Analyzing the Recent Large-Scale Cyberattack Against the Albanian Government
Evidence suggests Iranian APT involvement
By SIBRU (Discord)
On July 17, 2022, Albania experienced the most aggressive cyber attack in its history. At first, the country had only experienced DDoS attacks on a few targets in the private and government sector, but the most recent attack disrupted the entire country’s online services for weeks. A hacktivist group by the name of ‘@homelandjustice’ claimed responsibility for the attack, and started posting leaks and videos from the hack to their website (homelandjustice.ru), Twitter (@homelandjustic1), and Telegram channel (@homelandjustice). The group has shown hostility towards the People's Mojahedin Organization of Iran (PMOI, MEK, MKO) - a political-militant organization that advocates overthrowing the current Iranian government. Since early 2013 until 2016, Albania, under the request of the United States and NATO, has granted political asylum to approximately 3,000 members of the organization and their current headquarters is in Manëz, Durrës, Albania (41°25′36″N 19°34′26″E). The organization holds annual meetings with the other branches located around the world, with the meeting for this year scheduled to take place on July 23-24. The cyberattack started one week before the scheduled meeting. According to Mandiant, attackers deployed ransomware from the Roadsweep family, utilized a previously unknown backdoor, called Chimneysweep, as well as a new strain of the Zeroclear wiper - all indicators of Iranian APTs.
Keep reading with a 7-day free trial
Subscribe to Overt Operator to keep reading this post and get 7 days of free access to the full post archives.