The Treasury Department announced sanctions on Friday against Iran’s Ministry of Intelligence and Security and its Minister of Intelligence in response to “cyber-enabled activities against the United States and its allies.”
The announcement comes two days after the Albanian Prime Minister Edi Rama formally blamed the Iranian government for the attack and took the unprecedented step of severing diplomatic relations with Iran based on the cyberattack, giving Iranian personnel 24 hours to leave the country.
“Iran’s cyber attack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public,” Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said in Friday’s statement. “We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners.”
Nasser Kanaani, a spokesperson for the Iranian Foreign Ministry “strongly condemned the baseless accusations” from the U.S. and the British governments Thursday, according to an Iranian government statement. Kanaani also “warned against any political adventurism against Iran with these ridiculous excuses and emphasized Iran’s full readiness to deal decisively, immediately and regretfully with any possible conspiracy,” the statement read.
Multiple groups made up the overall operation that targeted Albanian government systems with destructive hacks in July, Microsoft’s Security Threat Intelligence Center said in a detailed report published Thursday.
The attacks on Albania occurred after a string of attacks on Iran, which the Iranian government associated with the Mujahedin-e Khalq (MEK), an opposition group the Iranian government considers terrorists.
The group claiming responsibility for the July attacks on Albania claimed to be targeting Albania for hosting the “terrorists of Durres,” a reference to the MEK refugees who live in a camp in Durres, a county in Albania. MEK was set to host a conference July 23 and 24 before it was cancelled due to threats of violence.
John Hultquist, the vice president of intelligence for cybersecurity firm Mandiant, said in a statement Friday that Iran’s Ministry of Intelligence and Security “carries out cyber espionage and disruptive ransomware attacks on behalf of the Iranian government in parallel with the other Iranian security service the IRGC. They are largely focused on classic espionage targets such as governments and dissidents, and they have been found targeting upstream sources of intelligence like telecommunications firms and companies with potentially valuable PII. Furthermore, they have a history of targeting the MeK, the group at the center of the Albanian incident.
“These actors have also been involved in ransomware incidents that may have been ultimately designed for disruptive purposes rather than financial gain,” Hultquist added. “Those operations were a template for the Albania attack.”
The July 15 attacks involved four distinct clusters of activity, Microsoft said, each responsible for a different aspect of the operation. One of the groups — which Microsoft tracks as DEV-0861 — likely gained access to Albanian networks in May 2021, according to the investigation. Around the same time the operation involved establishing two phony social media personas which, along with a third older account, were among the first to promote the stolen Albanian material after the attacks in July.
Gaby Portnoy, the director general of the Israeli National Cyber Directorate, said in a series of tweets Thursday that “Israel has been seeing Iranian attacks for several years,” and that “Iran’s incessant attempts to harm civilian cyberspace indiscriminately are not exacting a heavy enough price.”
Signs of the escalating cyber tit-for-tat between Iran and Israel were part of Iran’s attack on Albania, Microsoft said Thursday. DEV-0861 had been actively exfiltrating emails from various organizations in multiple countries, Microsoft said, including Israeli targets between June 2021 and May 2022.
Additionally, the logo of “Homeland Justice,” the front group established to distribute the stolen Albanian materials through a website and a Telegram channel, mocked the logo of Predatory Sparrow, a hacking group Iran associates with Israel that has carried out a series of sophisticated attacks on Iranian targets dating back to mid-2021.
Mandiant first pointed out the logo connection Aug. 4 in an analysis that was the first to publicly connect Iran to the attacks on Albania and discuss technical details associated with the ransomware used as part of the attack.
After Rama’s statement Wednesday and the international focus on the group, Homeland Justice temporarily switched its Telegram channel to private. The channel had been active previously, sharing stolen Albanian data as recently as Aug. 29. The group’s website remained active Thursday.
Registration data shows that the site is hosted by Cloudflare, a San Francisco-based tech security and services company under fire in recent days for hosting Kiwi Farms, a forum where users organized harassment campaigns.
Cloudflare CEO Matthew Prince defended the company’s decision not to drop the site in an Aug. 31 blog post as part of a philosophical belief in providing services for material that may be objectionable. Four days later the company relented and dropped Kiwi Farms, citing the potential for violence.
The company did not respond to a request Thursday about its association with the Homeland Justice website, whether it conflicts with the company’s policies, or whether any law enforcement or government agencies had asked Cloudflare to take the site down.
The Microsoft analysis also shared details of the wiper malware and ransomware used in the attack on Albania, both of which had forensic links to Iranian state and Iran-affiliated groups, the researchers said. The wiper, for instance, used the same license key and driver as “ZeroCleare,” wiper malware linked to Iran after a mid-2019 attack on a Middle East energy company by IBM’s X-Force security team.
“Analysis identified the use of vulnerabilities to implant web shells for persistence, reconnaissance actions, common credential harvesting techniques, defense evasion methods to disable security products, and a final attempt of actions on objective deploying encryption and wiping binaries,” the Microsoft researchers wrote. “The Iranian sponsored attempt at destruction had less than a 10% total impact on the customer environment.”