
In mid-July, a A cyberattack on the Albanian government took down state websites and public services for hours. As Russia’s war rages in Ukraine, the Kremlin appears to be the most likely suspect. But research published Thursday by threat intelligence firm Mandiant blamed Iran for the attack. While Tehran’s espionage and digital meddling have emerged around the world, Mandiant researchers say Iran’s destructive attack on NATO members is a notable escalation.
The July 17 digital attack on Albania comes ahead of the “Free Iran World Summit,” which is scheduled for July 23-24 in the western Albania town of Manez. The summit is affiliated with the Iranian opposition group Mujahideen – e-Khalq or People’s Mujahideen of Iran (often abbreviated as MEK, PMOI or MKO). The meeting was postponed the day before it was due to start due to an unspecified “terrorism” threat reported.
The attackers deployed ransomware from the Roadsweep family and may have also exploited a previously unknown backdoor called Chimneysweep, as well as a new Zeroclear Wiper, Mandiant researchers said. Mandiant said the past use of similar malware, the timing of the attack, other clues in the Roadsweep ransomware description, and the activity of actors claiming responsibility for the Telegram attack point to Iran.
“We have to recognize that this is a radical escalation step,” said John Hultquist, Mandiant’s vice president of intelligence. “Iranian espionage happens all over the world all the time. The difference here is that it’s not espionage. These are disruptive attacks. , affects the lives of everyday Albanians within the NATO alliance. It is essentially a means of coercive attack on the government.”
Iran has conducted an aggressive hacking campaign in the Middle East, particularly Israel, and its state-backed hackers have infiltrated and investigated manufacturing, supply and critical infrastructure organizations. In November 2021, the U.S. and Australian governments warned that Iranian hackers were actively working to gain access to a range of networks related to transportation, healthcare and public health entities. “These Iranian government-sponsored APT actors could exploit this access for subsequent operations, such as data breaches or encryption, ransomware, and extortion,” the DHS Cybersecurity and Infrastructure Security Directorate wrote at the time.
Tehran, however, has limited the scope of its attacks, primarily conducting data breaches and reconnaissance on the global stage. However, the country has participated in influence operations, disinformation campaigns, and efforts to interfere in foreign elections, including against the United States.
“We’re used to seeing Iranian aggressiveness in the Middle East, and this activity never stops, but outside the Middle East, they’re much more restrained,” Helquist said. “I am concerned that they may be more willing to use their capabilities outside the region. They clearly have no qualms about targeting NATO countries, which shows me that any deterrence we think exists between us may not exist at all.”
With Iran’s claim that it is now capable of producing nuclear warheads, and the country’s representatives meeting with U.S. officials in Vienna to discuss a possible resumption of the 2015 nuclear deal between the two countries, any signal about Iran’s possible intentions and risk tolerance will be significant against NATO.