Written by AJ Vicens
The U.S. Treasury Department on Friday announced sanctions on Iran’s Ministry of Intelligence and Security and its intelligence chief in response to “cyber activities against the United States and its allies.”
Two days ago, Albanian Prime Minister Edi Rama formally accused the Iranian government of carrying out the attack and took the unprecedented step of severing diplomatic ties with Iran in light of the cyberattack, giving Iranian personnel 24 hours to leave the country.
After Rama’s statement, the U.S. and U.K. governments quickly issued statements condemning the cyberattack. The United States has pledged to take further action against Iran.
“Iran’s cyberattack on Albania disregards peacetime norms of responsible state conduct in cyberspace, which includes norms to avoid disrupting critical infrastructure that serves the public,” Treasury Under Secretary for Terrorism and Financial Intelligence Brian E. Nelson said in a statement on Friday. “We will not tolerate Iran’s increasingly aggressive cyber activity against the United States or our allies and partners.”
Iranian Foreign Ministry spokesman Nasser Kanani on Thursday “strongly condemned the groundless accusations made by the US and UK governments,” according to a statement from the Iranian government. Kanani also “warned against any political adventurism against Iran under these absurd pretexts and stressed that Iran is fully prepared to deal decisively, immediately and regretfully with any possible conspiracy,” the statement read.
In a detailed report released on Thursday, the Microsoft Threat Intelligence Center said that in July multiple groups worked together in a single coordinated campaign to carry out a devastating hacking attack on Albania’s government systems.
The attack on Albania followed a series of attacks on Iran, which the Iranian government has linked to the Mujahedin-e-Khalq (MEK), an opposition group that the Iranian government considers terrorists.
The group that claimed responsibility for the July attack on Albania said it had targeted the country for hosting “Durres terrorists,” a reference to MEK members living in a refugee camp in Durrës, Albania. MEK had scheduled a meeting for July 23-24, but it was cancelled due to threats of violence.
John Hultquist, vice president of intelligence at cybersecurity firm Mandiant, said in a statement Friday that Iran’s Ministry of Intelligence and Security “carries out cyber espionage and destructive ransomware attacks on behalf of the Iranian government in parallel with other Iranian security services, the IRGC. They pursue espionage targets, such as governments and dissidents, and have been found to target upstream intelligence sources, such as telecommunications companies and companies with potentially valuable PII. Additionally, they have a history of targeting MEK, the group at the center of events in Albania.”
“These actors are also involved in ransomware incidents that may ultimately be designed for destructive purposes rather than financial gain,” Hultquist added. “These actions are a template for attacks in Albania.”
Microsoft said the July 15 attack involved four different active clusters, each responsible for a different aspect of the operation. The investigation revealed that one of the groups tracked by Microsoft as DEV-0861 may have gained access to the Albanian network in May 2021. Around the same time, the operation involved the creation of two fake social media personas, as well as a third, older account that was one of the first to promote stolen Albanian material after the July attacks.
Gaby Portnoy, head of the Israel National Cyber Directorate, said in a series of tweets on Thursday that “Israel has been witnessing Iranian attacks for years,” and that “Iran’s ongoing attempts to indiscriminately damage civilian cyberspace have not paid a heavy enough price.”
Signs of an escalating cyber tit-for-tat between Iran and Israel were also visible in the Iranian attack on Albania, Microsoft said on Thursday. Microsoft said DEV-0861 had been actively stealing emails from various organizations in multiple countries, including Israeli targets, between June 2021 and May 2022.
In addition, the logo of Homeland Justice, a front group formed to distribute stolen Albanian material through websites and Telegram channels, mocks the logo of Predatory Sparrow, an Israel-linked hacking group that has conducted a series of sophisticated attacks on Iranian targets dating back to mid-2021.
Mandiant pointed to the logo connection on Aug. 4 in an analysis that was the first to publicly link Iran to the attack on Albania and that discussed technical details of the ransomware used in the attack.
Following Rama’s statement on Wednesday and the international attention it drew to the group, Homeland Justice temporarily switched its Telegram channel to private. The channel had been active previously, most recently sharing stolen Albanian data on Aug. 29. The group’s website was still active Thursday.
Registration data shows the site is hosted by San Francisco-based tech security and services firm Cloudflare, which has come under fire in recent days for hosting Kiwi Farms, a forum where users organize harassment campaigns.
In an Aug. 31 blog post, Cloudflare CEO Matthew Prince defended the company’s decision not to drop the site as part of a philosophical belief in serving potentially objectionable material. Four days later, the company relented and dropped Kiwi Farms, citing possible violence.
The company did not respond to a request Thursday about its affiliation with the Homeland Justice website, whether it conflicted with the company’s policy, or if any law enforcement or government agencies had asked Cloudflare to shut down the site.
The Microsoft analysis also shared details of the wiper malware and ransomware used in the attack on Albania, both of which have forensic links to the Iranian state and Iran-affiliated groups, the researchers said. For example, the wiper used the same license keys and drivers as “ZeroCleare,” an Iran-linked wiper malware that IBM’s X-Force security team documented after an attack on a Middle Eastern energy company in mid-2019.
“The analysis identified the use of vulnerabilities to implant web shells for persistence, reconnaissance operations, common credential harvesting techniques, defense evasion methods that disable security products, and a final attempt to deploy encryption and wiper binaries on targets,” the Microsoft researchers wrote. “The Iran-sponsored sabotage attempt had less than a 10 percent total impact on the client environment.”