An empty Iranian embassy building in Albania’s capital city Tirana was raided by counter-terrorism police today as officers search for evidence of links to a cyberattack carried out in July. The hack forced the government to shut down a number of services and saw politicians’ data released to the public, and has caused Albania to sever diplomatic ties with Iran.
Albania cut ties with Iran yesterday after prime minister Edi Rama blamed it for a cyberattack in July and ordered diplomats to leave within 24 hours. “This extreme response is fully proportionate to the gravity and risk of the cyberattack that threatened to paralyse public services, erase digital systems and hack into state records, steal government intranet electronic communication and stir chaos and insecurity in the country,” Rama said in a video statement.
Iranian officials had been seen throwing papers into a rusty barrel and setting it alight inside the building just before they left and closed the embassy, local journalists have reported. Police entered the building wearing helmets and carrying rifles immediately after a pair of cars with diplomatic plates left, the reports suggest. Albania, the US and the UK have all blamed Iran for the July attack.
The “unprecedented and dangerous” cyberattack on July 15 saw officials suspend government websites and other official systems to prevent them from further damage and stop further data leaks. The websites of the Albanian Parliament and the prime minister’s office, as well as ‘e-Albania’, a portal used by residents to access a range of public services, came under what has been described as a “synchronised and sophisticated attack”.
Attackers leaked Albanian government data, including details of emails from the prime minister and Ministry of Foreign Affairs and personal information linked to opposition politicians including names, social security numbers and email addresses.
Albania cyberattack: Iran could face further sanctions
Relations between Albania and Iran have been tense since 2014 when Albania took in 3,000 members of the People’s Mujahideen Organisation of Iran, an exiled opposition group who had settled in a camp near Durres, the main port of Albania.
Officials in the Iranian capital Tehran have condemned Albania’s decision to expel diplomats and cut ties, saying the claims that the country led the cyberattack are “baseless”.
The US and UK have both condemned the attack, with Washington officials blaming Iran and promising to “take further action to hold Iran accountable for actions that threaten the security of a US ally”.
Mandiant, a US-based cybersecurity company, first spotted the hack in July and said the group appeared to target Iranian dissidents in Albania with a “complex attack which used malicious data-wiping software”.
“This is possibly the strongest public response to a cyberattack we have ever seen,” John Hultquist, vice president of intelligence at Mandiant, told Reuters in an emailed statement. “While we have seen a host of other diplomatic consequences in the past, they have not been as severe or broad as this action”.
The UK’s new foreign secretary James Cleverly said Iran’s reckless actions showed a “blatant disregard for the Albanian people, severely restricting their ability to access essential public services”, adding that the UK would support Albania as a Nato ally and “valuable partner”.
The UK’s National Cyber Security Centre (NCSC) found that Iranian state-linked hackers were “almost certainly responsible” for the attack, assessing Iran as an “aggressive and capable cyber actor” with operations conducted by a complex and fluid network of groups with different degrees of association with the Iranian state.
British officials say this is just the latest in a line of “increasingly reckless” actions by Iran, with cyberattacks from the country employing a number of powerful disruptive and destructive tools.
Previous attacks linked to Iranian hackers include one from February this year involving a group known as MuddyWater, which had been conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organisations across sectors in Asia, Africa, Europe, and North America.
In May, the Port of London Authority suffered a cyberattack carried out by Altahrea Team, a gang thought to be based in Iran, which has also targeted infrastructure in Israel.