In Albania’s capital city Tirana, all staff of the Iranian embassy, including diplomatic and security personnel, were ordered to leave the country within 24 hours on September 7, 2022.
The government’s decision to cut diplomatic ties with Iran follows a July 15 ransomware attack that temporarily shut down numerous Albanian government digital services and websites, Albanian Prime Minister Edi Rama said in a video statement.
“This is possibly the strongest public response to a cyber-attack we have ever seen,” commented John Hultquist, vice-president of US cybersecurity firm Mandiant.
After working with Microsoft and the FBI in an investigation into the cyber-attack, Tirana concluded that the cyber-attack was “state aggression."
Prime Minister of Albania @ediramaal announces the severing of all diplomatic ties with Iran and announces that Iran’s diplomats must depart the country within 24 hours as a response to an Iranian cyber-attack on Albanian government systems. pic.twitter.com/4aibJdal2U
— Mohammed Alyahya محمد اليحيى (@7yhy) September 7, 2022
“The deep investigation put at our disposal undeniable evidence that the cyberattack against our country was orchestrated and sponsored by the Islamic Republic of Iran, which had involved four groups for the attack on Albania,” Rama said.
Albania’s Decision Was “Based on Such Baseless Claims”, Responded Iran
A few hours later, an Iranian Foreign Ministry spokesperson denied the link with the attack and condemned the move by Albania, saying it is “based on such baseless claims to be an ill-considered and short-sighted action in international relations."
However, Albania’s conclusions converge with public evidence that Mandiant found in August, leading them to express “moderate confidence” that the attackers were acting in support of Tehran’s anti-dissident efforts.
"We were able to find in public repositories, including in a Telegram channel and on VirusTotal, some shared code proprietary to fake ransomware – as there was no financial motivation – that appear to have gone back almost a decade targeting the MEK,” Benjamin Read, Mandiant’s senior manager for cyber espionage analysis, told Infosecurity Magazine.
Attack Claimed by Iran-Linked Group HomeLand Justice
A group calling itself ‘HomeLand Justice’ claimed credit for the cyber-attack in a Telegram channel.
Albania, a NATO member since 2009, shelters about 3000 members of the Iranian opposition group Mujahedeen-e-Khalq (MEK), who live at Ashraf 3 camp in Manez, which is 30 kilometers (19 miles) west of Albania’s capital, Tirana.
In July, the Albania-based Iranian dissidents had planned to hold the Free Iran World Summit at the camp before eventually canceling the event, Associated Press reported.
⚠️ Confirmed: #Albania's National Agency for Information Society (AKSHI) network has been temporarily shut down to counter a major cyberattack; real-time network data show service cut for hours beginning Saturday night, impacting online government services 📉 pic.twitter.com/jkqCi8deaS
— NetBlocks (@netblocks) July 17, 2022
In that Telegram channel, investigators found documents purported to be Albanian residence permits of MEK members and a video of the ransomware being activated.
Rama accused Tehran of recruiting one of the most notorious international cyber-attack terror groups involved in “similar attacks on Israel, Saudi Arabia, United Arab Emirates, Jordan, Kuwait and Cyprus.” He said Tirana had shared the data and the investigation results with strategic partners and NATO countries.
In a statement, US National Security Council spokesperson Adrienne Watson supported the move by Albania. “The United States strongly condemns Iran’s cyberattack. We join in Prime Minister Rama’s call for Iran to be held accountable for this unprecedented cyber incident.”
The UK also condemned Tehran for the attack. “Iran’s reckless actions showed a blatant disregard for the Albanian people, severely restricting their ability to access essential public services,” UK Foreign Secretary James Cleverly said.
This attack is “a reminder that while the most aggressive Iranian cyber activity is generally focused in the Middle East region, it is by no means limited to it," said Mandiant’s Hultquist. It shows, as well as an earlier Russia-linked cyber-attack on Montenegro, how “critical government systems in NATO countries are vulnerable and under attack.”
“As negotiations surrounding the Iran nuclear deal continue to stall, this activity indicates Iran may feel less restraint in conducting cyber network attack operations going forward,” Hultquist added.
Albania expelled four Iranian diplomats for “threatening national security” in 2020 and 2018.