State-backed Iranian threat actors were able to remain undetected inside an Albanian government network for 14 months before deploying destructive malware in July 2022, a new report has revealed.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint alert to shed more light on the campaign, which resulted in Albania severing diplomatic ties with Iran – the first time a cyber-incident has led to such an outcome.
Identifying the attack group as the state-sponsored ‘HomeLand Justice,’ the report claimed that initial access was achieved through exploitation of CVE-2019-0604, a remote code execution bug in SharePoint. The vulnerability, which has a CVSS score of 8.6, was flagged by the UK’s National Cyber Security Centre (NCSC) in October 2020.
A few days after gaining network access, the threat actors proceeded to a persistence and lateral movement phase, using several .aspx webshells for persistence and RDP, SMB and FTP for lateral movement.
Between one and six months after initial access, they compromised a Microsoft Exchange account and began probing for an admin account, the report claimed.
The US authorities claimed HomeLand Justice managed to exfiltrate significant volumes of email data. The group also managed to compromise two victim VPN accounts.
Finally, 14 months after the start of the operation, they deployed a ransomware-style file encryptor and disk-wiping malware.
The campaign itself seems to have been a response to Albania’s sheltering of Iranian opposition group Mujahideen-e-Khalq (MEK). After Albania cut diplomatic ties with Iran in September 2022, the attackers used similar tactics to launch another wave of attacks, this time impacting border control systems.
In this case, attribution seems to have been relatively straightforward. HomeLand Justice claimed credit for the campaign, posting videos of the attack on its website and leaking information that it had stolen, according to CISA.
The incident is another reminder of the need for effective detection and response tooling to minimize attacker dwell time, which globally stands at a median of 21 days.
“Between May and June 2022, Iranian state cyber actors conducted lateral movements, network reconnaissance, and credential harvesting from Albanian government networks,” noted the report.
“In July 2022, the actors launched ransomware on the networks, leaving an anti-Mujahideen-e-Khalq (MEK) message on desktops. When network defenders identified and began to respond to the ransomware activity, the cyber actors deployed a version of ZeroCleare destructive malware.”