CISA Alert AA22-264A – Iranian state actors conduct cyber operations against the government of Albania.
This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack Two Six Four Alpha.
Original release date: September twenty-first, twenty twenty-two.
In July 2022, Iranian state cyber actors—identifying as “HomeLand Justice”—launched a destructive cyber attack against the Government of Albania which rendered websites and services unavailable. An FBI investigation indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber attack, which included a ransomware-style file encryptor and disk wiping malware. The actors maintained continuous network access for approximately a year, periodically accessing and exfiltrating email content.
Between May and June 2022, Iranian state cyber actors conducted lateral movements, network reconnaissance, and credential harvesting from Albanian government networks. In July 2022, the actors launched ransomware on the networks. When network defenders identified and began to respond to the ransomware activity, the cyber actors deployed a version of ZeroCleare destructive malware.
In June 2022, HomeLand Justice created a website and multiple social media profiles posting anti-MEK messages. Between July and August 2022, HomeLand Justice claimed credit for the cyber attack on Albanian government infrastructure and posted videos of the cyber attack on their website, while social media accounts associated with HomeLand Justice demonstrated a repeated pattern of advertising Albanian Government information for release.
Most recently, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using TTPs and malware similar to those used in the July cyber attacks. These attacks were likely carried out in retaliation for public attribution of the cyber attacks in July and for the severed diplomatic ties between Albania and Iran.
Visit the alert documentation linked in the show notes for additional information on recent cyber operations against the Government of Albania, including the relevant TTPs, IOCs, and malware signatures used by the Iranian cyber actors, and recommended mitigation actions for anyone targeted by these threat actors.
All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report, which may include additional details, links, and illustrations. A link to this report can be found in the show notes.
This has been a CISA Cybersecurity Alert.