Homeland Justice operations against Albania (2022)

From International cyber law: interactive toolkit
Date Some preparatory activity took place between October 2021 and May 2022[1]; the most significant activity took place on 15 July 2022[2] and 9 September 2022[3].
Suspected actor The so-called Homeland Justice operations against Albania are generally attributed to Iran.[2][3] The cyber operations were carried out by multiple hacker groups linked to the Islamic Republic. According to the Albanian Prime Minister Edi Rama, four groups were identified, one of which was a notorious international cyber-terrorist group with a history of targeting countries such as Israel and Saudi Arabia.[4] Microsoft analysts supported this allegation and assessed that the groups involved (Microsoft uses the designations DEV-0842, DEV-0861, DEV-0166 and DEV-0133) are linked to EUROPIUM, a group publicly associated with Iran's Ministry of Intelligence and Security (MOIS).[5]

According to the cybersecurity company Mandiant, the use of the Chimneysweep malware and the ZeroCleare wiper also points to Iran-affiliated actors[6]. A new ransomware family, Roadsweep, was used; its ransom note read "Why should our taxes be spent on the benefit of DURRES terrorists?"[7]. The Free Iran World Summit, an event affiliated with the Mujahideen-e-Khalq (MEK, an Iranian opposition organisation based in Albania[8]), was due to take place on 23 and 24 July 2022 near the city of Durres; it was cancelled because of an unspecified terror threat[9].

A further indication of Iran's involvement is that a front calling itself HomeLand Justice (HLJ) claimed credit for the disruptive activity and posted videos (on its website and on Telegram) showing the cyber operations being carried out. Besides the videos, HLJ published documents it claimed were internal to the Albanian government, together with alleged Albanian residence permits of MEK members.[10] Earlier, in June 2022, HLJ had created multiple social media profiles posting anti-MEK messages[11].

In its posts HLJ implied that it was run by Albanian citizens.[12] Some Iranians and Albanians have expressed support for HLJ's campaign; however, no direct relationship between HLJ and these supporters has been observed.[1]

Target The primary target was the Government of Albania[13]. The National Agency for Information Society (AKSHI), the institution that bore the brunt of the operation, is responsible for coordinating all of the Government of Albania's activities in the field of information and communication technology[14]. AKSHI had to temporarily close access to online public services and other government websites[15].

Nevertheless, given the statements and posts published by HLJ and the cancellation of the planned summit, the Iranian opposition and MEK can also be regarded as at least a secondary target.

Target systems Multiple websites and services of the Government of Albania were rendered unavailable[16], as was the e-Albania portal[17]. The Albanian Prime Minister stated that the aim of the July cyber operation was to paralyse public services, erase digital systems, break into state records, steal electronic communications from the government intranet, and stir chaos and insecurity in the country[4]. This matters because around 95% of Albania's government services are provided online[18].

According to the FBI investigation, Iranian state cyber actors obtained initial access to the Albanian Government's network approximately 14 months before launching the July cyber operation. Between May 2021 and June 2022 they maintained continuous network access for roughly a year, periodically accessing and exfiltrating email content.[11]

During the September cyber operation, the Total Information Management System (TIMS) of the state police, which stores records of people entering and leaving Albania, was targeted[3][19]. The hackers also released data (including photos, names and ID numbers) purportedly relating to people suspected of or under investigation for crimes. It is speculated that this data was exfiltrated from the police database known as MEMEX; however, the police denied this[20]. Other systems and databases may have been compromised as well, since emails of Gledis Nano, the country's former chief of police, and personal data of Prime Minister Edi Rama and of Helidon Bendo, the director of the State Information Service, and his wife were leaked. Data allegedly containing the names and surnames of State Information Service employees and officers, plus email addresses and in some cases mobile numbers, were also published. The state authorities have neither confirmed nor denied this information[21]. According to the UK government, the leaks also contain details of emails from the Prime Minister and the Ministry of Foreign Affairs[22].

Method As mentioned above, although HLJ claimed responsibility for the disruptive activity, the cyber operations are believed to have been carried out by four state-sponsored actors with ties to Iran.

Initial access was obtained by exploiting CVE-2019-0604 in an Internet-facing Microsoft SharePoint server[23]. In the July cyber operation the hackers first deployed ransomware and then a wiper[1]. The ransomware belongs to a new family dubbed Roadsweep. A video showing the ransomware executing was posted on the HLJ website and Telegram channel, together with alleged Albanian government documents and residence permits of ostensible MEK members. A video showing the wiper activity (the wiper is presumed to be ZeroCleare) was also posted[6]. While inside the victim's systems the hackers used a backdoor called Chimneysweep, which uses either Telegram or actor-owned infrastructure for command-and-control, can take screenshots, list and collect files, spawn a reverse shell and log keystrokes, and shares multiple code overlaps with the Roadsweep ransomware[24].
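Two stages of this chain leave traces in ordinary server logs: exploitation attempts against the SharePoint endpoint, and Chimneysweep's Telegram command-and-control egress from a server that has no business talking to Telegram. The following script is an added example written for this page, not code from the toolkit or from any of the cited reports. The log lines are constructed; the Picker.aspx / PickerDialogType indicator is taken from public analyses of CVE-2019-0604 rather than from the sources cited here; and the host inventory (SERVER_HOSTS) and internal address ranges are assumptions.

```python
"""Hunt for two network-visible stages of the intrusion chain described above:
(1) attempts to exploit CVE-2019-0604 via SharePoint's Picker.aspx, and
(2) Telegram API egress from a server host (Chimneysweep C2 pattern).

All log lines below are constructed for this example. The Picker.aspx /
PickerDialogType indicator comes from public CVE-2019-0604 analyses, not from
the toolkit page; SERVER_HOSTS and INTERNAL_NETS are assumed inventory data.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import parse_qs
import ipaddress

# Assumed IIS W3C field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
IIS_LOG = """\
2022-07-15 03:12:07 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.4.12 200
2022-07-15 03:14:41 10.0.0.5 POST /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog 203.0.113.77 200
2022-07-15 03:14:42 10.0.0.5 POST /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog 203.0.113.77 500
2022-07-15 03:15:10 10.0.0.5 POST /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog 10.0.4.30 200
2022-07-15 03:20:00 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 10.0.4.30 200
"""

# Assumed proxy field order: date time hostname src-ip dest-host dest-port verb
PROXY_LOG = """\
2022-07-15 03:16:03 SHAREPOINT01 10.0.0.5 api.telegram.org 443 CONNECT
2022-07-15 03:16:09 WKS-0412 10.0.4.12 api.telegram.org 443 CONNECT
2022-07-15 03:17:30 SHAREPOINT01 10.0.0.5 update.microsoft.com 443 CONNECT
"""

# Assumed asset inventory: servers that should never reach Telegram.
SERVER_HOSTS = {"SHAREPOINT01"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Finding:
    rule: str
    when: str
    detail: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt_sharepoint(iis_log: str) -> List[Finding]:
    """Flag POSTs to Picker.aspx carrying PickerDialogType from outside the
    internal ranges. Picker.aspx is also used by legitimate people-picker
    dialogs, so the external-source filter trades recall for precision: an
    exploit relayed through an already-compromised internal host is missed."""
    findings = []
    for line in iis_log.splitlines():
        date, time, _sip, method, stem, query, cip, status = line.split()
        params = parse_qs(query) if query != "-" else {}
        if (method == "POST"
                and stem.lower().endswith("/picker.aspx")
                and "PickerDialogType" in params
                and not is_internal(cip)):
            findings.append(Finding("cve-2019-0604-attempt",
                                    f"{date} {time}",
                                    f"{cip} -> {stem} status={status}"))
    return findings


def hunt_telegram_egress(proxy_log: str) -> List[Finding]:
    """Flag server hosts connecting to Telegram; workstation use is ignored
    because it is common and not what the Chimneysweep C2 pattern looks like."""
    findings = []
    for line in proxy_log.splitlines():
        date, time, host, _ip, dest, _port, _verb = line.split()
        if host in SERVER_HOSTS and dest.endswith("telegram.org"):
            findings.append(Finding("server-telegram-c2",
                                    f"{date} {time}", f"{host} -> {dest}"))
    return findings


def run_hunt() -> List[Finding]:
    return hunt_sharepoint(IIS_LOG) + hunt_telegram_egress(PROXY_LOG)


if __name__ == "__main__":
    for f in run_hunt():
        print(f"[{f.rule}] {f.when} {f.detail}")
```

Run against the constructed input, the script reports two exploitation attempts from 203.0.113.77 (the 500 response is worth keeping, since a failed deserialization attempt still shows the host was targeted) and one Telegram connection from SHAREPOINT01, while the internal Picker.aspx POST and the workstation's Telegram use are suppressed. Given the 14-month dwell time described above, the same rules are only useful if the log retention window is long enough to reach back to the initial access.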

The September cyber operation, seen as retaliation for Albania's decision to cut diplomatic ties with Iran in response to the July operation[25], involved access to numerous databases and systems, including the TIMS mentioned above, and presumably the exfiltration of data.

The cyber operations were accompanied by information operations in which HLJ accused the Albanian government of corruption and spread anti-MEK messages[26].

Purpose The aggressors' goals may have been numerous. Given the anti-MEK messages and the timing of the July cyber operation (the Free Iran World Summit was due to take place in Albania on 23 and 24 July 2022), one evident aim was to spread fear and intimidate MEK and the Iranian opposition as such. Albania shelters around 3,000 Iranians associated with MEK[8]. There is also speculation that the HLJ cyber operations were payback for MEK-associated cyber operations against Iran, e.g. the hacking of 5,000 security cameras in Tehran[27] or the hacking of Iran's state TV[28]. A further indication of Iran's involvement, in the view of Microsoft analysts, is that some of the targeted Albanian institutions were counterparts of the Iranian institutions targeted in MEK-linked cyber operations[1].

The HLJ logo is noteworthy[29], since it implies that the cyber operations in question were payback for cyber operations attributed to the hacktivist group Predatory Sparrow (in Persian Gonjeshke Darande), e.g. the hacking of Iranian train stations[30], the cyber operations against Iranian steel makers[31] or the aforementioned hacking of Iran's state TV (footage of MEK leaders was broadcast; MEK denied involvement, while Predatory Sparrow claimed responsibility)[32]. Microsoft analysts also assess that HLJ's statements about targeting a corrupt government and politicians who support terrorists, while not intending to harm the Albanian people, mirror statements made by Predatory Sparrow about its own operations[33], and that such mirroring is a common tactic of Iranian foreign policy, suggesting an intent to signal the attack as retaliation[1].

Result Between May 2021 and June 2022, the hackers periodically accessed and exfiltrated email content from the victim's systems[11]. As a result of the July cyber operation, multiple websites and services of the Government of Albania were rendered unavailable[16], as was the e-Albania portal[17].

During the September cyber operation, the Total Information Management System (TIMS) of the state police, which stores records of people entering and leaving Albania, was targeted. The Albanian authorities had to suspend the system, which caused queues at the border[34]. The data leaks described under Target systems above were published in the same period: records purportedly relating to criminal suspects, which the police denied came from MEMEX[20]; emails of former police chief Gledis Nano and personal data of Prime Minister Edi Rama and State Information Service director Helidon Bendo and his wife, together with alleged lists of State Information Service staff, which the authorities have neither confirmed nor denied[21]; and, according to the UK government, details of emails from the Prime Minister and the Ministry of Foreign Affairs[22].

According to the Albanian Prime Minister, the damage done, although serious, was minimal compared to the scale and presumed goals of the cyber operations[35].

Aftermath In response to the July cyber operation, Albania cut diplomatic ties with Iran and ordered Iranian diplomats and embassy staff to leave within 24 hours[36]. This was the first time a country had taken such a decision in response to a cyber operation[37]. NATO issued statements supporting Albania, condemning the cyber operations and attributing responsibility for them to the Government of Iran[38]. Albania also received assistance from Microsoft[1] and from its strategic partners[4]. The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) imposed sanctions on MOIS and on the Minister of Intelligence, Esmail Khatib, freezing their assets, for their presumed involvement in the cyber operations.[39] In late 2022, Albanian prosecutors opened investigations into several IT staff members for possible misconduct[40]. Albania also considered invoking Article 5 of the North Atlantic Treaty to trigger collective defence, but eventually decided against it.[41] In September 2022, Albania submitted a letter to the United Nations in which it described the incident as an "aggression ... orchestrated and sponsored by the Islamic Republic of Iran" and "a blatant breach of the norms of responsible peacetime State behaviour in cyberspace".[42] Iran denied involvement and condemned Albania's decision to cut diplomatic ties[43].
Analysed in Scenario 02: Cyber espionage against government departments

Scenario 17: Collective responses to cyber operations

Collected by: Marek Kalinowski

  1. Microsoft Security Threat Intelligence, Microsoft investigates Iranian attacks against the Albanian government, Microsoft (8 September 2022)
  2. Albanian Government Council of Ministers, Videomessage of Prime Minister Edi Rama, Albanian Government Council of Ministers (7 September 2022); Florion Goga, Fatos Bytyci, Doina Chiacu, James Pearson, Albania cuts Iran ties over cyberattack, U.S. vows further action, Reuters (7 September 2022); Microsoft Security Threat Intelligence, Microsoft investigates Iranian attacks against the Albanian government, Microsoft (8 September 2022)
  3. Sean Lyngaas, Albania blames Iran for second cyberattack since July, CNN (12 September 2022); Llazar Semini, Albania reports 2nd cyberattack by Iran, on border systems, AP (10 September 2022); Elona Elezi, Niloofar Gholami, Albania blames Iran for cyberattacks, Deutsche Welle (16 September 2022)
  4. Albanian Government Council of Ministers, Videomessage of Prime Minister Edi Rama, Albanian Government Council of Ministers (7 September 2022)
  5. Microsoft Security Threat Intelligence, Microsoft investigates Iranian attacks against the Albanian government, Microsoft (8 September 2022)
  6. Luke Jenkins, Emiel Haeghebaert, Alice Revelli, Ben Read, Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations, Mandiant (4 August 2022)
  7. Luke Jenkins, Emiel Haeghebaert, Alice Revelli, Ben Read, Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations, Mandiant (4 August 2022); Fjori Sinoruka, US Warns of ‘Threat’ to Iranian Opposition Summit in Albania, Balkan Insight (22 July 2022)
  8. Fjori Sinoruka, US Warns of ‘Threat’ to Iranian Opposition Summit in Albania, Balkan Insight (22 July 2022); Ashish Kumar Sen, U.S. pushes Iranian dissidents to accept Albanian asylum offer, The Washington Times (18 March 2013)
  9. Lily Hay Newman, An Attack on Albanian Government Suggests New Iranian Aggression, Wired (4 August 2022); David R. Sands, Iranian exile dissident group calls off summit after terror threat, The Washington Times (23 July 2022)
  10. Luke Jenkins, Emiel Haeghebaert, Alice Revelli, Ben Read, Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations, Mandiant (4 August 2022); Cybersecurity and Infrastructure Security Agency, Iranian State Actors Conduct Cyber Operations Against the Government of Albania, Cybersecurity and Infrastructure Security Agency (23 September 2022)
  11. Cybersecurity and Infrastructure Security Agency, Iranian State Actors Conduct Cyber Operations Against the Government of Albania, Cybersecurity and Infrastructure Security Agency (23 September 2022)
  12. Luke Jenkins, Emiel Haeghebaert, Alice Revelli, Ben Read, Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations, Mandiant (4 August 2022); AJ Vicens, Albania says Iranian hackers hit the country with another cyberattack, CyberScoop (12 September 2022)
  13. Jonathan Greig, Albania shuts down government websites, services due to wide ranging cyberattack, The Record (18 July 2022); Albanian Government Council of Ministers, Videomessage of Prime Minister Edi Rama, Albanian Government Council of Ministers (7 September 2022)
  14. The Western Balkans Info Hub, National Agency of Information Society, The Western Balkans Info Hub (17 April 2012)
  15. Jonathan Greig, Albania shuts down government websites, services due to wide ranging cyberattack, The Record (18 July 2022); Eduart Halili, Cyber Attacks Forces AKSHI Close Government Online Systems, Albanian Daily News (17 July 2022)
  16. Eduart Halili, Cyber Attacks Forces AKSHI Close Government Online Systems, Albanian Daily News (17 July 2022)
  17. Albanian Government Council of Ministers, Online public services via e-Albania portal fully restored, Albanian Government Council of Ministers (12 August 2022); SOT.COM.AL, "Homeland Justice" warning: We have hacked secret documents, soon the government of Albania will be exposed, SotNews (12 August 2022); Vitjon Nina, ‘Homeland Justice’, is it a whole network of Iranian hackers with real threats to the Government? – The cyber security giant “Mandiant” explains it to Albanian Post, Albanian Post (August 2022)
  18. Maggie Miller, Albania weighed invoking NATO’s Article 5 over Iranian cyberattack, Politico (5 October 2022); Tim Starks, Paige Winfield Cunningham, How Albania reckoned with alleged Iranian hackers, The Washington Post (26 September 2022)
  19. Al Jazeera, Albania blames Iran for second cyberattack since July, Al Jazeera (10 September 2022)
  20. Fjori Sinoruka, Iranian Hackers Leak Database of Albanian Criminal Suspects, Balkan Insight (3 October 2022)
  21. Fjori Sinoruka, Albania Authorities Silent Over Alleged Security Service Data Hack, Balkan Insight (8 November 2022)
  22. The Government of the United Kingdom, UK condemns Iran for reckless cyber attack against Albania, The Government of the United Kingdom (7 September 2022)
  23. Cybersecurity and Infrastructure Security Agency, Iranian State Actors Conduct Cyber Operations Against the Government of Albania, Cybersecurity and Infrastructure Security Agency (23 September 2022); Huseyin Can Yuceel & Picus Labs, CISA Alert AA22-264A - Iranian HomeLand Justice APT Group's TTPs, Picus Security (3 October 2022)
  24. Luke Jenkins, Emiel Haeghebaert, Alice Revelli, Ben Read, Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations, Mandiant (4 August 2022); Lily Hay Newman, An Attack on Albanian Government Suggests New Iranian Aggression, Wired (4 August 2022)
  25. Sumeet Wadhwani, Iranian Hackers Target Albania’s Border Control System in a Tit-for-Tat Operation, Spiceworks (13 September 2022); Florion Goga, Fatos Bytyci, Doina Chiacu, James Pearson, Albania cuts Iran ties over cyberattack, U.S. vows further action, Reuters (7 September 2022); Albanian Government Council of Ministers, Videomessage of Prime Minister Edi Rama, Albanian Government Council of Ministers (7 September 2022)
  26. Microsoft Security Threat Intelligence, Microsoft investigates Iranian attacks against the Albanian government, Microsoft (8 September 2022); Luke Jenkins, Emiel Haeghebaert, Alice Revelli, Ben Read, Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations, Mandiant (4 August 2022)
  27. Tzvi Joffre, Mossad blamed for cyberattack on Tehran municipality, The Jerusalem Post (7 June 2022); Iran International, Tehran’s City Council Accuses Mossad, MEK For Last Week’s Cyberattack, Iran International (7 June 2022); The New Arab, Iran: Exiled MEK claims hacked 5,000 Tehran security cameras, dozens of municipality websites, The New Arab (2 June 2022)
  28. Haaretz, Iran State TV Broadcasts Dissidents' Images After Apparent Hack, Haaretz (27 January 2022); Leila Gharagozlou, Iran's state TV hacked for 10 seconds before Islamic Revolution anniversary, The National (28 January 2022); Iran International, MEK Opposition Group Denies It Hacked Iran State TV And Radio, Iran International (27 January 2022)
  29. Microsoft Security Threat Intelligence, Microsoft investigates Iranian attacks against the Albanian government, Microsoft (8 September 2022); AJ Vicens, Hackers deploy new ransomware tool in attacks on Albanian government websites, CyberScoop (4 August 2022)
  30. The Guardian, ‘Cyber-attack’ hits Iran’s transport ministry and railways, The Guardian (11 July 2021)
  31. Predatory Sparrow operation against Iranian steel maker (2022)
  32. Iran International, MEK Opposition Group Denies It Hacked Iran State TV And Radio, Iran International (27 January 2022); Check Point Research, EvilPlayout: Attack Against Iran’s State Broadcaster, Check Point Research (18 February 2022)
  33. Microsoft Security Threat Intelligence, Microsoft investigates Iranian attacks against the Albanian government, Microsoft (8 September 2022); Predatory Sparrow operation against Iranian steel maker (2022)
  34. Llazar Semini, Albania reports 2nd cyberattack by Iran, on border systems, AP (10 September 2022)
  35. Maggie Miller, Albania weighed invoking NATO’s Article 5 over Iranian cyberattack, Politico (5 October 2022); Tim Starks, Paige Winfield Cunningham, How Albania reckoned with alleged Iranian hackers, The Washington Post (26 September 2022); Albanian Government Council of Ministers, Videomessage of Prime Minister Edi Rama, Albanian Government Council of Ministers (7 September 2022)
  36. Al Jazeera, Albania blames Iran for second cyberattack since July, Al Jazeera (10 September 2022); Florion Goga, Fatos Bytyci, Doina Chiacu, James Pearson, Albania cuts Iran ties over cyberattack, U.S. vows further action, Reuters (7 September 2022); Albanian Government Council of Ministers, Videomessage of Prime Minister Edi Rama, Albanian Government Council of Ministers (7 September 2022)
  37. Maggie Miller, Albania weighed invoking NATO’s Article 5 over Iranian cyberattack, Politico (5 October 2022); Tim Starks, Aaron Schaffer, Albania is the first known country to sever diplomatic ties over a cyberattack, The Washington Post (8 September 2022)
  38. NATO, Statement by the North Atlantic Council concerning the malicious cyber activities against Albania, NATO (8 September 2022); NATO, NATO reaffirms support for Albania following cyber attacks, NATO (22 September 2022)
  39. The Office of Foreign Assets Control of the U.S. Department of the Treasury, Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities, The Office of Foreign Assets Control of the U.S. Department of the Treasury (9 September 2022)
  40. Fjori Sinoruka, Albania Prosecutors Seek to Grill Five Officials Over Cyber-attacks, Balkan Insight (30 November 2022); Dario Velaj, The Prosecutor's Office of Tirana starts investigations into the two cyber attacks from Iran, proceedings are registered for 4 criminal offences, the names of the 4 hackers who attacked Albania are revealed, SOT.COM.AL (13 September 2022); AP, Albanian IT staff charged with negligence over cyberattack, AP (30 November 2022)
  41. Maggie Miller, Albania weighed invoking NATO’s Article 5 over Iranian cyberattack, Politico (5 October 2022)
  42. Letter dated 7 September 2022 from the Permanent Representative of Albania to the United Nations addressed to the Secretary-General and the President of the Security Council, UN Doc A/76/943-S/2022/677 (9 September 2022)
  43. Parisa Hafezi, Lilian Wagdy, Chris Reese, Iran strongly condemns Albania’s decision to cut its diplomatic ties, Reuters (7 September 2022)