Iranian threat actor likely in Albania cyberattack, says US company

A cyberattack that temporarily shut down numerous Albanian government digital services and websites in mid-July was likely the work of pro-Iranian hackers seeking to disrupt an Iranian opposition group’s conference in Albania, a leading US cybersecurity firm said.

In a report, Mandiant expressed “moderate confidence” the attackers were acting in support of Tehran’s anti-dissident efforts based on several factors: The timing, the content of a social media channel used to claim responsibility, and similarities in software code used with malware long used to target Farsi and Arabic speakers.

The July 23-24 conference by the Iranian dissident group Mujahedeen-e-Khalq was in fact canceled following warnings from local authorities of a possible terrorist threat. Some 3,000 Iranian dissidents from the group, best known as MEK, live at Ashraf 3 camp in Manez, 30 kilometers (19 miles) west of Albania’s capital, Tirana.

The Free Iran World Summit was to have been held at the camp with US lawmakers among the invitees.

A group calling itself “HomeLand Justice” claimed credit for the cyberattack, which used ransomware to scramble data. Ransomware is best known for its use in for-profit criminal extortion but is being increasingly wielded for political ends, particularly by Iran.

The claim by “HomeLand Justice” came on a Telegram channel in which documents purported to be Albanian residence permits of MEK members were posted, along with video of the ransomware being activated. The channel alleged corruption in the Albanian government and used hashtags including #Manez.

“This activity poses an active threat to public and private organizations in other NATO member states,” Mandiant said. “As negotiations surrounding the Iran nuclear deal continue to stall, this activity indicates Iran may feel less restraint in conducting cyber network attack operations going forward.”

At the time, the Tirana government said the hackers’ method was identical with attacks last year in other NATO states including Germany, Lithuania, the Netherlands and Belgium.

Iran’s mission to the United Nations did not immediately respond to a request for comment Thursday.

The MEK began as a Marxist group opposing the rule of Shah Mohammad Reza Pahlavi in Iran. It supported the 1979 Islamic Revolution, but soon had a falling out with Grand Ayatollah Ruhollah Khomeini and turned against his clerical government, carrying out a series of assassinations and bombings in the Islamic Republic.

The MEK later fled into neighboring Iraq, leading many in Iran to oppose the group. Although now largely based in Albania, the group claims to operate a network inside Iran.

FacebookTwitterLinkedin

A cyberattack that temporarily shut down numerous Albanian government digital services and websites in mid-July was likely the work of pro-Iranian hackers seeking to disrupt an Iranian opposition group’s conference in Albania, a leading US cybersecurity firm said.

In a report, Mandiant expressed “moderate confidence” the attackers were acting in support of Tehran’s anti-dissident efforts based on several factors: The timing, the content of a social media channel used to claim responsibility, and similarities in software code used with malware long used to target Farsi and Arabic speakers.

The July 23-24 conference by the Iranian dissident group Mujahedeen-e-Khalq was in fact canceled following warnings from local authorities of a possible terrorist threat. Some 3,000 Iranian dissidents from the group, best known as MEK, live at Ashraf 3 camp in Manez, 30 kilometers (19 miles) west of Albania’s capital, Tirana.

The Free Iran World Summit was to have been held at the camp with US lawmakers among the invitees.

A group calling itself “HomeLand Justice” claimed credit for the cyberattack, which used ransomware to scramble data. Ransomware is best known for its use in for-profit criminal extortion but is being increasingly wielded for political ends, particularly by Iran.

The claim by “HomeLand Justice” came on a Telegram channel in which documents purported to be Albanian residence permits of MEK members were posted, along with video of the ransomware being activated. The channel alleged corruption in the Albanian government and used hashtags including #Manez.

“This activity poses an active threat to public and private organizations in other NATO member states,” Mandiant said. “As negotiations surrounding the Iran nuclear deal continue to stall, this activity indicates Iran may feel less restraint in conducting cyber network attack operations going forward.”

At the time, the Tirana government said the hackers’ method was identical with attacks last year in other NATO states including Germany, Lithuania, the Netherlands and Belgium.

Iran’s mission to the United Nations did not immediately respond to a request for comment Thursday.

The MEK began as a Marxist group opposing the rule of Shah Mohammad Reza Pahlavi in Iran. It supported the 1979 Islamic Revolution, but soon had a falling out with Grand Ayatollah Ruhollah Khomeini and turned against his clerical government, carrying out a series of assassinations and bombings in the Islamic Republic.

The MEK later fled into neighboring Iraq, leading many in Iran to oppose the group. Although now largely based in Albania, the group claims to operate a network inside Iran.

FacebookTwitterLinkedin