
Analyzing the Recent Large-Scale Cyberattack Against the Albanian Government

By SIBRU (Discord)

Executive Summary

On July 17, 2022, Albania experienced the most aggressive cyberattack in its history. Until then, the country had only experienced DDoS attacks against a few targets in the private and government sectors, but this attack disrupted the entire country’s online services for weeks. A hacktivist group calling itself ‘@homelandjustice’ claimed responsibility for the attack and began posting leaks and videos from the hack to its website (homelandjustice.ru), Twitter account (@homelandjustic1), and Telegram channel (@homelandjustice). The group has shown hostility towards the People's Mojahedin Organization of Iran (PMOI, MEK, MKO), a political-militant organization that advocates overthrowing the current Iranian government. From early 2013 until 2016, at the request of the United States and NATO, Albania granted political asylum to approximately 3,000 members of the organization; their current headquarters is in Manëz, Durrës, Albania (41°25′36″N 19°34′26″E). The organization holds annual meetings with its other branches located around the world, and this year’s meeting was scheduled for July 23-24. The cyberattack started one week before the scheduled meeting. According to Mandiant, the attackers deployed ransomware from the Roadsweep family, used a previously unknown backdoor called Chimneysweep, and deployed a new strain of the ZeroCleare wiper, all indicators of Iranian APT activity.


Timeline of Events


On July 17, 2022, a “wide and complex” cyberattack blocked all of Albania’s public online services, including the main Albanian e-government platform ‘e-albania.al’, which offers online services to all citizens of the country.[1] AKSHI (Agjencia Kombëtare e Shoqërisë së Informacionit), the National Agency for Information Society, informed the public in a press release that the agency was dealing with “a synchronized and sophisticated cyber attack from outside Albania”, and that it had been forced to shut down government systems until the attacks were neutralized.[2]


The next day, July 18, the Prime Minister’s office stated in a press release that the attack had been picked up by the authorities around noon on Friday, July 15, and that the systems were promptly “isolated” to avoid any leaks. The statement also mentioned that the methodology used by the perpetrators resembled previous ransomware attacks that targeted Ukraine, Germany, Lithuania, Malta, the Netherlands, and Belgium. The Prime Minister’s office also confirmed that local agencies, law enforcement, and cybersecurity experts were working closely with the Microsoft DART team and Jones Group International to resolve the situation.[3]


On July 20, three days after the attack started, ‘top-channel.tv’ published an article stating that the attackers were allegedly demanding a ransom of 30 million Euros. The Prime Minister denied the allegations and urged the news outlet not to spread misinformation. As of the time of writing, this article has been deleted.[4]


On July 23, a hacktivist group by the name of ‘Homeland Justice’ registered the domain homelandjustice.ru and started dumping leaked Albanian government files, two Ukrainian citizens’ IDs and passports, a video showing what appears to be remote access to Hyper-V servers, and a banner (image not reproduced here).


In the following days, local media reported on the attack, and screenshots of the website began to circulate on the main local outlets, showing that the attackers had obtained confidential government documents, personal IDs, internal communications of official institutions, and more.


By July 28, almost all services (98%) were back online, according to an official government press release. The Vice Prime Minister and the head of AKSHI also stated that the government and other parties were now investigating the attack, adding that the FBI was also assisting.[5]


On July 29, the director of AKSHI, Linda Karaçanaj, described the attack methodology for the first time. According to the investigation, the attack started with ransomware as a decoy and proceeded with a ZeroCleare wipe.[6] It is still unclear how the attackers gained initial access and, at the time of writing, no one has elaborated on the details of the attack.


On August 2, Homeland Justice posted a link on both the website and Telegram to a file containing various emails belonging to the Prime Minister, Edi Rama. The .zip file was 640MB and contained both Rama’s inbox and sent messages.


Analysis and Assessment


A WHOIS lookup on homelandjustice.ru (the raw output is not reproduced here) showed the domain registered through a ‘private registrar’ entity in Russia. This adds an extra layer of difficulty to accurately tracking the source, since the registrant’s identity is obscured and, on its own, the registrar’s location says nothing about where the operators are.


However, @Homelandjustice can be found on Telegram, TikTok, and Twitter.[7] On Twitter, the group has uploaded four videos of what appear to be Albanian-speaking citizens burning pictures of suspected MEK members.



Further social media analysis found that the @Homelandjustice Twitter account was previously named ‘AnakinUriah’. The account used that username from May 19, 2022 to July 7, 2022, and changed to ‘homelandjustice’ on July 15, 2022.


The Telegram channel, which now has more than 500 subscribers, actively shares government files, personal documents of Albanian citizens, and Google-translated messages in Albanian urging people to protest against the asylum granted to MEK members in Durrës.


On August 4, researchers at the cybersecurity firm Mandiant reported that the attackers deployed ransomware from the Roadsweep family and may also have used a previously unknown backdoor, dubbed Chimneysweep, as well as a new strain of the ZeroCleare wiper. This activity is consistent with known Iranian APT TTPs and represents a more aggressive posture against a NATO member state.[8]


Albania-Iran Diplomatic Relations


@Homelandjustice is particularly hostile towards the People's Mojahedin Organization of Iran (MEK), with nearly all the postings on the website expressing hostility towards the organization. Roughly 3,000 members of the MEK have been granted asylum in Albania since 2013, and most live in a high-security compound near Durrës. Tehran has repeatedly objected to the Albanian government’s decision to provide asylum to the MEK members.


Diplomatic relations between the two countries deteriorated further in 2018, when Tirana expelled two Iranian embassy officials, Mohammad Ali Arz Peimanemati and Seyed Ahmad Hosseini Alast, and the Iranian ambassador, Gholamhossein Mohammadnia, on the grounds that they were engaged in "activities that violate their diplomatic status".[9]


In 2019, the Albanian Special Anti-Corruption Structure (SPAK) arrested Bijan Pooladrag, a former member of the MEK. Pooladrag is accused of spying for the Iranian secret service after allegedly conducting SIGINT operations against his former MEK peers.[10]


Finally, on August 1, 2022, two Iranian citizens flying from Germany to Albania were detained at the airport for 72 hours before being deported back to Germany. The two individuals, Afshin Kalantari and Soltani Batool, were allegedly visiting Albania at the invitation of the Association for the Support of Iranians Living in Albania (ASILA), only to be stopped by the Albanian counterterrorism unit. ASILA is currently under investigation by SPAK for alleged connections to the Iranian government.


(Image caption) Afshin Kalantari and Soltani Batool

It might not be a coincidence that the attack started only a few days before the MEK’s annual global meeting, scheduled to take place on July 23 and 24, which was ultimately postponed following an official warning from the U.S. Embassy the day before.[11] As of now, the Albanian government has not formally accused Iran of the cyberattack, but the evidence suggests that Tehran was likely involved.


(Image caption) MEK Calls for Regime Change at Annual Free Iran Event in Albania. July 2019 - Iran Focus

Still, there is also the possibility that the attack was carried out solely to disrupt the Albanian government, considering that since May 1 of this year all public services have been moved online. Moreover, August is usually the deadline for businesses in Albania to submit fiscal records for tax purposes. That being said, it is not improbable that the attack was launched with the intention of disrupting the government in the busiest month of the fiscal year.


[1] https://abcnews.go.com/International/wireStory/cyberattack-blocks-albanias-public-online-services-87013604

[2] https://albaniandailynews.com/news/cyber-attacks-forces-akshi-close-government-online-systems

[3] https://albaniandailynews.com/news/pm-s-office-issues-statement-on-govt-online-systems-attack

[4] https://shqiptarja.com/lajm/hakerat-kerkuan-30-milione-euro-pas-sulmit-kibernetik-ne-platformat-qeveritare-rama-nuk-eshte-e-vertete-as-te-dhenat-nuk-jane-shkaterruar

[5] https://euronews.al/kryesore/2022/07/29/balluku-jep-detaje-nga-sulmi-kibernetik-shkalla-e-goditjes-ishte-masive/

[6] http://www.panorama.com.al/sulmi-kibernetik-drejtoresha-e-akshi-t-mbi-98-e-sherbimeve-online-jane-serish-funksionale-nuk-eshte-fshire-asnje-e-dhene-ne-servera/

[7] https://twitter.com/homelandjustic1/media

[8] https://www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against?1

[9] https://www.bbc.com/news/world-europe-46632612

[10] https://balkaninsight.com/2022/04/01/iranian-citizen-faces-terrorism-related-charges-in-albania/

[11] https://balkaninsight.com/2022/07/22/us-warns-of-threat-to-iranian-opposition-summit-in-albania/
