CISA: Iranian hackers spent 14 months on Albanian government network before launching ransomware

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI said on Wednesday that hackers linked to the Iranian military spent 14 months inside Albanian government networks before launching a ransomware attack that caused considerable damage in July.

The FBI did not specify which Iranian hacking group was behind the incident, but said that in its investigation it found the hackers had gained initial access by exploiting an Internet-facing Microsoft SharePoint server via CVE-2019-0604.

Cybersecurity agencies ranked CVE-2019-0604 as one of the most exploited bugs of 2020, abused by nation states and ransomware gangs alike.

According to the alert, the hackers were able to maintain continuous access to the network for over a year, frequently stealing emails throughout 2021. In May 2022, the actors began moving laterally and examining the network, performing broader credential theft across Albanian government networks.

This all preceded the July cyberattack that crippled the country’s government. The FBI has confirmed reports from Reuters and researchers that the attacks were launched because of Albania’s involvement with the Mujahideen-e Khalq, known as MEK.

Albania has allowed about 3,000 members of the group to settle near Durres, the country’s main port.

The agencies said that in July 2022, the hackers “launched ransomware on the networks, leaving an anti-Mujahideen E-Khalq (MEK) message on desktop computers.”

On Sunday, Iranian President Ebrahim Raisi was asked about the group and his links to the 1988 prison executions that took place while he was an assistant prosecutor in Tehran. Many of those executed were members of the MEK, according to several advocacy groups.

Raisi told 60 Minutes’ Lesley Stahl that the information was “allegations and claims made by a terrorist group”.

CISA and the FBI said that when network defenders identified and began responding to ransomware activity in July, cyber actors deployed “a version of the destructive ZeroCleare malware.”

“In June 2022, HomeLand Justice created a website and several social media profiles displaying anti-MEK messages. On July 18, 2022, HomeLand Justice claimed responsibility for the cyberattack on Albanian government infrastructure. On July 23, 2022, HomeLand Justice posted videos of the cyberattack on its website.”

The alert explains that from late July to mid-August, HomeLand Justice’s social media accounts began advertising for the sale of data stolen from the Albanian government.

They even released a poll asking people to vote on which data to release first, usually posting .zip files or screen recordings. Nine days ago, the hackers launched another attack on the government using some of the same malware deployed in the first attack. That attack came after Albania severed diplomatic ties with Iran following the July hacks.

The alert notes that the hackers used “GoXML.exe” – a ransomware-style file encryptor. It is “digitally signed with a certificate issued to Kuwait Telecommunications Company KSC, a subsidiary of Saudi Telecommunications Company (STC),” according to the agencies.

The US Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions on Iran’s top intelligence agency and its top official two weeks ago for orchestrating the July attack.

The most recent attack hit the country’s Total Information Management System, or TIMS, which helps automate things like passport checks and matching people against leaky databases.

The country’s interior ministry, in statements to the media, said the attack prompted authorities to shut down computer screening systems at border crossings and airports.

Jonathan has worked around the world as a journalist since 2014. Before returning to New York, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.