Iranian Hackers Target Albania’s Border Control System in a Tit-for-Tat Operation

The recent attack on Albania has forced its government to suspend the Total Information Management System (TIMS), a border control system it uses to track the people who enter or leave the country.

September 13, 2022

Days after the U.S. Department of Treasury sanctioned Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence for carrying out a cyberattack against Albania in July 2022, the west Asian country struck the European country for the second time.

The Albanian prime minister Edi Rama confirmed this weekend that the country was attacked for the second time earlier in September. The cyberattack comes right on the heels of Albania, a NATO member state and U.S. ally, severing diplomatic ties with Iran over the July 15 cyberattack that crippled 1225 online services for businesses and the government.

The cyberattack forced the Albanian government to suspend online services, most of which became operational by mid-August. “Some of the Albanian organizations targeted in the destructive attack were the equivalent organizations and government agencies in Iran that experienced prior cyberattacks with MEK-related messaging,” Microsoft noted.

“This suggests the Iranian government chose those targets to signal the cyberattacks as a form of direct and proportional retaliation, a common tactic of the regime.”

Tirana worked with Microsoft to assess the July attack. The company said with “high confidence” that multiple Iranian state-sponsored groups conducted it. These included DEV-0861 (gained initial access and exfiltrated data), DEV-0842 (deployed the ransomware and wiper malware), DEV-0166 (exfiltrated data), and DEV-0133 (probed victim infrastructure).

Prime Minister Rama added that the September attack, conducted late last week, was perpetrated by the “same aggressor” behind the July attack.

Rama’s tweet translates to the following: “Another cyber attack by the same aggressors, already exposed and condemned by Albania’s friendly and allied countries, was recorded last night on the TIMS system! Meanwhile, we continue to work around the clock with our allies to make our digital systems impenetrable.”

Julia O’Toole, CEO of MyCena Security Solutions, told Spiceworks, “These attacks on Albania have brought the country to a standstill, so it is not surprising the government chose to publicly announce their intention to cut ties with the designated culprit, Iran. However, it seems in retaliation, the country is now facing further attacks which are causing more disruptions.”


Tehran’s hostility towards Tirana stems from the presence of several members of Mujahedeen-e-Khalq (MeK), a dissident group whose goal is to overthrow the government of the Islamic Republic of Iran.

While the July attack was timed weeks after Iran suffered a barrage of cyberattacks from Predatory Sparrow and the MEK-affiliated group ‘Uprising until Overthrow,’ and just before the Free Iran World Summit was scheduled (later canceled), it is unclear what the actual goal of Iran’s latest attack on Albania was.


But if previous developments are any indication, it possibly has to do with fetching the data on the movement of MeK members. “This is yet another reminder that the consequences of cyberattacks today are far from just digital,” O’Toole added. “Instead, physical functions come to a halt which have a major impact on society.”

The ransom image that the Iranian hackers dropped shows an eagle preying on the Predatory Sparrow logo, placed within a Star of David (Iran believes Israel was involved in the attacks conducted by Predatory Sparrow).

[Figure: Ransom image dropped by Iranian state-sponsored groups | Source: Microsoft]

The cyberattacks have received condemnation from the White House National Security Council in the U.S., the U.K., and NATO.

“Iran’s cyber attack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian Nelson. “We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners.”


How did the Iranian threat actors compromise Albanian systems?

According to Microsoft, the attack involved multiple threat actors working in tandem to compromise and gain a foothold in the target systems, exfiltrate, encrypt and destroy data, and perform other information operations.

The state-sponsored threat actors, viz., DEV-0861, DEV-0842, DEV-0166, and DEV-0133, are unknown, emerging, or developing clusters engaged in cyber threat activity. The company’s forensic analysis revealed all four were operating from within Iran.

[Figure: Iran MOIS-sponsored attacks on Albania | Source: Microsoft]

DEV-0861, which Redmond said is associated with the MOIS-linked group EUROPIUM, gained initial access to Albanian government systems as early as May 2021 through CVE-2019-0604, a vulnerability in unpatched SharePoint Server installations.

The group then executed arbitrary code to implant web shells on the unpatched SharePoint instances. The web shells, in turn, let DEV-0861 upload, download, delete and rename files, and execute commands, with an option to run them as a specific user.

They then leveraged Mimikatz for credential harvesting and moved laterally within the victim network using Impacket and Remote Desktop Clients.

Before DEV-0861 began exfiltrating emails from Albanian systems between October 2021 and January 2022, it solidified its presence using a misconfigured service account that was a member of the local administrators group. The group has previously exfiltrated data from organizations in Israel, Jordan, Kuwait, Saudi Arabia, Turkey, and the UAE.

DEV-0166 then entered the picture and used Jason.exe to exfiltrate emails between November 2021 and May 2022, followed by DEV-0842, which deployed the ransomware and a wiper. Analysis revealed that the wiper used a license key and an EldoS RawDisk driver similar to those of ZeroCleare, a wiper Iran’s nation-state groups used in a 2019 attack against an energy company.
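The intrusion chain above starts with a web shell planted on an unpatched SharePoint server, and a web shell is one of the few stages that leaves a durable trace a defender can hunt for in ordinary IIS logs: a page that is not part of the application inventory, receives POSTs, is never reached through a referring page, and is hit by only a handful of client IPs. The script below is an added triage example, not code from Microsoft, the Albanian government or this article; the log lines, the `KNOWN_PAGES` inventory and the suspicious path `/_layouts/15/zz_tmp.aspx` are all constructed for illustration, and the assumption is that a defender already has a baseline inventory of legitimate `.aspx` pages taken from the web root.

```python
"""Heuristic web-shell triage over IIS W3C logs (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Set

# Constructed IIS log excerpt. IIS writes one space-separated record per line
# (spaces inside fields are replaced by '+'), preceded by '#Fields:' directives
# that name the columns, so the parser reads the layout from the log itself.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-05-03 09:12:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\alice 10.0.1.21 Mozilla/5.0+(Windows+NT+10.0) https://portal.example.local/ 200 0 0 120
2021-05-03 09:12:05 10.0.0.5 POST /_layouts/15/upload.aspx List=Docs 443 CORP\alice 10.0.1.21 Mozilla/5.0+(Windows+NT+10.0) https://portal.example.local/sites/hr/ 200 0 0 340
2021-05-03 09:15:44 10.0.0.5 GET /sites/hr/lists/allitems.aspx - 443 CORP\bob 10.0.1.37 Mozilla/5.0+(Windows+NT+10.0) https://portal.example.local/sites/hr/ 200 0 0 95
2021-05-03 22:41:10 10.0.0.5 GET /_layouts/15/zz_tmp.aspx - 443 - 203.0.113.9 python-requests/2.25 - 200 0 0 15
2021-05-03 22:41:12 10.0.0.5 POST /_layouts/15/zz_tmp.aspx - 443 - 203.0.113.9 python-requests/2.25 - 200 0 0 88
2021-05-03 22:41:40 10.0.0.5 POST /_layouts/15/zz_tmp.aspx - 443 - 203.0.113.9 python-requests/2.25 - 200 0 0 91
"""

# Assumed baseline: .aspx pages that belong to the deployed application.
# In practice this comes from an inventory of the web root, not from the logs.
KNOWN_PAGES = {"/sites/hr/default.aspx", "/_layouts/15/upload.aspx"}


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data record, keyed by the names in the #Fields line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column names follow the directive
            continue
        if line.startswith("#"):
            continue                        # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data record before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                        # malformed record: skip rather than misalign
        yield dict(zip(fields, values))


@dataclass
class PageStats:
    first_seen: str
    requests: int = 0
    methods: Set[str] = field(default_factory=set)
    clients: Set[str] = field(default_factory=set)
    has_referer: bool = False
    unauthenticated: bool = False


def find_webshell_candidates(log_text: str, known_pages: Set[str]) -> List[dict]:
    """Flag .aspx pages outside the inventory that behave like a command endpoint."""
    stats: Dict[str, PageStats] = {}
    for rec in parse_w3c(log_text):
        uri = rec["cs-uri-stem"].lower()
        if not uri.endswith(".aspx"):
            continue
        ps = stats.setdefault(uri, PageStats(first_seen=f'{rec["date"]} {rec["time"]}'))
        ps.requests += 1
        ps.methods.add(rec["cs-method"].upper())
        ps.clients.add(rec["c-ip"])
        if rec.get("cs(Referer)", "-") != "-":
            ps.has_referer = True           # a real page is normally navigated to
        if rec.get("cs-username", "-") == "-":
            ps.unauthenticated = True       # SharePoint content is rarely anonymous

    known = {p.lower() for p in known_pages}
    candidates = []
    for uri, ps in stats.items():
        if uri in known or "POST" not in ps.methods:
            continue                        # inventory pages and read-only pages are out
        reasons = ["accepts POST", "not in application inventory"]
        if not ps.has_referer:
            reasons.append("never reached via a referring page")
        if len(ps.clients) <= 2:
            reasons.append(f"only {len(ps.clients)} client IP(s)")
        if ps.unauthenticated:
            reasons.append("served to unauthenticated requests")
        candidates.append({"uri": uri, "first_seen": ps.first_seen,
                           "requests": ps.requests, "reasons": reasons})
    return sorted(candidates, key=lambda c: c["first_seen"])


if __name__ == "__main__":
    for c in find_webshell_candidates(SAMPLE_LOG, KNOWN_PAGES):
        print(f'{c["first_seen"]}  {c["uri"]}  ({c["requests"]} requests): {", ".join(c["reasons"])}')
```

The legitimate but uninventoried `allitems.aspx` page is not flagged because it is read-only and reached through a referring page, while the constructed `zz_tmp.aspx` endpoint trips every indicator. The output is a triage list, not a verdict: each hit should be confirmed against the file system (creation time of the `.aspx`, its contents, the account that wrote it) before the page is treated as a web shell.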

“The focus should be on the prevention of cyberattacks rather than their remediation. One way to prevent those attacks is to take back control of network access through the implementation of access encryption and segmentation,” O’Toole continued.

“We all know that credentials offer criminals the keys to the digital kingdom, but if organizations encrypt their access, their credentials cannot be stolen or phished since their employees do not know them. This closes important doors on attackers while also giving organizations back control of their data.”


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
