Iran-linked incidents spurred Cyber Command to send 'hunt forward' team to Albania
The U.S. military sent a team of cyber operators to Albania last year to help defend government networks there after a pair of digital attacks that were blamed on Iran.
The Cyber National Mission Force (CNMF) deployed a team of two dozen personnel on a “hunt forward” operation following the second hack, which took place in September, and returned before the end of 2022. A CNMF spokesperson declined to comment on the specific number, or kinds of networks, that were examined.
The three-month mission was part of a now-years-long effort by the CNMF, a unit of U.S. Cyber Command, to work with foreign governments that want help shoring up their systems. Since 2018, teams have deployed 44 times to 22 countries and conducted operations on nearly 70 networks around the globe, most notably in Ukraine months before Russia’s invasion.
“These hunts bring us closer to adversary activity to better understand and then defend ourselves, but they also bring the U.S. closer to our partners and allies,” Army Maj. Gen. William Hartman, CNMF’s commander, said in a statement Thursday. He visited the country again this week.
The Albania mission was CNMF’s first in that country, and it also represented the first time a publicly disclosed hunt-forward mission was explicitly meant to harden systems because of Iranian digital activity, not Russian. Moscow is considered to be far more aggressive in cyberspace than Iran.
Tuesday’s disclosure comes months after the two online incidents raised questions about whether Albania, a NATO member, would invoke Article Five — a declaration that could have brought the alliance’s other 29 states, including the U.S., into a conflict with Tehran.
The first hack occurred in July, prior to a conference in Albania slated to be attended by members of the Mujahideen-e Khalq, also known as MEK, an Iranian group that Tehran considers a terrorist organization. The incident knocked some government services offline, causing officials to scramble to recover.
In September, Albania’s Prime Minister Edi Rama announced a second cyberattack had been “carried out by the same aggressors.” That attack hit the country’s Total Information Management System, which helps automate things like passport checks and cross-referencing people on fugitive databases.
The Cybersecurity and Infrastructure Security Agency (CISA) later said the Iranian hackers had been inside Albania's networks for over a year.
The Biden administration sanctioned Iran’s spy agency for carrying out the July hack and condemned Tehran for the second breach. Albania, meanwhile, severed diplomatic relations with Iran.
“The cooperation with U.S. Cyber Command was very effective and made us feel safe by assuring that we have followed all the right steps in responding to these sophisticated attacks,” Mirlinda Karçanaj, general director of the National Agency for Information Society, whose organization coordinates the Albanian government’s development and management of state information systems, said in a statement.
Dr. Igli Tafa, general director and national cyber coordinator of the National Authority for Electronic Certification and Cyber Security of Albania, said he would work with Karçanaj’s agency to “establish a resilient ecosystem and a green zone in our public infrastructures.”
The hunt forward concept has won considerable support from Capitol Hill for its ability to foster digital cooperation among nations and allow Cyber Command to glean the digital tactics of adversary nations firsthand. Last year’s $858 billion defense policy bill authorized an additional $44 million for the effort.
Earlier this month, Cyber Command and NSA chief Gen. Paul Nakasone told lawmakers the effort “builds tremendous confidence between nations.”
“When the United States deploys a hunt forward team to country X, country X knows that the United States cares,” he told the Senate Armed Services Committee. “And it is, for us, being able to work with a partner to understand their requirements and then also build a higher bar of cybersecurity.”
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.