US agencies warn of malicious cyber operations executed by Iranian state hackers against Albanian government

Iranian state hackers executed malicious cyber operations against the Government of Albania in July and September, U.S. cybersecurity agencies detailed in a joint Cybersecurity Advisory (CSA) released on Wednesday. The notice describes the recent operations, which used ransomware-style encryption and disk-wiping malware and rendered websites and services unavailable. It also details that the Iranian state cyber actors had gained initial access to the victim's network approximately 14 months before launching the destructive attack, periodically accessing and exfiltrating email content in the meantime.

“In July 2022, Iranian state cyber actors—identifying as ‘HomeLand Justice’—launched a destructive cyber attack against the Government of Albania which rendered websites and services unavailable,” the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) said in their latest alert on Wednesday.

An FBI investigation indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber attack, which included a ransomware-style file encryptor and disk wiping malware. The agencies added that the hackers maintained continuous network access for approximately a year, periodically accessing and exfiltrating email content.

Iranian cyber threat actors have been continuously improving their offensive cyber capabilities. Iran has exercised its increasingly sophisticated cyber capabilities to suppress certain social and political activity and to harm regional and international adversaries. They continue to engage in conventional offensive cyber activities ranging from website defacement, spearphishing, distributed denial-of-service attacks, and theft of personally identifiable information, to more advanced activities—including destructive malware, social media-driven influence operations, and, potentially, cyberattacks intended to cause physical consequences.

The advisory further disclosed that between May and June 2022, Iranian state cyber actors conducted lateral movements, network reconnaissance, and credential harvesting from Albanian government networks. “In July 2022, the actors launched ransomware on the networks, leaving an anti-Mujahideen E-Khalq (MEK) message on desktops. When network defenders identified and began to respond to the ransomware activity, the cyber actors deployed a version of ZeroCleare destructive malware,” it added.

“In June 2022, HomeLand Justice created a website and multiple social media profiles posting anti-MEK messages. On July 18, 2022, HomeLand Justice claimed credit for the cyber attack on Albanian government infrastructure,” the advisory said. “On July 23, 2022, Homeland Justice posted videos of the cyber attack on their website. From late July to mid-August 2022, social media accounts associated with HomeLand Justice demonstrated a repeated pattern of advertising Albanian Government information for release, posting a poll asking respondents to select the government information to be released by HomeLand Justice, and then releasing that information—either in a .zip file or a video of a screen recording with the documents shown,” it added.

The advisory said that this month, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using TTPs and malware similar to those of the July attacks. The agencies assess these were likely carried out in retaliation for the public attribution of the July attacks and for Albania's decision to sever diplomatic ties with Iran.

The U.S. and U.K. governments had on Sept. 7 condemned the Iranian state for a series of cyber attacks on government infrastructure in Albania that destroyed data and disrupted essential government services. The attacks were executed by Iranian state-linked hackers, who affected essential government services, including paying utilities, booking medical appointments, and enrolling schoolchildren, causing a significant impact on online public services and other government websites.

Around the same time, cybersecurity firm Mandiant disclosed details of an APT42 Iranian state-sponsored cyber espionage group that relies primarily on highly targeted social engineering efforts to achieve its objectives against individuals and organizations of interest to the Iranian government. The firm said that APT42 would continue to perform cyber espionage and surveillance operations aligned with evolving Iranian operational intelligence collection requirements.

Providing technical details, the CSA said that the initial access timeframe was about 14 months before encryption and the wiper attacks. “Initial access was obtained via exploitation of an Internet-facing Microsoft SharePoint, exploiting CVE-2019-0604,” it added.

The agencies assess that persistence and lateral movement lasted approximately several days to two months after the initial compromise. “After obtaining access to the victim environment, the actors used several [dot]aspx webshells, pickers[dot]aspx, error4[dot]aspx, ClientBin[dot]aspx, to maintain persistence. During this timeframe, the actors also used RDP (primarily), SMB, and FTP for lateral movement throughout the victim environment,” it added.
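The advisory later recommends checking for host-based indicators such as these webshells. As an added example, not tooling from the advisory or from this article, the following Python script walks a SharePoint or IIS web root, flags any .aspx file whose name matches one of the three names above, and separately flags pages that both launch a process and read request-supplied input, which is the classic command-execution webshell shape. The sample web root it builds, the file bodies, and the regular-expression heuristics are all constructed assumptions for illustration.

```python
"""Scan a SharePoint/IIS web root for the ASPX webshells the CISA/FBI advisory
names (pickers.aspx, error4.aspx, ClientBin.aspx) and for generic webshell
code patterns. Added example, not advisory tooling; the sample web root built
by build_demo_root() is constructed for illustration."""
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Filenames the advisory attributes to the actors; compared case-insensitively
# because NTFS is case-insensitive.
KNOWN_WEBSHELL_NAMES = {"pickers.aspx", "error4.aspx", "clientbin.aspx"}

# Assumed heuristics: server-side code that launches a process AND reads
# attacker-controllable request data. Either alone is common in legitimate
# pages; together they are the classic command-execution webshell shape.
EXEC_PATTERNS = [
    re.compile(r"Process\.Start\s*\(", re.I),
    re.compile(r"new\s+ProcessStartInfo\s*\(", re.I),
    re.compile(r"\bcmd\.exe\b", re.I),
    re.compile(r"\bpowershell(\.exe)?\b", re.I),
]
INPUT_PATTERNS = [
    re.compile(r"Request\s*(\.Form|\.QueryString|\.Headers|\.Params)?\s*\[", re.I),
    re.compile(r"Request\.InputStream", re.I),
]


def classify_file(path: Path) -> Optional[dict]:
    """Return a finding dict for a suspicious .aspx file, else None."""
    if path.suffix.lower() != ".aspx":
        return None
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return None
    reasons = []
    if path.name.lower() in KNOWN_WEBSHELL_NAMES:
        reasons.append("filename matches advisory indicator")
    if any(p.search(text) for p in EXEC_PATTERNS) and any(
        p.search(text) for p in INPUT_PATTERNS
    ):
        reasons.append("launches a process using request-supplied input")
    return {"path": str(path), "reasons": reasons} if reasons else None


def scan_web_root(root) -> list:
    """Walk the web root and collect findings, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = classify_file(Path(dirpath) / name)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample web root; the "webshell" body is a deliberately inert
# fragment that only has the textual shape a detector looks for.
SAMPLE_FILES = {
    "default.aspx": '<%@ Page Language="C#" %>\n<html><body>Hello <%= DateTime.Now %></body></html>\n',
    "_layouts/15/pickers.aspx": '<%@ Page Language="C#" %>\n<html><body>picker</body></html>\n',
    "_layouts/15/upload2.aspx": (
        '<%@ Page Language="C#" %>\n<% var psi = new ProcessStartInfo("cmd.exe", '
        '"/c " + Request["c"]); Process.Start(psi); %>\n'
    ),
    "_app_bin/ClientBin.aspx": '<%@ Page Language="C#" %><% Response.Write(Request.Form["x"]); %>',
}


def build_demo_root() -> Path:
    """Write the constructed files into a fresh temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="sp-webroot-"))
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


def demo() -> list:
    """Build the sample root, scan it, and return findings with relative paths."""
    root = build_demo_root()
    return [
        {"path": os.path.relpath(f["path"], root), "reasons": f["reasons"]}
        for f in scan_web_root(root)
    ]


if __name__ == "__main__":
    for f in demo():
        print(f["path"], "->", "; ".join(f["reasons"]))
```

On a real server, point scan_web_root at the SharePoint web application root and the _layouts directories, and treat a name match as a lead to verify by file hash and creation time rather than as proof on its own, since a legitimate page can share a filename with an indicator.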

Exchange Server compromise is believed to have lasted for about one to six months after the initial compromise. “The actors used a compromised Microsoft Exchange account to run searches (via CmdLets New-MailboxSearch and Get-Recipient) on various mailboxes, including for administrator accounts. In this timeframe, the actors used the compromised account to create a new Exchange account and add it to the Organization Management role group,” the advisory added.
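Every step in that sequence is recorded by Exchange's administrator audit log, which is what Search-AdminAuditLog returns. As an added example, not tooling from the advisory or from this article, the following Python script reads audit entries exported in that cmdlet's column layout (trimmed to the columns the rules use) and flags mailbox searches by accounts outside an assumed eDiscovery allowlist, a full recipient enumeration, and a newly created account being added to a privileged role group by the same caller shortly afterwards. The CSV, the gov.example domain, and the allowlist are constructed assumptions.

```python
"""Flag suspicious Exchange administrative activity of the kind the advisory
describes: mailbox searches by accounts that should not run them, full
recipient enumeration, and a freshly created account being added to the
Organization Management role group. Added example, not advisory tooling; the
CSV below is constructed in the column layout of
Search-AdminAuditLog | Export-Csv, trimmed to the columns used here."""
import csv
import io
from datetime import datetime, timedelta

SAMPLE_AUDIT_CSV = """RunDate,Caller,CmdletName,ObjectModified,CmdletParameters
2021-09-02T08:15:11Z,gov.example/Users/ediscovery-mgr,New-MailboxSearch,Legal Hold 2021,Name=Legal Hold 2021;SourceMailboxes=finance-shared
2021-09-14T22:41:03Z,gov.example/Users/jdoe,New-MailboxSearch,Search1,Name=Search1;SourceMailboxes=administrator
2021-09-14T22:43:29Z,gov.example/Users/jdoe,Get-Recipient,,ResultSize=Unlimited
2021-09-14T22:50:07Z,gov.example/Users/jdoe,New-Mailbox,svc-health,Name=svc-health;UserPrincipalName=svc-health@gov.example
2021-09-14T22:51:40Z,gov.example/Users/jdoe,Add-RoleGroupMember,Organization Management,Identity=Organization Management;Member=svc-health
2021-09-20T10:02:55Z,gov.example/Users/exadmin,Set-Mailbox,finance-shared,ProhibitSendQuota=50GB
"""

# Assumed: the only accounts expected to run discovery searches.
EDISCOVERY_ALLOWLIST = {"gov.example/Users/ediscovery-mgr"}
PRIVILEGED_ROLE_GROUPS = {"organization management", "discovery management"}


def parse_audit_csv(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def _params(entry: dict) -> dict:
    """Turn 'Key=Value;Key=Value' into a dict; tolerates an empty field."""
    out = {}
    for kv in (entry.get("CmdletParameters") or "").split(";"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def find_suspicious(entries, allowlist=EDISCOVERY_ALLOWLIST,
                    window=timedelta(hours=1)) -> list:
    """Return (RunDate, Caller, description) tuples, in log order."""
    findings = []
    created = {}  # (caller, mailbox name) -> creation time
    for e in entries:
        when = datetime.strptime(e["RunDate"], "%Y-%m-%dT%H:%M:%SZ")
        caller, cmdlet, p = e["Caller"], e["CmdletName"], _params(e)
        if cmdlet == "New-MailboxSearch" and caller not in allowlist:
            findings.append((e["RunDate"], caller,
                             "mailbox search by non-eDiscovery account over: "
                             + p.get("SourceMailboxes", "?")))
        elif cmdlet == "Get-Recipient" and p.get("ResultSize", "").lower() == "unlimited":
            findings.append((e["RunDate"], caller, "full recipient enumeration"))
        elif cmdlet == "New-Mailbox":
            created[(caller, p.get("Name", ""))] = when
        elif (cmdlet == "Add-RoleGroupMember"
              and p.get("Identity", "").lower() in PRIVILEGED_ROLE_GROUPS):
            member = p.get("Member", "?")
            desc = f"{member} added to {p['Identity']}"
            born = created.get((caller, member))
            if born is not None and when - born <= window:
                desc += f" (new account, created by the same caller at {born.isoformat()}Z)"
            findings.append((e["RunDate"], caller, desc))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_audit_csv(SAMPLE_AUDIT_CSV)):
        print(*finding, sep="  ")
```

The advisory's timeline has the actors inside the environment for roughly a year, while the on-premises admin audit log keeps entries for 90 days by default (AdminAuditLogAgeLimit), so this kind of rule is only useful if the log is forwarded to a SIEM or the retention is raised before an incident.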

The CISA-FBI advisory assesses that likely email exfiltration lasted for about eight months after the initial compromise. “The actors made thousands of HTTP POST requests to Exchange servers of the victim organization. The FBI observed the client transferring roughly 70-160 MB of data, and the server transferring roughly 3-20 GB of data,” it said.
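The asymmetry described here, a client sending tens to hundreds of megabytes of POST requests and receiving gigabytes back, is visible in the Exchange server's IIS logs, which is the check the advisory later recommends. As an added example, not tooling from the advisory or from this article, the following Python script parses IIS W3C log lines, totals bytes served per client, user and day over POST requests, and flags clients above an assumed 2 GiB-per-day threshold. The log lines, addresses and usernames are constructed.

```python
"""Aggregate IIS W3C log lines from an Exchange server per client and day and
flag clients that pulled an unusually large volume via HTTP POST, the pattern
the advisory describes (tens to hundreds of MB sent, several GB received).
Added example, not advisory tooling; the log below is constructed."""
import io
from collections import defaultdict

# Assumed threshold: more than 2 GiB served to one client in one day.
SERVER_BYTES_PER_DAY_THRESHOLD = 2 * 1024 ** 3

HEADER = (
    "#Software: Microsoft Internet Information Services 10.0\n"
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) sc-status sc-bytes cs-bytes time-taken\n"
)
# Constructed: ordinary OWA browsing plus a long run of EWS POSTs to one
# client, each returning about 8 MiB (an attachment-sized response).
BENIGN_LINES = [
    "2021-11-03 08:02:11 10.0.0.5 GET /owa/ - 443 asmith 198.51.100.20 Mozilla/5.0 200 20480 512 95",
    "2021-11-03 08:02:13 10.0.0.5 POST /owa/service.svc action=GetConversationItems 443 asmith 198.51.100.20 Mozilla/5.0 200 65536 1400 120",
    "2021-11-03 08:40:51 10.0.0.5 GET /owa/ - 443 bjones 198.51.100.21 Mozilla/5.0 200 20480 512 88",
]
EXFIL_TEMPLATE = (
    "2021-11-03 01:{m:02d}:{s:02d} 10.0.0.5 POST /EWS/Exchange.asmx - 443 svc-health "
    "203.0.113.7 ExchangeServicesClient/15.0 200 8388608 1024 812"
)


def build_sample_log(exfil_requests: int = 2000) -> str:
    lines = list(BENIGN_LINES)
    for i in range(exfil_requests):
        lines.append(EXFIL_TEMPLATE.format(m=(i // 60) % 60, s=i % 60))
    return HEADER + "\n".join(lines) + "\n"


def parse_w3c(text: str):
    """Yield dict rows keyed by the names in the most recent #Fields line."""
    fields = None
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than miscount
        yield dict(zip(fields, values))


def volume_by_client(text: str) -> dict:
    """(date, c-ip, cs-username) -> byte and request totals over POST requests."""
    totals = defaultdict(lambda: {"requests": 0, "server_bytes": 0, "client_bytes": 0})
    for row in parse_w3c(text):
        if row["cs-method"] != "POST":
            continue
        t = totals[(row["date"], row["c-ip"], row["cs-username"])]
        t["requests"] += 1
        t["server_bytes"] += int(row["sc-bytes"])
        t["client_bytes"] += int(row["cs-bytes"])
    return dict(totals)


def find_bulk_exfil(text: str, threshold: int = SERVER_BYTES_PER_DAY_THRESHOLD) -> list:
    """Clients that received more than `threshold` bytes in one day, largest first."""
    findings = []
    for (date, ip, user), t in volume_by_client(text).items():
        if t["server_bytes"] > threshold:
            findings.append({"date": date, "client_ip": ip, "user": user, **t,
                             "ratio": round(t["server_bytes"] / max(t["client_bytes"], 1), 1)})
    return sorted(findings, key=lambda f: -f["server_bytes"])


if __name__ == "__main__":
    for f in find_bulk_exfil(build_sample_log()):
        print(f"{f['date']} {f['client_ip']} {f['user']}: {f['requests']} POSTs, "
              f"{f['server_bytes'] / 1024 ** 3:.1f} GiB served, ratio {f['ratio']}x")
```

One caveat before relying on this: sc-bytes and cs-bytes are not in the default IIS W3C field set, so they have to be enabled in the site's logging settings beforehand, and a single mailbox sync or large attachment download can legitimately cross the threshold, which is why the script also reports the served-to-sent ratio and the request count.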

The agencies measured that VPN activity lasted about 12-14 months after the initial compromise. “Approximately twelve months after initial access and two months before launching the destructive cyber attack, the actors made connections to IP addresses belonging to the victim organization’s Virtual Private Network (VPN) appliance. The actors’ activity primarily involved two compromised accounts. The actors executed the ‘Advanced Port Scanner’ (advanced_port_scanner.exe). The FBI also found evidence of Mimikatz usage and LSASS dumping,” the advisory added.

The agencies place the wiper attack about 14 months after the initial compromise, in the same timeframe as the encryption. “In the same timeframe as the encryption attack, the actors began actions that resulted in raw disk drives being wiped with the Disk Wiper tool (cl[dot]exe). Approximately over the next eight hours, numerous RDP connections were logged from an identified victim server to other hosts on the victim’s network. Command line execution of cl.exe was observed in cached bitmap files from these RDP sessions on the victim server,” it added.
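The VPN-phase activity above (Advanced Port Scanner, Mimikatz, LSASS dumping) and the wiper-phase activity (cl.exe executed over a burst of RDP sessions from one server) both leave traces in Windows Security event logs, even where the RDP bitmap cache the FBI used is unavailable. As an added example, not tooling from the advisory or from this article, the following Python script runs a set of rules over process-creation (4688) and logon (4624, type 10) events: named tools and credential-dumping command lines, cl.exe launched from outside the Visual Studio tree (cl.exe is also the legitimate MSVC compiler, so the path matters), and a single source address fanning out over RDP to five or more hosts within eight hours. The events, hostnames, addresses and the Visual Studio path allowlist are constructed assumptions.

```python
"""Hunt Windows Security events for the tradecraft the advisory describes in
the VPN and wiper phases: Advanced Port Scanner, Mimikatz-style credential
access, LSASS memory dumps, cl.exe run from an odd location, and one host
fanning out over RDP to many others within a few hours. Added example, not
advisory tooling; the events below are constructed in a simplified shape (the
fields a SIEM export of 4624/4688 would carry), not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # 4688 process creation: host, user, image path, command line
    {"time": "2022-07-15T13:05:00", "id": 4688, "host": "SRV-SP01", "user": "svc-health",
     "image": r"C:\Users\Public\advanced_port_scanner.exe", "cmdline": "advanced_port_scanner.exe"},
    {"time": "2022-07-15T14:12:30", "id": 4688, "host": "SRV-DB02", "user": "svc-health",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Windows\Temp\l.dmp full"},
    {"time": "2022-07-15T14:20:02", "id": 4688, "host": "SRV-DB02", "user": "svc-health",
     "image": r"C:\Windows\Temp\m.exe", "cmdline": 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"time": "2022-07-16T09:30:00", "id": 4688, "host": "DEV01", "user": "bjones",
     "image": r"C:\Program Files\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29\bin\Hostx64\x64\cl.exe",
     "cmdline": "cl.exe /c main.c"},
    {"time": "2022-07-17T22:41:10", "id": 4688, "host": "SRV-FILE01", "user": "adm-backup",
     "image": r"C:\Windows\Temp\cl.exe", "cmdline": "cl.exe"},
]
# 4624 logon type 10 (RemoteInteractive): one source fanning out over RDP
# to six hosts in about seven hours, plus an ordinary admin touching two.
RDP_SOURCE = "10.10.8.21"  # SRV-SP01's address in the constructed data
for when, host in [("2022-07-17T22:30:00", "SRV-FILE01"), ("2022-07-17T23:10:00", "SRV-DB02"),
                   ("2022-07-18T00:05:00", "SRV-APP03"), ("2022-07-18T01:40:00", "SRV-WEB04"),
                   ("2022-07-18T03:15:00", "DC01"), ("2022-07-18T05:50:00", "SRV-PRINT05")]:
    SAMPLE_EVENTS.append({"time": when, "id": 4624, "host": host, "logon_type": 10,
                          "user": "adm-backup", "src_ip": RDP_SOURCE})
SAMPLE_EVENTS += [
    {"time": "2022-07-18T08:00:00", "id": 4624, "host": "SRV-FILE01", "logon_type": 10,
     "user": "itops", "src_ip": "10.10.1.5"},
    {"time": "2022-07-18T08:30:00", "id": 4624, "host": "SRV-DB02", "logon_type": 10,
     "user": "itops", "src_ip": "10.10.1.5"},
]

CMDLINE_RULES = [
    ("Advanced Port Scanner execution", re.compile(r"advanced_port_scanner\.exe", re.I)),
    ("Mimikatz module invocation", re.compile(r"\b(sekurlsa|lsadump|privilege)::", re.I)),
    ("LSASS memory dump", re.compile(r"comsvcs\.dll,\s*MiniDump|procdump\S*\s.*\blsass\b", re.I)),
]
# Assumed: the only directory tree where a genuine cl.exe (the MSVC compiler) lives.
COMPILER_PATH_MARKER = "\\microsoft visual studio\\"


def check_process(ev: dict) -> list:
    """Apply the command-line rules and the cl.exe path rule to one 4688 event."""
    hits = []
    text = ev.get("image", "") + " " + ev.get("cmdline", "")
    for label, pattern in CMDLINE_RULES:
        if pattern.search(text):
            hits.append(label)
    image = ev.get("image", "").lower()
    if image.endswith("\\cl.exe") and COMPILER_PATH_MARKER not in image:
        hits.append("cl.exe outside the Visual Studio tree (advisory wiper name)")
    return [(ev["time"], ev["host"], ev["user"], h) for h in hits]


def rdp_fan_out(events, window=timedelta(hours=8), min_hosts=5) -> list:
    """One source IP with type-10 logons to >= min_hosts distinct hosts inside `window`."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["id"] == 4624 and ev.get("logon_type") == 10:
            by_src[ev["src_ip"]].append((datetime.fromisoformat(ev["time"]), ev["host"]))
    findings = []
    for src, logons in by_src.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                findings.append((start.isoformat(), src, sorted(hosts)))
                break  # report each source once, at the first qualifying window
    return findings


def hunt(events=SAMPLE_EVENTS) -> dict:
    process_hits = [hit for ev in events if ev["id"] == 4688 for hit in check_process(ev)]
    return {"process": process_hits, "rdp_fan_out": rdp_fan_out(events)}


if __name__ == "__main__":
    result = hunt()
    for t, host, user, label in result["process"]:
        print(f"{t} {host} {user}: {label}")
    for t, src, hosts in result["rdp_fan_out"]:
        print(f"{t} RDP fan-out from {src} to {len(hosts)} hosts: {', '.join(hosts)}")
```

The 4688 rules only work if process-creation auditing is enabled with command-line logging (the "Include command line in process creation events" policy); without it the image path is all you get, and the Mimikatz and LSASS rules never fire. The eight-hour window and five-host minimum mirror the burst the advisory describes and are starting points to tune against the environment's normal administrative RDP use.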

The CISA-FBI advisory called upon organizations to ensure anti-virus and anti-malware software is enabled and signature definitions are updated regularly and promptly. They must also adopt threat reputation services at the network device, operating system, application, and email service levels and prioritize patching of known exploited vulnerabilities. It also urged organizations to monitor for unusually large amounts of data, on the order of several GB, being transferred from a Microsoft Exchange server, and to check for host-based indicators, including the named webshells, within the environment.

Additionally, the advisory recommends that organizations maintain and test an incident response plan, and ensure they have a vulnerability management program in place that prioritizes patch management and vulnerability scanning for known exploited vulnerabilities. It also called attention to ensuring internet-facing network devices are securely configured and to adopting zero-trust principles and architecture.

Further, organizations should micro-segment networks and functions to limit or block lateral movement, enforce phishing-resistant multi-factor authentication (MFA) for all users and VPN connections, and restrict network access to trusted devices and users.
