 2022 (credit: REUTERS/FLORION GOGA)

Albania severs ties with Iran

On Wednesday, Albania announced that it was severing ties with Iran and expelling Iranian diplomats due to a cyberattack it says was conducted by Iranians in July in an attempt to destroy Albania's digital infrastructure.

In the announcement last week, Rama stated that after thorough investigations, it was confirmed "with indisputable evidence" that the attack was conducted by Iran.


Rama added that the attack was carried out by four hacker groups that acted in concert, including a "notorious international cyber-terrorist group" which he said has carried out attacks against Israel, Saudi Arabia, UAE, Jordan, Kuwait and Cyprus. The prime minister did not name the groups.

In August, the cybersecurity company Mandiant reported that it had linked the cyberattack against Albania to Iranian hackers, as the group behind the attack used tools commonly employed by Iranian hacker groups.

Microsoft publishes further details about the hackers behind the attacks

In a report published on Thursday, the Microsoft Detection and Response Team (DART) stated that it had helped the Albanian government handle the cyberattacks in July and found that, besides the main cyberattack in July, a separate Iran-backed actor had leaked sensitive information that had been exfiltrated months earlier.

Microsoft identified the four Iran-backed groups that took part in the attack as DEV-0842, DEV-0861, DEV-0166 and DEV-0133. Microsoft uses DEV-#### as a temporary name for unknown or newly observed clusters of threat activity.

The groups are likely linked to EUROPIUM, an entity linked to Iran's Intelligence Ministry, according to the report.

Microsoft found that DEV-0861 had been exfiltrating mail from different organizations in Israel, Jordan, Kuwait, Saudi Arabia, Turkey, and the UAE since April 2020. The Microsoft report also noted that the hackers used a wiper similar to the ZEROCLEARE wiper, which has been used in attacks carried out by Iran-backed groups in the past. A report by Mandiant from August also found that a wiper similar to ZEROCLEARE had been used.

Microsoft added that the cyberattacks were likely carried out in retaliation for cyberattacks that Iran blames on Israel and the Iranian opposition group Mujahedin-e Khalq (MEK). The company noted that the hacker group's logo features a sparrow and a Star of David, which may signal that the attacks were a response to cyberattacks carried out against Iran by a group called Predatory Sparrow since last year.

Iran calls Albania's accusation 'baseless claims'

The Iranian Foreign Ministry condemned the move by Albania at the time, saying it considered "this country's decision to sever political relations with our country based on such baseless claims to be an ill-considered and short-sighted action in international relations."

The Foreign Ministry claimed that Iran has "principled positions" in cyberspace in multilateral and international forums and is itself targeted by cyberattacks on critical infrastructure.

The ministry also pointed a finger at the US and Israel, stating that "the immediate release of the American government's statement and the reception of this decision by the Zionist media indicate the existence of a prepared plan to create a political atmosphere against the Islamic Republic of Iran."