Ransomware Used Against Albania Linked To Iran

The recent cyber attacks that disrupted government systems in NATO member Albania have been linked to Iran. The hackers who carried out  cyber attacks on Albanian government websites were acting in response to the Iranian opposition group Mojahedin-e Khalq’s appearance at a conference in of Iranian dissidents in the Albanian city of Durres.  Forensic analysis of these attacks by researchers at Mandiant has revealed a new types of ransomware being used. 

Mandiant found the ransomware after it had been uploaded from Albania to a public malware repository a few days after the cyber attack was launched and have named it 'Roadsweep'. 

While the researchers could not confirm that the ransomware was indeed used in the attack, the malware encrypts files on compromised systems and then drops a ransom note. Mandiant researchers consider that other NATO members could be targeted in similar operations.

They also detected a website and Telegram channel named ‘HomeLand Justice’, which took credit for a ransomware operation aimed at the Albanian government. The site implied that a group of Albanian citizens unhappy with their government were responsible. 

However, on closer examination, this group appears to be an Iranian organisation designated as a terrorist group by the US State Department.

Following a thorough investigation, the researchers were able to determine that the Roadsweep ransomware shared code with a back door named Chimneysweep that allows its operators to take screenshots, log keystrokes and steal files. It was uploaded to a public malware repository along with a sample of a wiper malware that Mandiant has named 'Zeroclear'. 

While Mandiant was unable to confirm that this malware was used in this operation, Zeroclear was previously used by Iran-linked threat actors for disruptive activities in the Middle East

Albania's experience highlights the vulnerability of national IT infrastructure without adequate resilience. "The use of ransomware to conduct a politically motivated disruptive operation against the government websites and citizen services of a NATO member state in the same week an Iranian opposition groups' conference was set to take place would be a notably brazen operation by Iran-nexus threat actors," the researchers said.

Mandiant:    I-HLS:     Cyberscoop:   The Register:   Hacker News:     Security Week:      Industrial Cyber

You Might Also Read:

Israeli Government Websites Knocked Offline:

 

« Lazarus Targets FinTech Engineers With MacOS Malware
Technology To Combat Human Trafficking »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

Forcepoint

Forcepoint

Forcepoint provide a unified, cloud-centric platform that safeguards users, networks and data while eliminating the inefficiencies of managing multiple point security products.

Clusit

Clusit

Clusit is the Italian Association for Information Security, a nonprofit organization devoted to promoting every aspect of information security.

Apicrypt

Apicrypt

Apicrypt enables secure communications between health professionals by using strong encryption technologies.

Pole SCS (Secure Communicating Solutions)

Pole SCS (Secure Communicating Solutions)

SCS is a world-class competitiveness cluster dedicated to digital technologies in the fields of Microelectronics, Internet Of Things, Digital Security, Artificial Intelligence And Big Data.

Graphus

Graphus

Graphus provides a simple, powerful, automated solution that eliminates 99% of social engineering and spear phishing attacks against G Suite business Gmail users.

Somansa

Somansa

Somansa is a global leader in Data Security and Compliance solutions designed to protect valuable company information from leakage and help meet regulatory compliance requirements.

SynerComm

SynerComm

SynerComm is an IT solution provider specializing in network and security infrastructure, enterprise mobility, remote access, wireless solutions, audit, pentesting and information assurance.

Cellopoint

Cellopoint

Cellopoint is a leading manufacturer of information security and email lifecycle management (ELM) products.

Intuity

Intuity

The Intuity suite of services provides companies with a complete awareness of their security status and helps them in an efficient, efficient and sustainable improvement process.

Hub71

Hub71

Hub71 is a world-class tech ecosystem opening doors to global opportunities from an optimal business environment for entrepreneurial-minded innovators.

Acumera

Acumera

Acumera is a leader in managed network security, visibility and automation services.

Crayon

Crayon

Crayon is a customer-centric innovation and IT services company. We provide guidance on the best solutions for our clients’ business needs and budget with software, cloud, AI and big data.

AHAD

AHAD

AHAD provides cybersecurity, digital transformation, and risk management services and solutions to Government, Fortune 500, And Start-Up Companies in the Middle East region.

Elastio

Elastio

Elastio's cloud-native platform safeguards cloud data from the risks posed by ransomware, application failures and storage security vulnerabilities.

Cytacs

Cytacs

Cytacs is the AI-powered cyber security platform specifically designed for small and medium-scale enterprises.

EpicCyber

EpicCyber

Since 2011, Epic Cyber has pioneered the integration of enterprise cloud technology.