Iranian hackers likely behind disruptive cyber attacks on Albanian government


A threat actor working to achieve Iranian goals is believed to have been behind a series of disruptive cyber attacks on Albanian government services in mid-July 2022.

Cybersecurity company Mandiant said the malicious activity against a NATO member state represented a “geographical expansion of Iran’s disruptive cyber operations.”

The July 17 attacks, according to the Albanian National Agency for the Information Society, forced the government to “temporarily close access to online public services and other government websites” due to a “synchronized and sophisticated cybercriminal attack from outside Albania.”

The politically motivated disruptive operation, according to Mandiant, involved the deployment of a new ransomware family called ROADSWEEP with a ransom note that read, “Why should our taxes be spent on the benefit of DURRES terrorists?”

A front called HomeLand Justice has since taken credit for the cyber offensive, and the group is also alleged to have used wiper malware in the attacks. While the exact nature of the wiper is still unclear, Mandiant said an Albanian user submitted a sample of the wiper known as ZeroCleare on July 19, coinciding with the attacks.

ZeroCleare, first documented by IBM in December 2019 as part of a campaign targeting the industrial and energy sectors in the Middle East, is designed to wipe the master boot record (MBR) and disk partitions on Windows-based machines. It is believed to be a joint effort between several Iranian nation-state actors, including OilRig (also known as APT34, ITG13 or Helix Kitten).

Also deployed in the Albanian attacks was a previously unknown backdoor called CHIMNEYSWEEP that can take screenshots, list and collect files, spawn a reverse shell, and support keylogging functionality.

The implant not only shares numerous code overlaps with ROADSWEEP, but is also delivered to the system via a self-extracting archive alongside decoy Microsoft Word documents containing images of Massoud Rajavi, the former leader of the People’s Mojahedin Organization of Iran (MEK).

The earliest versions of CHIMNEYSWEEP date back to 2012, and there is evidence that the malware may have been used in attacks targeting Farsi and Arabic speakers.

The cybersecurity firm, which was acquired by Google earlier this year, said it did not have enough evidence to attribute the intrusions to a named adversary, but assessed with moderate confidence that one or more threat actors operating in support of Iran’s objectives were involved.

The connection to Iran stems in part from the timing: the attacks took place less than a week before the World Summit of Free Iran, a conference held on July 23-24 near the port city of Durres by entities opposed to the Iranian government, most notably members of the MEK.

“Using ransomware to conduct a politically motivated disruptive operation against the government websites and civilian services of a NATO member state in the same week a conference of Iranian opposition groups was due to take place would be a particularly brutal operation by Iran-nexus threat actors,” the researchers said.

The findings also come two months after the Iranian advanced persistent threat (APT) group tracked as Charming Kitten (aka Phosphorus) was linked to an attack against an undisclosed construction company in the southern US.