Iran and Albania: diplomacy and cyber operations

Albania explains its reasons for severing relations with Iran.

The Washington Post this weekend interviewed Albania's Prime Minister Edi Rama on his government's decision to sever diplomatic relations with Iran over Tehran's large-scale cyberattack against Albanian IT infrastructure. “Based on the investigation, the scale of the attack was such that the aim behind it was to completely destroy our infrastructure back to the full paper age, and at the same time, wipe out all our data,” Rama told the Post. “Our sense now is first, that they didn't succeed to destroy infrastructure. Services are back. Second, data. Yes, they took some but practically not of any particular relevance.” He characterized the cyberattacks as aggression, not as destructive, of course, as bombing, but of comparable intent, and comparably inadmissible under international norms.

Background: cyberattack against Albania's government services.

Albania suffered a major cyberattack on July 15th, Balkan Insight and other sources reported at the time. Government sources stressed the attacks' foreign origin and unprecedented scope. The Council of Ministers said in a statement, "Albania is under a massive cybernetic attack that has never happened before. This criminal cyberattack was synchronized from outside Albania." Cybernews quotes the Albanian National Agency for the Information Society on the government's decision to shut down some of its online services. They say, "in order to withstand these unprecedented and dangerous strikes, we have been forced to close down government systems until the enemy attacks are neutralized." Among the services disrupted were the websites of Parliament and the Prime Minister's office, as well as e-Albania, the government portal that all Albanians, as well as foreign residents and investors have to use to use a slew of public services. 

Attribution to Iran.

Reuters reported on September 7th that Albania had attributed the extensive, disruptive cyberattack it sustained in July to Iran. Albania's Prime Minister Edi Rama said, "The in-depth investigation provided us with indisputable evidence that the cyberattack against our country was orchestrated and sponsored by the Islamic Republic of Iran through the engagement of four groups that enacted the aggression." Albania severed diplomatic relations with Iran and ordered Iran's diplomats to leave the country. Prime Minister Rama acknowledged the stringency of the response, but said it was fully justified, stating, this extreme response is fully proportionate to the gravity and risk of the cyberattack that threatened to paralyze public services, erase digital systems and hack into state records, steal government internet electronic communication, and stir chaos and insecurity in the country. 

The motivation for Iran's cyberattack would appear to be Albania's longstanding support for an Iranian opposition group, Reuters noted. "Albania and Iran have had tense relations since 2014, when Albania accepted some 3,000 members of the exiled opposition group People's Mujahideen Organization of Iran, also known by its Farsi name Mujahideen-e-Khalq, who have settled in a camp near Durres, the country's main port."

Albania's foreign minister announced Tirana's response to Tehran in a tweet. "As of today, by a decision of the Albanian CoM has severed all diplomatic relations with the Islamic Republic of Iran. All diplomatic and other personnel of Iran's embassy are to leave the territory of the Republic of Albania within 24 hours. It is a decision imposed on Albania by the actions of Iran, which our investigation has shown was behind the massive and unprovoked July 15 cyberattack against Albania's infrastructure and government services. We are confident that our allies and partners will stand shoulder to shoulder with us, facing the present and possible future challenges. Albania is a NATO member, and its action received support from other members of the Atlantic alliance." 

The US condemned the Iranian cyberattack and expressed solidarity with Albania. The White House statement issued by the National Security Council is brief enough to be worth quoting in full. "The United States strongly condemns Iran's cyberattack against our NATO ally Albania. We join in Prime Minister Rama’s call for Iran to be held accountable for this unprecedented cyber incident. The United States will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace. For weeks, the U.S. government has been on the ground, working alongside private sector partners to support Albania's efforts to mitigate, recover from and investigate the July 15 cyberattack that destroyed government data and disrupted government services to the public. We have concluded that the government of Iran conducted this reckless and irresponsible cyberattack, and that it is responsible for subsequent hack and leak operations. Iran's conduct disregards norms of responsible peacetime state behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provide services to the public. Albania views impacted government networks as critical infrastructure. Malicious cyberactivity by a state that intentionally damages critical infrastructure or otherwise impairs its use and operation to provide services to the public can have cascading domestic, regional and global effects, pose an elevated risk of harm to the population, and may lead to escalation and conflict. We will continue to support Albania's remediation efforts over the longer term, and we invite partners and allies to join us in holding malicious cyber actors accountable and building a secure and resilient digital future."

Cyber Security Works has a useful timeline of the conflict in cyberspace between Tehran and Tirana.

US Treasury hits Iran with sanctions for cyberattack on Albania.

The US Department of Treasury’s Office of Foreign Assets Control on September 9th announced sanctions against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence for the July cyberattack on the government of Albania, a fellow NATO member state. As the Wall Street Journal reported, the sanctions block all property held by the ministry and its leader Esmail Khatib under US jurisdiction and bar US entities from conducting business with them. Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson stated, “Iran’s cyber attack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public. We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners.” The MuddyWater threat group, responsible for a series of attacks worldwide dating back to 2017, was officially linked to MOIS by US Cyber Command. John Hultquist, Mandiant's Vice President of Intelligence Analysis, told BleepingComputer, "MOIS carries out cyber espionage and disruptive ransomware attacks on behalf of the Iranian government in parallel with the other Iranian security service the IRGC." The Record by Recorded Future added that Iran’s foreign ministry spokesman Nasser Kanani publicly condemned the US’s decision, stating, “America’s immediate support for the false accusation of the Albanian government... shows that the designer of this scenario is not the latter, but the American government.” Al Arabiya reported that Kanani also accused the US of supporting a “terrorist sect,” referring to the opposition People’s Mujahedeen of Iran.

We heard from John Hultquist, VP, Mandiant Intelligence, on the record the Iranian Ministry of Intelligence and Security has compiled:

“MOIS carries out cyber espionage and disruptive ransomware attacks on behalf of the Iranian government in parallel with the other Iranian security service the IRGC. They are largely focused on classic espionage targets such as governments and dissidents, and they have been found targeting upstream sources of intelligence like telecommunications firms and companies with potentially valuable PII. Furthermore, they have a history of targeting the MeK, the group at the center of the Albanian incident. 

"These actors have also been involved in ransomware incidents that may have been ultimately designed for disruptive purposes rather than financial gain. Those operations were a template for the Albania attack. Mandiant has previously linked APT34 and APT39 to MOIS.”

CISA warns of Iranian cyber activity.

The US Cybersecurity and Infrastructure Security Agency (CISA) on September 21st issued a joint warning with the FBI outlining the conduct of the cyber campaign Iran waged earlier this month against Albania. The warning includes recommended protections and mitigations should the campaign spill over to targets outside Albania. 

We received some industry comment on CISA's alert. Aaron Sandeen, CEO and co-founder of Cyber Security Works commented on the risk of such operations affecting third parties: “Proactive defense is the only way out for organizations to stay safe from cyber attacks. As seen from the Iran-Albania cyber war, unpatched vulnerabilities and misconfigurations can be deadly. Government entities and industrial control systems have a target drawn on their backs, and it is important to secure these assets to avoid disruption and chaos. Organizations need to continuously evaluate their security posture and know what their exposures are lest they fall prey to such attacks.”

Some cyberattacks out of Iran have a conventional criminal motivation.

Dr. Eric Cole, Advisor for Theon Technology cautions that not all attacks from Iran will have been mounted by the government itself:

“It is important to remember that these are individuals who are doing commercialized hacking, who happen to be from Iran, this is not state sponsored or nation state attack. Typically, revenue generating attacks going after individuals and medium size companies tend to be by individuals but are not necessarily supported or endorsed by the government or done for the benefit of the government.

"There are tools available to create ransomware, so it is relatively easy to do, and many people will still click on links or attachments in legitimate looking emails. The uptick in these attacks are crimes of opportunities, it is easy, low risk, and financially beneficial to the individuals who are doing it. The reason we are seeing many of these people from Iran, Russia, China, Pakistan, etc. is that it is not illegal to hack outside the country and there are no extradition treaties with the US, so it is almost a zero-risk crime. Yes, the DOJ issued an indictment to send a message, but the probability of them ever being arrested or seeing the inside of a jail cell, is relatively low.

"In order to protect against this, we have to break the status quo. Email was never meant to be used as a file transfer mechanism and as long as will allow people to send attachments and links in email, this problem will continue to persist. The simple truth is an organization can run perfectly fine, while not allowing attachments and embedded links in email. There are many viable solutions that can be used outside of email to exchange files. Instead of pushing this problem on people and expecting them to do the right thing (which they never will do), let’s use technology to solve this problem.”