US, UK condemn Iranian state-linked hackers for cyber attacks against federal infrastructure in Albania

The U.S. and U.K. governments have condemned Iran for a series of cyber attacks on Albanian government infrastructure that destroyed data and disrupted essential public services. The attacks, carried out by Iranian state-linked hackers, affected services such as paying utilities, booking medical appointments, and enrolling schoolchildren, with significant impact on online public services and other government websites.

The U.S. will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace, National Security Council (NSC) spokesperson Adrienne Watson said in a statement on Wednesday.

“For weeks, the U.S. government has been on the ground working alongside private sector partners to support Albania’s efforts to mitigate, recover from, and investigate the July 15 cyberattack that destroyed government data and disrupted government services to the public,” according to Watson. “We have concluded that the Government of Iran conducted this reckless and irresponsible cyberattack and that it is responsible for subsequent hack and leak operations.”

Watson also said that Iran’s conduct disregards norms of responsible peacetime state behavior in cyberspace, which include a commitment to refrain from damaging critical infrastructure that provides services to the public. “Albania views impacted government networks as critical infrastructure. Malicious cyber activity by a State that intentionally damages critical infrastructure or otherwise impairs its use and operation to provide services to the public can have cascading domestic, regional, and global effects; pose an elevated risk of harm to the population; and may lead to escalation and conflict,” she added.

“We will continue to support Albania’s remediation efforts over the longer-term, and we invite partners and Allies to join us in holding malicious cyber actors accountable and building a secure and resilient digital future,” according to Watson. 

The U.K.’s National Cyber Security Centre (NCSC) assesses that “Iranian state-linked cyber actors are almost certainly responsible for the attacks against Albanian government infrastructure in July, which destroyed data and caused disruption to essential government services.”

The U.K. administration said that the websites of the Albanian Parliament and the Prime Minister’s office, as well as ‘e-Albania’, a portal that Albanians use to access a number of public services, were attacked and subject to a shutdown. The attackers also leaked Albanian government data, including details of emails from the Prime Minister and Ministry of Foreign Affairs.

Foreign Secretary James Cleverly said, “Iran’s reckless actions showed a blatant disregard for the Albanian people, severely restricting their ability to access essential public services. The UK is supporting our valuable partner and NATO ally. We join Albania and other allies in exposing Iran’s unacceptable actions.”

The actions came as Albanian Prime Minister Edi Rama said on Wednesday that on July 15, “our country became the target of a heavy cyberattack on the digital infrastructure of the Government of the Republic of Albania in a bid to destroy it, paralyse public services and hack data and electronic communications from the government systems.” Rama said the attack failed to achieve its purpose. “Damages may be considered minimal compared to the goals of the aggressor. All systems came back fully operational, and there was no irreversible wiping of data,” he added.

“For weeks now, while work has been ongoing 24/7 to restore all damages, thorough investigations have been conducted to identify the aggressor,” Rama said. “In cooperation with specialized partner agencies against cyber terrorism, who brought their teams to Tirana, it was confirmed that, first, without a shadow of doubt, the July 15 attack on Albania was not an individual operation or a concerted action by independent criminal groups, but a State-sponsored aggression,” he added.

Rama said that the in-depth investigation “provided us with indisputable evidence that the cyberattack against our country was orchestrated and sponsored by the Islamic Republic of Iran through the engagement of four groups that enacted the aggression – one of them being a notorious international cyber-terrorist group, which has been a perpetrator or co-perpetrator of earlier cyberattacks targeting Israel, Saudi Arabia, UAE, Jordan, Kuwait, and Cyprus.”

“This extreme response, one that is unwanted but totally forced on us, is fully proportionate to the gravity and risk of the cyberattack that threatened to paralyse public services, erase digital systems and hack into State records, steal Government intranet electronic communication, and stir chaos and insecurity in the country,” Rama pointed out. “Failure of this massive attack on our country thanks to the resilience of the systems we have built and the assistance of specialised groups who fought on our side is not the end of the cyber threat, but the clear proof that thanks to its digital development, Albania is part of the large map of the battle for cyber security.” 

Rama said that the good news, however, is that “we know what to do and how to do it to prevent anyone from harming us, just like we know that we will do the right things in the right way, also because we have the right partners on our side.”

The U.S. Office of the Director of National Intelligence (ODNI) warned in a report earlier this year that Iran’s growing expertise and willingness to conduct aggressive cyber operations make it a major threat to U.S. and allied networks and data security. The report also noted that Iran’s opportunistic approach to cyber attacks makes critical infrastructure owners in the U.S. susceptible to being targeted by Tehran, especially when Tehran believes it must demonstrate that it can push back against the U.S. in other domains.

Last month, Mandiant presented details of the ROADSWEEP ransomware family and a Telegram persona that targeted the Albanian government in a politically motivated disruptive operation ahead of an Iranian opposition organization’s conference in late July. The firm later said that a previously unknown backdoor, CHIMNEYSWEEP, and a new variant of the ZEROCLEAR wiper may also have been involved.

“CHIMNEYSWEEP malware distribution data and decoy content, the operation’s timing and politically themed content, and the possible involvement of the ZEROCLEAR wiper indicate an Iranian threat actor is likely responsible,” Mandiant said in an August post. “This activity is a geographic expansion of Iranian disruptive cyber operations, conducted against a NATO member state. It may indicate an increased tolerance of risk when employing disruptive tools against countries perceived to be working against Iranian interests.”

Mandiant also said that CHIMNEYSWEEP and ROADSWEEP share multiple code overlaps, including identical dynamic API resolution code. “The shared code includes an embedded RC4 key to decrypt Windows API function strings at run time, which are resolved using LoadLibrary and GetProcAddress calls once decrypted. Both capabilities also share the same Base64 custom alphabet, one used to encode the decryption key, the other for command and control,” it added.
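The string-protection scheme Mandiant describes above (a Base64 custom alphabet around an RC4 key, and RC4-encrypted Windows API names that are only readable at run time) is exactly what an analyst has to undo to recover imports and C2 strings from a sample. The following is an added, stand-alone Python decoder written for this article; it is not code from Mandiant or from the malware. The custom alphabet, the RC4 key and the encrypted blobs are all constructed here for the demonstration, since the page does not publish the real values.

```python
import base64

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed custom alphabet (a rotation of the standard one) used only for this
# demo; the alphabet used by the real samples is not on the page.
DEMO_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]


def custom_b64_decode(data: str, alphabet: str) -> bytes:
    """Decode Base64 text written with a non-standard 64-character alphabet."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    # Map every custom symbol back onto the standard symbol at the same index.
    std = data.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)  # restore padding that malware often strips
    return base64.b64decode(std)


def custom_b64_encode(raw: bytes, alphabet: str) -> str:
    """Inverse of custom_b64_decode; used here only to build the constructed sample."""
    std = base64.b64encode(raw).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so this both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def recover_api_strings(encoded_key: str, blobs: list, alphabet: str) -> list:
    """Analyst helper: decode the custom-Base64 RC4 key, then decrypt each
    string blob and stop at the first NUL, the way a C string would end."""
    key = custom_b64_decode(encoded_key, alphabet)
    names = []
    for blob in blobs:
        plain = rc4(key, blob).split(b"\x00", 1)[0]
        names.append(plain.decode("ascii", errors="replace"))
    return names


def build_demo_sample():
    """Construct a fake 'sample': an encoded key plus encrypted API-name blobs.
    The key and names are made up for this demonstration."""
    key = b"demo-key-not-from-any-real-sample"
    names = ["LoadLibraryA", "GetProcAddress", "CreateFileW"]
    blobs = [rc4(key, n.encode("ascii") + b"\x00") for n in names]
    return custom_b64_encode(key, DEMO_ALPHABET), blobs, DEMO_ALPHABET


if __name__ == "__main__":
    encoded_key, blobs, alphabet = build_demo_sample()
    for name in recover_api_strings(encoded_key, blobs, alphabet):
        print(name)  # prints the three constructed API names, one per line
```

In practice the alphabet and the encoded key come out of a disassembler (the 64-byte table and the string passed to the decoder routine), and the same two functions serve both the import-name strings and the command-and-control strings, because, as Mandiant notes, both capabilities share the one alphabet.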
