Cyber ​​attack on Albanian government suggests new Iranian aggression

Tirana, Albania.
enlarge / Tirana, Albania.

Pawel Toczynski | Getty Images

In mid-July, a cyber attack on the Albanian government shut down state websites and public services for hours. With the Russian war raging in Ukraine, the Kremlin may seem the most likely suspect. But research published Thursday by the intelligence agency Mandiant attributes the attack to Iran. And as Tehran’s spy operations and digital interference have surfaced around the world, Mandiant researchers say Iran’s disruptive attack on a NATO member is a remarkable escalation.

The digital attacks on Albania on July 17 came before the ‘World Summit of Free Iran’, a conference that will take place on July 23 and 24 in the city of Manez in western Albania. The summit was affiliated with the Iranian opposition group Mujahadeen-e-Khalq, or the People’s Mojahedin Organization of Iran (often abbreviated as MEK, PMOI, or MKO). The conference was postponed the day before it was due to begin due to reported, unspecified “terrorist” threats.

Mandiant researchers say attackers have deployed ransomware from the Roadsweep family and may have also used a previously unknown backdoor called Chimneysweep, as well as a new strain of the Zeroclear wiper. Past use of similar malware, the timing of the attacks, other clues from the Roadsweep ransomware note, and activities by actors claiming responsibility for the attacks on Telegram all point to Iran, Mandiant said.

“This is an aggressive escalating move that we must recognize,” said John Hultquist, vice president of intelligence at Mandiant. “Iranian espionage is happening all over the world all the time. The difference is that this is not espionage. These are disruptive attacks, affecting the lives of everyday Albanians living within the NATO alliance. And it was essentially a compulsion to force the government’s hand.”

Iran has conducted aggressive hacking campaigns in the Middle East and especially Israel, and its state-backed hackers have penetrated and investigated manufacturing, supply and critical infrastructure organizations. In November 2021, the US and Australian governments warned that Iranian hackers were actively trying to gain access to a range of networks related to transportation, healthcare and public health agencies, among others. “These Iranian government-sponsored APT actors can use this access for follow-up operations, such as data exfiltration or encryption, ransomware, and extortion,” the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency wrote at the time.

However, Tehran has limited how far its attacks have gone, largely by adhering to data exfiltration and reconnaissance on the global stage. However, the country has participated in influence operations, disinformation campaigns and attempts to interfere in foreign elections, including those targeting the US.

“We’ve gotten used to Iran being aggressive in the Middle East where that activity just never stopped, but outside the Middle East they’re much more restrained,” Hultquist said. “I’m afraid they’re more willing to leverage their capabilities outside of the region. And they clearly have no qualms about targeting NATO states, suggesting to me that whatever deterrent between us and them may not exist at all.”

As Iran claims it is now capable of producing nuclear warheads and representatives of the country are meeting with US officials in Vienna about a possible revival of the 2015 nuclear deal between the countries, any signal about Iran’s possible intentions and risk tolerance as when it comes to dealing with NATO are important.

This story originally appeared on

Leave a Comment