Mandiant details ROADSWEEP ransomware, Telegram persona targeting Albanian federal agencies

Mandiant published details of the ‘ROADSWEEP’ ransomware family and a Telegram persona that targeted the Albanian government in a politically motivated disruptive operation ahead of an Iranian opposition organization’s conference in late July. The activity is a geographic expansion of Iranian disruptive cyber operations, this time conducted against a NATO member state, and likely indicates an increased risk tolerance for employing disruptive tools against countries perceived to be working against Iranian interests.

A previously unknown backdoor, CHIMNEYSWEEP, and a new variant of the ZEROCLEARE wiper may also have been involved, Mandiant researchers wrote in a blog post on Thursday. The CHIMNEYSWEEP distribution data and decoy content, the operation’s timing and politically themed messaging, and the possible involvement of the ZEROCLEARE wiper indicate that an Iranian threat actor is likely responsible, it added.

“Mandiant does not have evidence linking this activity to a named threat actor but assesses with moderate confidence that one or multiple threat actors who have operated in support of Iranian goals are involved,” according to the researchers. “This is based on the timing of the disruptive activity, the MEK-focused content of the HomeLand Justice persona’s Telegram channel, and the long history of CHIMNEYSWEEP malware targeting Farsi and Arabic speakers,” they added.

The Mujahedeen-e-Khalq/People’s Mojahedin Organization of Iran (MEK, also known as MKO or PMOI) is an Iranian opposition organization that was formerly designated as a terrorist group by the U.S. Department of State.

The city of Manëz, Durrës County, mentioned in the ROADSWEEP ransom note and on the HomeLand Justice Telegram channel, was set to host ‘The World Summit of Free Iran’ conference on July 23-24, 2022, Mandiant said. However, Albanian media announced a day before the conference was scheduled to begin that it had been postponed due to a ‘terrorist attack threat.’ The World Summit of Free Iran conference convenes entities opposed to the government of Iran, specifically members of the MEK.

“Iranian and pro-Iran information operations have frequently targeted the MEK with antagonistic messaging, including that leveraging fabricated material such as forged documents,” the researchers said. “For example, the pro-Iran campaign Roaming Mayfly has promoted falsified narratives alleging various Western countries’ support for the MEK. However, we do note that the ransomware attack is significantly more complex than prior CHIMNEYSWEEP operations, which raises the possibility of a cross-team collaboration or other scenarios that we lack insight into at this time. We are continuing to investigate this cluster and will provide updates as we are able,” they added.

In mid-July, Mandiant identified the ROADSWEEP ransomware, which drops a politically themed ransom note suggesting it targeted the Albanian government. In addition, a front named ‘HomeLand Justice’ claimed credit for the disruptive activity that affected Albanian government websites and citizen services on Jul. 18, 2022. The HomeLand Justice front posted a video of the ransomware being executed on its website and Telegram channel alongside alleged Albanian government documents and residence permits from apparent MEK members.

Mandiant said that on Jul. 18, the Albanian government published a statement announcing it had to ‘temporarily close access to online public services and other government websites’ due to disruptive cyber activity. Four days later, a ROADSWEEP ransomware sample was submitted to a public malware repository from Albania. On successful execution, Mandiant added, the ROADSWEEP sample drops a ransom note.

On Jul. 21, the HomeLand Justice front leveraged the website ‘homelandjustice.ru’ to start publishing ostensible news stories on the ransomware operation against the Albanian government along with a link to a Telegram channel named ‘HomeLand Justice,’ Mandiant said. “The website, which implies that it is run by Albanian citizens, claimed credit for the ransomware activity with a video of ‘wiper activity,’ and posted documents ostensibly internal to the Albanian government along with what it claimed to be Albanian residence permits of MEK members,” it added.

The website ‘homelandjustice[.]ru’ and the Telegram channel both use a banner that appears identical to the wallpaper used by ROADSWEEP and contains the same politically themed language as the ransom note. The platforms also posted a video of an alleged wiper executed on a host using this banner.

After posting multiple links to news stories on the disruptive activity against the Albanian government on Jul. 26, HomeLand Justice directly claimed credit for the operation on its Telegram channel in a message alleging corruption in the Albanian government and repeating the message from the ransom note, Mandiant said. Notably, the posts used the hashtags #MKO, #ISIS, #Manez, and #HomeLandJustice. Manëz is a town in Durrës County and the location for the World Summit of Free Iran conference.

“Both the homelandjustice.ru website and the Telegram channel posted documents ostensibly belonging to Albanian government organizations along with what appear to be residence permits, marriage certificates, passports, and other personal documents belonging to alleged members of the MEK,” the researchers said.

Mandiant also identified the CHIMNEYSWEEP backdoor, which uses either Telegram or actor-owned infrastructure for command-and-control (C&C) and can take screenshots, list and collect files, spawn a reverse shell, and log keystrokes. CHIMNEYSWEEP shares code with ROADSWEEP and, based on observed decoy content, has likely been used to target Farsi and Arabic speakers as far back as 2012.

“CHIMNEYSWEEP and ROADSWEEP share multiple code overlaps, including identical dynamic API resolution code,” the researchers said. “The shared code includes an embedded RC4 key to decrypt Windows API function strings at run time, which are resolved using LoadLibrary and GetProcAddress calls once decrypted. Both capabilities also share the same Base64 custom alphabet, one used to encode the decryption key, the other for command and control,” they added. 
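The pattern described in the quote above, an RC4 key stored under a custom Base64 alphabet that then decrypts a table of Windows API names, is a common one, and the practical first task for an analyst is writing the string decoder. The script below is an added example, not Mandiant’s code and not code from the ROADSWEEP or CHIMNEYSWEEP samples: the RC4 key, the custom alphabet (a rotation of the standard one) and the API-name list are hypothetical values constructed here so the script runs offline. Against a real sample you would carve the encoded key and the encrypted table from the binary and pass those in.

```python
"""Decoder for the "custom-Base64 key + RC4-encrypted API-name table" pattern.
Added example, not code from Mandiant or from the samples it describes.
All key/alphabet/API values below are constructed for illustration."""
import base64
import re

STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Hypothetical custom alphabet: a rotation of the standard table. Real families
# usually shuffle it; only the mapping back to STD_ALPHABET matters to the decoder.
CUSTOM_ALPHABET = STD_ALPHABET[17:] + STD_ALPHABET[:17]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it also builds the constructed sample."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def custom_b64decode(data: bytes, alphabet: bytes = CUSTOM_ALPHABET) -> bytes:
    """Map the custom alphabet onto the standard one, then use the stdlib decoder."""
    translated = data.translate(bytes.maketrans(alphabet, STD_ALPHABET))
    translated += b"=" * (-len(translated) % 4)  # restore padding if it was stripped
    return base64.b64decode(translated)


def custom_b64encode(raw: bytes, alphabet: bytes = CUSTOM_ALPHABET) -> bytes:
    """Inverse of custom_b64decode; only needed here to build the constructed sample."""
    encoded = base64.b64encode(raw).rstrip(b"=")
    return encoded.translate(bytes.maketrans(STD_ALPHABET, alphabet))


API_NAME_RE = re.compile(rb"^[A-Za-z_][A-Za-z0-9_]*$")


def looks_like_api_table(plain: bytes) -> bool:
    """Plausibility check on a decryption attempt: a NUL-terminated list of identifiers.
    This is what lets you try several candidate keys/alphabets without eyeballing hex."""
    if not plain or not plain.endswith(b"\x00"):
        return False
    entries = plain.split(b"\x00")[:-1]
    return bool(entries) and all(API_NAME_RE.match(e) for e in entries)


def recover_api_names(encoded_key: bytes, encrypted_table: bytes) -> list[str]:
    """Decode the custom-Base64 key, RC4-decrypt the table, return the API names.
    Raises ValueError instead of returning garbage when the key or alphabet is wrong."""
    key = custom_b64decode(encoded_key)
    plain = rc4(key, encrypted_table)
    if not looks_like_api_table(plain):
        raise ValueError("decrypted data is not an API-name table: wrong key or alphabet?")
    return [e.decode("ascii") for e in plain.split(b"\x00") if e]


# --- Constructed sample (hypothetical values, not carved from any real binary) ---
SAMPLE_KEY = b"hypothetical-rc4-key"
SAMPLE_API_NAMES = [b"LoadLibraryA", b"GetProcAddress", b"CreateFileW",
                    b"WriteFile", b"CryptAcquireContextW"]
ENCODED_KEY = custom_b64encode(SAMPLE_KEY)
ENCRYPTED_TABLE = rc4(SAMPLE_KEY, b"\x00".join(SAMPLE_API_NAMES) + b"\x00")

if __name__ == "__main__":
    for name in recover_api_names(ENCODED_KEY, ENCRYPTED_TABLE):
        print(name)
```

The decoded names are the ones the malware hands to GetProcAddress at run time, so they are the import table the static one hides; a list that includes file and crypto APIs next to LoadLibrary/GetProcAddress is what you would expect from a ransomware component. The `looks_like_api_table` check matters more than it looks: when the alphabet or key offset is uncertain, it turns a manual hex-staring exercise into a loop over candidates.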

CHIMNEYSWEEP is dropped by a self-extracting archive signed with a valid digital certificate, alongside an Excel, Word, or video file that is likely intended as a benign decoy, Mandiant said. However, the decoy does not appear to be opened automatically when CHIMNEYSWEEP executes.

Threats from Iranian hackers are not new. An ODNI (Office of the Director of National Intelligence) report in March warned that Iran’s growing expertise and willingness to conduct aggressive cyber operations make it a major threat to the security of U.S. and allied networks and data. Before that, U.S. and U.K. security agencies warned that an Iranian government-sponsored advanced persistent threat (APT) group known as MuddyWater had targeted a range of government and private-sector organizations across sectors including telecommunications, defense, local government, and oil and natural gas, across Asia, Africa, Europe, and North America.

Last month, a Mandiant Red Team emulated the FIN11 techniques at a European engineering organization to understand the potential reach ransomware operators could have in an OT (operational technology) network. The FIN11 threat group conducted long-running ransomware distribution campaigns across industries, using its techniques to move from a corporate endpoint with regular employee credentials, obtain domain administrator rights, steal critical data, and gain access to OT servers.

In its latest OT/IoT security report this week, industrial cybersecurity vendor Nozomi Networks disclosed that wiper malware, IoT botnet activity, and the Russia/Ukraine war impacted the threat landscape in the first six months of this year. Attacks can be unpredictable, from cyber threat activity incited by the Russia/Ukraine war to hackers obfuscating their malicious activity. As a result, cybercriminals have changed their tactics, focused on new targets, and increased their attack frequency as companies fight the endless battle of making industrial processes more efficient without compromising security.
