Microsoft: Iranian hackers attacked the Albanian government more than a year before the main hack


An investigation into the Albanian government hack found that the responsible Iranian state-sponsored hackers gained access to systems more than a year before the end of the attack.

The hacking group, which several organizations including Microsoft and the UK and US governments attribute to Iranian state support, is believed to have gained access in May 2021, 13 months before the widely reported July 15, 2022 hack.

It is believed that the hackers first gained access to the victim’s systems by exploiting a vulnerability in a then two-year-old unpatched Microsoft SharePoint server (CVE-2019-0604), before cementing that access two months later through a misconfigured service.

Microsoft’s technical report on the hack was released this week and contained several revelations about the incident, which is being investigated by the Albanian government.

In addition to evidence that hackers had been entrenched in Albania’s systems for more than a year, Microsoft also found evidence that email data was exfiltrated as early as October 2021 and continued until January 2022.

Exchange logs also revealed that, between November 2021 and May 2022, the same Iran-linked hackers exfiltrated data from other victims consistent with Iran’s past interests, Microsoft said, such as Jordan, Kuwait and the United Arab Emirates, among others.

Findings from the investigation released this week showed that the major hack announced this week, which led to Albania cutting diplomatic ties with Iran, was merely the culmination of a year-long spying campaign against the country and other targets.

Microsoft was also able to reveal that the attack consisted of four phases, with each phase associated with a different state-sponsored hacking group.

One group was tasked with reconnaissance of the victim’s infrastructure and another with exfiltration. A third actor was responsible for gaining initial access and carrying out some of the data theft, and a fourth group was tasked with delivering the ransomware and wiper malware payloads.

The data exfiltration was performed, at least in part, using the Jason tool – an offensive security tool consistent with activities by past Iran-affiliated groups such as APT34.

The methods used at the height of the attack were also consistent with previous activities by state-sponsored hackers linked to Iran. According to Microsoft, ransomware was deployed on the victim’s system and then a wiper malware was used.

Increased use of wiper malware was one of the most common predictions made by cyber security experts earlier this year.

Speaking with IT Pro in January, Maya Horowitz, director of threat intelligence and research products at Check Point, predicted the growing use of wiper malware and that it would be particularly popular with hacktivists.

The use of wipers has also been observed in the cyber war between Russia and Ukraine – Russia used such malware against Ukraine in the early stages of the conflict before seemingly stopping abruptly.

Microsoft said that despite the year-long campaign, the final phase of the attack — deploying ransomware and wiper malware — was “largely unsuccessful” as the “overall attempted wipe had less than 10% impact on the customer environment.”

The hackers went to great lengths to infiltrate the Albanian government’s systems. Their activities included exploiting vulnerabilities to establish persistence, reconnaissance, credential harvesting, and evasive maneuvers such as disabling security products.

Why did Iran hack Albania?

The messaging used during the attack, combined with the choice of targets and binaries signed with digital certificates linked to Iran, pointed to Iran as the culprit behind the campaign.

The ransom note displayed on Albanian systems indicated that the target of the attack was the Mujahedin-e Khalq (MEK), the main political opposition group in Iran, which lives in exile in Albania.

The ransom note also featured the symbol of the hacking group Predatory Sparrow, believed to be responsible for multiple cyberattacks on Iran-linked targets in 2021.

Such incidents affected Iran’s transportation network, its manufacturing companies and payment systems, which ultimately closed gas stations across the country.

The MEK is believed to be linked to the hacking group Predatory Sparrow, which was most recently blamed for attacking the Tehran city government’s surveillance cameras and defacing its website, according to local media.

The July 15 Iranian attack, revealed earlier this week, came after a series of cyberattacks on Iran and a week ahead of the MEK’s planned “Free Iran World Summit,” which was canceled this year amid fears of terrorist attacks.
