The Federal Bureau of Investigation (FBI) and CISA said that one of the Iranian threat groups behind the destructive attack on the Albanian government’s network in July lurked inside its systems for roughly 14 months.
“An FBI investigation indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber attack, which included a ransomware-style file encryptor and disk-wiping malware,” the two agencies revealed in a joint advisory published today.
“The actors maintained continuous network access for approximately a year, periodically accessing and exfiltrating e-mail content.”
The actors, identified by the FBI as the Iranian-backed threat group “HomeLand Justice,” struck the Government of Albania in July 2022, 14 months after the initial breach, taking down multiple websites and services.
This month, the Iranian state hackers targeted the Government of Albania in a new series of cyber-attacks, using tactics and methods similar to the ones from the July attack.
The joint advisory provides additional technical details on HomeLand Justice’s activity inside Albania’s government network, including the use of a compromised Microsoft Exchange account to locate and exfiltrate credentials and large amounts of data.
Albania severs diplomatic relations over cyber-attack
Following the July attack, Albanian Prime Minister Edi Rama said the entire staff of the Embassy of Iran was asked to leave the country within 24 hours.
The decision came after Albania announced it had severed diplomatic relations with Iran, having attributed the July attack to Iranian state hackers.
The U.S. government also blamed Iran for attacking Albania in July and said the country would be held accountable for threatening the security of a NATO ally.
The HomeLand Justice group claimed the attack on July 18 and, between late July and mid-August, it leaked information stolen from the Albanian government’s network.
“These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran,” the two agencies added today.
In July 2021, U.S. President Biden warned that cyber-attacks that lead to severe security breaches could also lead to a “real shooting war.”
Biden’s remarks came one month after a NATO statement from mid-June 2021 saying that cyber-attacks can be equivalent to “armed attacks” in some circumstances.