US sanctions Iran intelligence agency over Albania cyberattack
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Friday imposed sanctions on Iran's primary intelligence agency and its top official less than two days after Albania cut diplomatic ties with Tehran over an attack on the country's government websites.
Iran's Ministry of Intelligence and Security (MOIS), led by Minister of Intelligence Esmaeil Khatib, was accused of sponsoring the July cyberattack against Albania, a NATO member, as well as engaging in malicious cyber activities targeting the U.S. and its allies.
“Iran’s cyber attack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public,” Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian Nelson said in a press release. “We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners.”
On Wednesday, Albania's Prime Minister Edi Rama said "without a shadow of doubt" the cyberattack was "orchestrated and sponsored" by Iran, adding that it shared key evidence of the investigation with strategic allies and friendly countries. Rama asked that all Iran's diplomatic, technical and administrative, and security staff leave Albania within 24 hours.
We are designating Iran’s Ministry of Intelligence and Security and its Minister for engaging in cyber-enabled activities against the U.S. and our allies. We won’t tolerate cyberattacks targeting the U.S. or our allies’ interests, infrastructure, or services.
— Secretary Antony Blinken (@SecBlinken) September 9, 2022
"This extreme response, one that is unwanted but totally forced on us, is fully proportionate to the gravity and risk of the cyberattack that threatened to paralyse public services, erase digital systems and hack into State records, steal Government intranet electronic communication and stir chaos and insecurity in the country," Rama said.
Later that day, the U.S. condemned the attack and alluded to "further action[s] to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace."
According to OFAC's designation, MOIS directs "several networks" of hacking groups that have carried out ransomware attacks and cyber espionage in support of Iran's political objectives. One of those groups — known as APT39 — was sanctioned by OFAC in September 2020 for launching malware campaigns that targeted several U.S. companies, as well as orchestrating the widespread theft of personal identifying information in support of the country's surveillance operations.
Another group known as MuddyWater has been linked to a range of attacks in recent years targeting companies in the telecommunications, defense, local government, and oil and natural gas sectors. In January, U.S. Cyber Command provided technical details on the group, which it said was a "subordinate element" within MOIS.
"Iran’s cyberattacks targeting civilian government services and critical infrastructure sectors can cause grave damage to these services and disregard norms of responsible peacetime state behavior in cyberspace," U.S. Secretary of State Antony Blinken said in a statement Friday. "The United States will continue to use all appropriate tools to counter cyberattacks against the United States and our Allies."
As a result of Friday's designation, U.S. citizens are effectively prohibited from engaging in transactions with MOIS and Khatib, and non-U.S. citizens who engage in transactions with them may themselves be exposed to sanctions. Property and interests in property of designated targets are also blocked.
In recent years, sanctions have emerged as a popular tool for deterring nation-state and state-sponsored hackers. OFAC has issued sanctions against several Russian organizations and individuals who attempted to influence the 2020 presidential election, against North Korea's Lazarus Group, and against a cryptocurrency mixing service that helped Lazarus Group launder its stolen funds.
Adam Janofsky is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.