Iranian Group Likely Behind Albanian Government Attack
Group Published Ransomware Execution Video on Website
A cyberattack that temporarily paralyzed Albania's pivot to digital government likely came from Iranian hackers upset over a planned conference by a political-militant organization opposed to Tehran.
A mid-July cyberattack caused government portal e-Albania to go offline along with the prime ministerial and parliament websites (see: Cyberattack Affects Albanian Government E-Services: Report).
Cybersecurity researchers at Mandiant assess "with moderate confidence" that the attack was perpetrated by threat actors who have operated in support of Iranian goals. The attack involved a new ransomware family dubbed Roadsweep, spyware called Chimneysweep and possibly a new variant of Zeroclear wiper malware. The ransomware used in the attack is a newly discovered tool and uses the RC4 stream cipher to maliciously encrypt files. Zeroclear already has a reported link to Iranian threat actors who have used it to disrupt the industrial and energy sectors in the Middle East as recently as 2020.
If Iranian hackers were involved, a politically motivated disruption to citizen services of a NATO member state "would be a notably brazen operation," Mandiant says. Particularly with talks between Washington and Tehran on a nuclear deal apparently stalled, "Iran may feel less restraint in conducting cyber network attack operations going forward."
The attack occurred just days before members of the Mujahedin-e-Khalq, a group dedicated to the overthrow of the Islamic Republic of Iran, were set to host a two-day conference in the Albanian town of Manëz. Members of MEK settled in Albania over the past decade at the behest of the United States. The group ultimately canceled the conference "for security reasons," The Associated Press reported. The U.S. embassy in Tirana had advised U.S. citizens to avoid the event.
Analysis of the ransomware used in the attack shows it dropped a note that said, "Why should our taxes be spent on the benefit of DURRES terrorists?" Durrës is a port city, the second-most-populous city in Albania and close to Manëz. Iran designates MEK as a terrorist group, as did the U.S. government from 1997 through 2012.
A website set up by an entity calling itself "HomeLand Justice" claimed responsibility for the attacks and posted a video of the ransomware being executed. It and a matching Telegram channel use banners identical to the wallpaper used by the ransomware and have the same political themes as the ransom note, Mandiant says.
The website, homelandjustice.ru, implies it is run by Albanians. It is still active and contains a threat that it will publish emails of Prime Minister Edi Rama. It shows documents that appear to belong to the Albanian government and resident permits that appear to belong to members of MEK.
Rama on July 24 tweeted that e-Albania was back online and that "no data was deleted."
Use of Wiper and Backdoor
Attackers likely deployed a spyware called Chimneysweep and possibly a new variant of the Zeroclear wiper in the attack, Mandiant says.
Zeroclear corrupts the file system using the RawDisk driver, a legitimate commercial driver used for interacting with files, disks and partitions.
Mandiant could not independently prove or disprove whether the sample of the Zeroclear payload it examined was used to attack Albanian government websites, but it says that it was previously reported to have links with Iran-nexus threat actors.
Chimneysweep's coding and decoy content link it to the possible involvement of Iran. It was spotted in August 2021 using an image of former MEK leader Massoud Rajavi as decoy content. It also shared code with another spyware application called Roadsweep that has targeted Farsi and Arabic speakers since 2021.
The application is capable of taking screenshots, listing and collecting files and spawning a reverse shell, and it supports keylogging functionality.