CISA: Iranian hackers spent 14 months in Albanian gov’t network before launching ransomware

The Cybersecurity and Infrastructure Security Agency (CISA) and FBI said on Wednesday that hackers connected to Iran’s military spent 14 months inside the networks of the Albanian government before launching a ransomware attack that caused widespread damage in July.

The FBI did not specify which Iranian hacking group was behind the incident but explained that in their investigation, they found the hackers exploited an Internet-facing Microsoft SharePoint through CVE-2019-0604.

Cybersecurity agencies classified CVE-2019-0604 as one of the most exploited bugs throughout 2020, and it has been abused by both nation-states and ransomware gangs.

According to the alert, the hackers were able to maintain continuous access to the network for more than a year, frequently stealing emails throughout 2021. By May 2022, the actors began moving laterally and examining the network, performing wider credential theft across Albanian government networks. 

This all preceded the July cyberattack that crippled the country’s government. The FBI confirmed reports from Reuters and researchers that the attacks were launched due to Albania’s involvement with the Mujahideen-e Khalq, known as MEK.

Albania has allowed about 3,000 members of the group to settle near Durres, the country's main port.

The agencies said that in July 2022, the hackers “launched ransomware on the networks, leaving an anti-Mujahideen E-Khalq (MEK) message on desktops.” 

On Sunday, Iranian President Ebrahim Raisi was asked about the group and his connections to 1988 prison executions that took place while he was the deputy prosecutor in Tehran. Many of those executed were members of MEK, according to several rights groups.

Raisi told 60 Minutes’ Lesley Stahl the information was “allegations and claims made by a terrorist group.”

CISA and the FBI said that when network defenders identified and began to respond to the ransomware activity in July, the cyber actors deployed “a version of ZeroCleare destructive malware.”

“In June 2022, HomeLand Justice created a website and multiple social media profiles posting anti-MEK messages. On July 18, 2022, HomeLand Justice claimed credit for the cyber attack on Albanian government infrastructure. On July 23, 2022, HomeLand Justice posted videos of the cyber attack on their website.”

The alert explains that from late July to the middle of August, the HomeLand Justice social media accounts began advertising the sale of data stolen from the Albanian government.

They even posted a poll asking people to vote on what data should be leaked first, typically releasing .zip files or videos of recordings. Nine days ago, the hackers launched another attack on the government using some of the same malware deployed in the first attack. The attacks came after Albania severed diplomatic ties with Iran over the July hacks. 

The alert notes that the hackers used “GoXML.exe” – a ransomware-style file encryptor. It is “digitally signed with a certificate issued to the Kuwait Telecommunications Company KSC, a subsidiary of Saudi Telecommunications Company (STC),” according to the agencies.

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions on Iran’s primary intelligence agency and its top official two weeks ago for orchestrating the July attack.

The most recent attack struck the country’s Total Information Management System, or TIMS, which helps automate things like passport checks and cross-referencing people on fugitive databases.

The country’s Interior Ministry, in statements provided to the media, said the attack prompted authorities to shut down computer control systems at border crossings and airports.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.