Albania's parliament building. Image: cameron lucida / Flickr / CC BY-SA 2.0

Wiper malware found in analysis of Iran-linked attacks on Albanian institutions

During the wave of attacks on Albanian organizations earlier in December, Iran-linked hackers used wiper malware that researchers are calling No-Justice.

The attacks, attributed to the Iranian threat actor Homeland Justice, targeted the Albanian parliament, two local telecom companies (ONE Albania and Eagle Mobile), and Albania’s flag air carrier (Air Albania). The hackers claimed to have stolen data from the targeted systems, but this claim has not been confirmed yet.

Researchers at the Israel-based cybersecurity firm ClearSky identified two main tools used in this campaign: No-Justice, which can crash the targeted Windows operating system “in a way that it cannot be rebooted,” and a PowerShell script designed “to copy and propagate the wiper to other machines in the organizational network before its activation.”

No-Justice had a valid digital signature to appear legitimate and required administrator privileges to wipe the data from the victim’s computer, researchers said.

The hackers likely used publicly available tools for the attack, including a set of network communication software utilities called Plink; a tool named RevSocks, employed for data exfiltration, command and control, or maintaining persistent access in a compromised network; and the Windows 2000 resource kit, which can be used for reconnaissance and persistent remote access.

The extent of the damage is still not clear. Earlier in December, local media reported that during the attack on the parliament, hackers attempted to interfere with the infrastructure and delete data but were unsuccessful.

ClearSky assesses that Homeland Justice’s operations may also threaten other countries.

The latest attacks on Albania were possibly retaliation for the government's sheltering of members of the Iranian opposition group Mujahedeen-e-Khalq, or MEK, in the Albanian county of Durrës. The hackers named their campaign “Destroy Durres Military Camp.”

According to ClearSky’s report, the attack on the Albanian parliament followed the publication of an image showing Albanian parliament members together with Mariam Rajavi, president of MEK.

Homeland Justice launched its first campaign against Albania last July, targeting the country’s e-government systems right before MEK’s planned conference. The conference was canceled following the attack.

In September, Albania reported that hackers linked to Iran's government targeted computer systems used by the national police to track individuals entering and leaving the country. The attack prompted authorities to shut down computer control systems at border crossings and airports.

Researchers described Homeland Justice as an “Iranian psychological operation group.” It is likely state-sponsored.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.