By Eyal Pinko, Ph.D
On September 6, 2022, the Albanian government cut diplomatic ties with the Islamic Republic of Iran and issued an ultimatum to the diplomatic staff at the Iranian embassy in the Albanian capital, Tirana, to leave the country within 24 hours.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) reported on the wave of hacking attacks in Albania, saying Iranian attackers gained access to Albanian systems some 14 months ago, long before the actual attacks started.
The first cyber-attack was reported on July 13, when Albanian government services became unavailable for some days.
An FBI investigation indicates the Iranian state cyber attack included a ransomware-style file encryptor and disk-wiping malware. Additionally, the actors maintained continuous network access for approximately a year, periodically accessing and exfiltrating email content.
From May to June 2022, Iranian state cyber actors conducted lateral movement, network reconnaissance, and credential harvesting on Albanian government networks. In June and August, messages were released against the Iranian dissident group hosted in Albania, the People's Mujahedin of Iran (MEK).
The hackers also posted polls on their channels, the website called "Homeland Justice" and a Telegram group with the same name, in which they asked Albanians what they would like them to publish.
One poll asked if they would like them to publish Albanian Prime Minister Edi Rama's emails.
In July 2022, the Albanian National Agency for Information Services was forced to shut down all online public services and government websites because of the attack.
The shutdown affected the websites of parliament and the prime minister's office, as well as e-Albania, the government portal that all Albanians, as well as foreign residents and investors, use to access a wide range of public services.
In the media, portals supportive of the government speculated that the attack came from Russia, while others pointed to Iran because of the government's sheltering of a group of Iranian dissidents in a camp not far from the capital, Tirana.
In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs (Tactics, Techniques, and Procedures) and malware to those used in July. These were likely carried out in retaliation for the public attribution of the July attacks and the severing of diplomatic ties between Albania and Iran.
Albanian PM Rama on September 7 expelled Iran's diplomats from the country after the massive cyber-attack on the government's key servers in July.
Two days after Albania blamed Iran for July's cyber-attack, fresh attacks targeted the Traveller Information Management System (TIMS). The attack caused queues at border points, where the registration of citizens and vehicles entering and leaving the country had to be done manually.
The cyber attacks continued on September 19, when the former Chief of Police's emails were released by a group that calls itself "Homeland Justice."
As we know from past cases, Iranian attack groups and the cyber teams of their proxies (such as Hezbollah and Hamas) are encouraged to attack again by successful attacks. At the same time, the political moves of the Albanian government will encourage the Iranians and their proxies to strike Albania's national infrastructure again as an act of revenge.
The cyber attack should be a wake-up call for nations to adopt national strategies and means to enforce and strengthen national cyber resilience.
The war between Russia and Ukraine and the Russian cyber attacks against EU and NATO countries reinforce this need.
In our world, cyber security is one of the most essential prerequisites of running a nation-state. It is directly linked to the economic, political, military, and societal security of any state.
The EU and NATO countries, focusing on the Balkan countries and governments, should understand that national security depends on cyber assets – networks, servers, information, and information systems. For example, a country's national security depends on the energy grid, water system, healthcare system, financial systems, transportation, and more – all of which are operated and run via the internet and other networks (including cellular networks).
What should be the initial step to building national cyber resilience?
National cyber security agencies should develop a cyber security strategy based on threat, risk, and impact analysis. The national cyber strategy should be built on three layers – technological solutions, national preparedness, and national resilience.
The implementation of this strategy should create a national ecosystem, including regulation, a national security operations center, awareness and training, technologies, war games, knowledge management, crisis management methodology, cyber intelligence solutions, and more.
The Iranian attack on Albania's national infrastructure is a wake-up call for the importance of implementing an efficient national cyber security strategy.
The cyber winter is coming.