Ransomware Used Against Albania Linked To Iran

The recent cyber attacks that disrupted government systems in NATO member Albania have been linked to Iran. The hackers who carried out  cyber attacks on Albanian government websites were acting in response to the Iranian opposition group Mojahedin-e Khalq’s appearance at a conference in of Iranian dissidents in the Albanian city of Durres.  Forensic analysis of these attacks by researchers at Mandiant has revealed a new types of ransomware being used. 

Mandiant found the ransomware after it had been uploaded from Albania to a public malware repository a few days after the cyber attack was launched and have named it 'Roadsweep'. 

While the researchers could not confirm that the ransomware was indeed used in the attack, the malware encrypts files on compromised systems and then drops a ransom note. Mandiant researchers consider that other NATO members could be targeted in similar operations.

They also detected a website and Telegram channel named ‘HomeLand Justice’, which took credit for a ransomware operation aimed at the Albanian government. The site implied that a group of Albanian citizens unhappy with their government were responsible. 

However, on closer examination, this group appears to be an Iranian organisation designated as a terrorist group by the US State Department.

Following a thorough investigation, the researchers were able to determine that the Roadsweep ransomware shared code with a back door named Chimneysweep that allows its operators to take screenshots, log keystrokes and steal files. It was uploaded to a public malware repository along with a sample of a wiper malware that Mandiant has named 'Zeroclear'. 

While Mandiant was unable to confirm that this malware was used in this operation, Zeroclear was previously used by Iran-linked threat actors for disruptive activities in the Middle East

Albania's experience highlights the vulnerability of national IT infrastructure without adequate resilience. "The use of ransomware to conduct a politically motivated disruptive operation against the government websites and citizen services of a NATO member state in the same week an Iranian opposition groups' conference was set to take place would be a notably brazen operation by Iran-nexus threat actors," the researchers said.

Mandiant:    I-HLS:     Cyberscoop:   The Register:   Hacker News:     Security Week:      Industrial Cyber

You Might Also Read:

Israeli Government Websites Knocked Offline:

 

« Lazarus Targets FinTech Engineers With MacOS Malware
Technology To Combat Human Trafficking »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Zentek Digital Investigations

Zentek Digital Investigations

Zentek has been providing digital forensics services to the public and private sector for computers and mobile devices since 2004.

BakerHostetler

BakerHostetler

BakerHostetler is one of the largest law firms in the USA We have five core practice groups including a specialty practice team in Privacy and Data Protection.

Cyanre

Cyanre

Cyanre delivers state of the art cyber forensic services through software technologies and procedures that exceed conformities of major law enforcement agencies across the globe.

Trusted Knight

Trusted Knight

Trusted Knight is a leading provider of security software solutions focused on defeating newly developed malware and crimeware trojans.

MBL Technologies

MBL Technologies

MBL Technologies specializes in information assurance, enterprise security, privacy, and program/project management.

Sonda

Sonda

SONDA is the leading systems integrator and IT service provider in Latin America.

iosiro

iosiro

iosiro was created to guide companies through securely using blockchain technologies. We help teams launch and manage ICOs, deploy secure dApps, and integrate private networks into business practices.

DataTribe

DataTribe

DataTribe is a cyber startup foundry, leveraging deep experience and expertise to build and launch successful product companies.

K2 Cyber Security

K2 Cyber Security

K2 Cyber Security delivers the Next Generation Application Workload Protection Platform to secure web applications and container workloads against sophisticated attacks.

QNu Labs

QNu Labs

QNu Labs’s quantum-safe cryptography products and solutions assure unconditional security of critical data on the internet and cloud across all industry verticals, globally.

Quantum Armor

Quantum Armor

Quantum Armor is a next-gen cyber security monitoring platform that allows you to continuously stay aware of your security posture, and proactively spot trends, vulnerabilities and potential attacks.

NorthStar

NorthStar

NorthStar provide the visibility needed to track and reduce risk through risk-based vulnerability management and vulnerability exploit prediction.

Turk Telekom

Turk Telekom

Turk Telekom is the first integrated telecommunications operator in Turkey.

Plerion

Plerion

Plerion is an all-in-one Cloud Security Platform that supports workloads across AWS, Azure, and GCP delivering cloud security posture management, workload security, data security and more.

Netcraft

Netcraft

Netcraft is a global leader in cybercrime detection and disruption, combining cutting-edge technology with decades of experience to protect organizations of all sizes from digital threats and attacks.

appNovi

appNovi

appNovi inventories everything to map the attack surface, identify missing security agents, and prioritize vulnerabilities based on exposure.

Dedagroup (Deda)

Dedagroup (Deda)

Dedagroup provide application solutions and IT services to bring innovation at the core of business processes.

AppSOC

AppSOC

AppSOC is a leader in Application Security Posture Management (ASPM) and Code-to-Cloud Vulnerability Management.