Ransomware Used Against Albania Linked To Iran

The recent cyber attacks that disrupted government systems in NATO member Albania have been linked to Iran. The hackers who carried out  cyber attacks on Albanian government websites were acting in response to the Iranian opposition group Mojahedin-e Khalq’s appearance at a conference in of Iranian dissidents in the Albanian city of Durres.  Forensic analysis of these attacks by researchers at Mandiant has revealed a new types of ransomware being used. 

Mandiant found the ransomware after it had been uploaded from Albania to a public malware repository a few days after the cyber attack was launched and have named it 'Roadsweep'. 

While the researchers could not confirm that the ransomware was indeed used in the attack, the malware encrypts files on compromised systems and then drops a ransom note. Mandiant researchers consider that other NATO members could be targeted in similar operations.

They also detected a website and Telegram channel named ‘HomeLand Justice’, which took credit for a ransomware operation aimed at the Albanian government. The site implied that a group of Albanian citizens unhappy with their government were responsible. 

However, on closer examination, this group appears to be an Iranian organisation designated as a terrorist group by the US State Department.

Following a thorough investigation, the researchers were able to determine that the Roadsweep ransomware shared code with a back door named Chimneysweep that allows its operators to take screenshots, log keystrokes and steal files. It was uploaded to a public malware repository along with a sample of a wiper malware that Mandiant has named 'Zeroclear'. 

While Mandiant was unable to confirm that this malware was used in this operation, Zeroclear was previously used by Iran-linked threat actors for disruptive activities in the Middle East

Albania's experience highlights the vulnerability of national IT infrastructure without adequate resilience. "The use of ransomware to conduct a politically motivated disruptive operation against the government websites and citizen services of a NATO member state in the same week an Iranian opposition groups' conference was set to take place would be a notably brazen operation by Iran-nexus threat actors," the researchers said.

Mandiant:    I-HLS:     Cyberscoop:   The Register:   Hacker News:     Security Week:      Industrial Cyber

You Might Also Read:

Israeli Government Websites Knocked Offline:

 

« Lazarus Targets FinTech Engineers With MacOS Malware
Technology To Combat Human Trafficking »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

CERT.hr

CERT.hr

CERT.hr is the national authority competent for prevention and protection from computer threats to public information systems in the Republic of Croatia.

Kualitatem

Kualitatem

Kualitatem Inc. is an independent software testing and information systems auditing company

Rubicon Workflow Solutions

Rubicon Workflow Solutions

Rubicon is a leading provider of managed IT support and strategic services, specialising in creative and mixed platform environments.

Virsec Systems

Virsec Systems

Virsec detects and remediates previously “indefensible” advanced memory-based attacks on critical applications and server endpoints.

Volexity

Volexity

Volexity is a leading provider of threat intelligence and incident suppression services and solutions.

TeskaLabs

TeskaLabs

TeskaLabs is a software vendor of cybersecurity and data privacy products.

CYBAVO

CYBAVO

CYBAVO is a cryptocurrency security company founded by experts from the cryptocurrency and security industries.

CoursesOnline

CoursesOnline

CoursesOnline.co.uk is a database listing IT security courses from providers across the UK.

Intersistemi Italia

Intersistemi Italia

Intersistemi is a leading Italian company in the field of information technology integration and digital transformation including cybersecurity.

Cyber Defense Networking Solutions (CDNS)

Cyber Defense Networking Solutions (CDNS)

CDNS is a global network infrastructure provider whose platforms are engineered for security, optimized for speed and designed for resiliency.

link22

link22

link22 offers a high level of expertise within IT security and system solutions. We help public and private actors with highly secure IT-solutions.

National Cybersecurity Agency (ACN) - Italy

National Cybersecurity Agency (ACN) - Italy

The ACN is the National Authority for Cybersecurity in Italy. the Agency promotes public-private initiatives to strengthen the national cybersecurity and resilience posture.

iNovex

iNovex

iNovex is a community of innovators that work together to solve hard problems. We partner with you to meet problems head-on and push boundaries with technology solutions.

Reaktr.ai

Reaktr.ai

Reaktr.ai is founded on the vision of using AI as a catalyst to propel industries into a future where we redefine what's possible. Fortify your cybersecurity defense with our AI-powered platform.

Backslash Security

Backslash Security

With Backslash, AppSec teams gain visibility into critical risks in their apps based on reachability and exploitability.

Hilltop Technologies

Hilltop Technologies

Hilltop Technologies is a cybersecurity company specialized in managed security services and consulting tailored for all sectors from higher education to publicly traded companies.