The July 17 cyberattack on Albania came ahead of the "Free Iran World Summit," scheduled for July 23 and 24 in the town of Manez in western Albania. The summit is affiliated with an Iranian opposition group (often abbreviated as MEK, PMOI or MKO). The meeting was postponed the day before it was due to start, however, because of what was described as an unspecified "terrorism" threat.
The attackers deployed the Roadsweep family of ransomware, possibly alongside a previously unknown backdoor dubbed Chimneysweep, and a new variant of the ZeroCleare wiper, Mandiant researchers said. The past use of similar malware, the timing of the attack, other clues within the Roadsweep ransomware itself, and the activity of actors claiming responsibility for the attack on Telegram all point to Iran, Mandiant found.
"This is a positive step of escalation, we have to admit," said John Hultquist, Mandiant's vice president of intelligence. "Iranian espionage has been happening all over the world. The difference here is that this is not espionage. These are disruptive attacks that affect the daily lives of Albanians living within the NATO alliance. And it was basically a coercive attack to force the government to do it."
Iran has conducted extensive hacking activity in the Middle East, particularly against Israel, and its state-backed hackers have penetrated and probed manufacturing, supply chain and critical infrastructure organizations. In November 2021, the U.S. and Australian governments warned that Iranian hackers were actively working to gain access to a range of networks, including those of transportation, healthcare and public health entities. "These Iranian government-sponsored APT actors could exploit this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion," the DHS Cybersecurity and Infrastructure Security Agency (CISA) wrote at the time.
Outside the region, however, Tehran has largely limited the scope of its attacks, mostly confining itself to data exfiltration and reconnaissance. The country has also been involved in influence operations, disinformation campaigns and efforts to interfere in foreign elections, including in the United States.
"We're used to seeing Iran being aggressive in the Middle East, and that never stops, but outside the Middle East, they've been restrained," Hultquist said. "I'm afraid they might be more willing to use their capability outside the region. And they obviously have no qualms about targeting NATO countries."
With Iran claiming that it is now capable of producing a nuclear warhead, and its representatives meeting with U.S. officials in Vienna about a possible revival of the 2015 nuclear deal, any signal about Iran's intentions and risk tolerance in dealing with NATO members matters.
Read the research report to learn more.