In mid-July, a cyberattack on the Albanian government knocked out state websites and public services for hours. With Russia’s war raging in Ukraine, the Kremlin might seem like the most likely suspect. But research published on Thursday by the threat intelligence firm Mandiant attributes the attack to Iran. And while Tehran’s espionage operations and digital meddling have shown up all over the world, Mandiant researchers say that a disruptive attack from Iran on a NATO member is a noteworthy escalation.
The digital attacks targeting Albania on July 17 came ahead of the “World Summit of Free Iran,” a conference scheduled to convene in the town of Manëz in western Albania on July 23 and 24. The summit was affiliated with the Iranian opposition group Mujahideen- e-Khalq, or the People’s Mojahedin Organization of Iran (often abbreviated MEK, PMOI, or MKO). The conference was postponed the day before it was set to begin because of reported, unspecified “terrorist” threats.
Mandiant researchers say that attackers deployed ransomware from the Roadsweep family and may have also utilized a previously unknown backdoor, dubbed Chimneysweep, as well as a new strain of the Zeroclear wiper. Past use of similar malware, the timing of the attacks, other clues from the Roadsweep ransomware note, and activity from actors claiming responsibility for the attacks on Telegram all point to Iran, Mandiant says.
“This is an aggressive escalatory step that we have to recognize,” says John Hultquist, Mandiant’s vice president of intelligence. “Iranian espionage happens all the time all over the world. The difference here is this isn’t espionage. These are disruptive attacks, which affect the lives of everyday Albanians who live within the NATO alliance. And it was essentially a coercive attack to force the hand of the government.”
Iran has conducted aggressive hacking campaigns in the Middle East and particularly in Israel, and its state-backed hackers have penetrated and probed manufacturing, supply, and critical infrastructure organizations. In November 2021, the US and Australian governments warned that Iranian hackers were actively working to gain access to an array of networks related to transportation, health care, and public health entities, among others. “These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion,” the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency wrote at the time.
Tehran has limited how far its attacks have gone, though, largely keeping to data exfiltration and reconnaissance on the global stage. The country has, however, participated in influence operations, disinformation campaigns, and efforts to meddle in foreign elections, including targeting the US.
“We’ve become used to seeing Iran being aggressive in the Middle East where that activity just has never stopped, but outside of the Middle East they’ve been far more restrained,” Hultquist says. “I’m concerned that they may be more willing to leverage their capability outside of the region. And they clearly have no qualms about targeting NATO states, which suggests to me that whatever deterrents we believe exist between us and them may not exist at all.”
With Iran claiming that it now has the ability to produce nuclear warheads, and representatives from the country meeting with US officials in Vienna about a possible revival of the 2015 nuclear deal between the countries, any signal about Iran’s possible intentions and risk tolerance when it comes to dealing with NATO are significant.