The cyber attack on the Albanian government suggests a new Iranian aggression

Tirana, Albania.

Pavel Toczynski | Getty Images

In mid-July, a cyber attack on the Albanian government knocked state websites and public services out of action for hours. With Russia’s ongoing war in Ukraine, the Kremlin may seem like the most likely suspect. But research released Thursday by threat intelligence firm Mandiant attributes the attack to Iran. And while Tehran’s spying operations and digital meddling have occurred around the world, Mandiant’s researchers say a disruptive attack from Iran on a NATO member is a noteworthy escalation.

The digital attacks on Albania on July 17 preceded the “World Summit of Free Iran”, a conference scheduled to be held in the town of Manëz, in western Albania, on July 23 and 24. The summit was affiliated with the Iranian opposition group Mujahadeen-e-Khalq, or the People’s Mojahedin Organization of Iran (often abbreviated MEK, PMOI or MKO). The conference was postponed the day before its scheduled start, citing reported but unspecified “terrorist” threats.

Mandiant researchers say the attackers distributed Roadsweep family ransomware and may also have used a previously unknown backdoor, dubbed Chimneysweep, as well as a new strain of the Zeroclear wiper. Past use of similar malware, the timing of the attacks, other clues from the Roadsweep ransomware note, and the activity of actors claiming responsibility for the attacks on Telegram all point to Iran, Mandiant says.

“This is an aggressive escalation step that we need to acknowledge,” says John Hultquist, Mandiant’s vice president of intelligence. “Iranian espionage is happening all over the world all the time. The difference here is that this isn’t spying. These are disruptive attacks, affecting the lives of everyday Albanians living within the NATO alliance. And it was essentially a coercive attack to force the government’s hand.”

Iran has conducted aggressive hacking campaigns in the Middle East, and against Israel in particular, and its state-backed hackers have penetrated and probed manufacturing, supply chain and critical infrastructure organizations. In November 2021, the governments of the United States and Australia warned that Iranian hackers were actively working to gain access to a range of networks, including those of transportation, health care and public health entities. “These Iranian government-sponsored APT actors can leverage this access for subsequent operations, such as data exfiltration or encryption, ransomware and extortion,” the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency wrote at the time.

On the global stage, however, Tehran has limited how far its attacks went, largely sticking to data exfiltration and reconnaissance. The country has nonetheless taken part in hack-and-leak operations, disinformation campaigns, and efforts to meddle in foreign elections, including in the United States.

“We have grown accustomed to seeing Iran aggressive in the Middle East, where that activity has never stopped, but outside the Middle East they have been much more moderate,” says Hultquist. “I am concerned that they may be more willing to exploit their capabilities outside the region. And they clearly have no qualms about targeting NATO states, which suggests to me that whatever deterrents we believe exist between us and may not exist at all.”

With Iran claiming it now has the capability to produce nuclear warheads and the country’s representatives meeting with US officials in Vienna on a possible revival of the 2015 nuclear deal between the countries, any signs of Iran’s possible intentions and risk tolerance when it comes to dealing with NATO are significant.

This story originally appeared on wired.com.