The cybersecurity firm, Mandiant, has reported that the malicious activity against a NATO state, Albania, indicated a geographic expansion of Iranian disruptive cyber operations.
The attacks that occurred on July 17, forced the government to take serious actions, which included temporarily closing access to online public services and other government websites. According to Albania’s National Agency of Information Society, these steps were necessary because they had suffered a sophisticated and synchronized cybercriminal attack that originated outside Albania’s borders.
Mandiant reports that this was a politically motivated disruptive operation, which deployed a new ransomware family called ROADSWEEP. This ransomware family came with a ransom note that read: Why should our taxes be spent on the benefit of DURRES terrorists?
A group with the front named HomeLand Justice has claimed credit for the cyber offense and allegedly claimed that they used a wiper malware in the attacks. The exact nature of the wiper is still unclear, but according to Mandiant, an Albanian user submitted a sample for a ZeroCleare on July 19. Therefore, coinciding with the attacks.
ZeroCleare is designed to wipe the MBR or the master boot record and disk partitions on a Windows-based machine. IBM first documented it as it was a part of a campaign that targeted industrial and energy sectors in the Middle East. It is believed that ZeroCleare is a collaborative effort between multiple Iranian nation-states.
In the Albanian attacks, the actors also deployed an unknown backdoor named CHIMNEYSWEEP. This backdoor was capable of many actions, including listing and collecting files, taking screenshots, spawning a reverse shell, and even supporting keylogging functionality.
Mandiant, which was acquired by Google recently, notes that they did not have enough evidence to link the intrusion to a named adversarial collective, but they were moderately confident in the fact that one or more nefarious actors were operating in support of Iran’s objectives.