White House Plans 'Further Action' After Iranian Cyberattack on Albania

Two months after a major cyberattack that took down portions of Albania’s national infrastructure and resulted in sensitive data being leaked, the country’s prime minister has blamed Iran for the intrusion, and the White House is promising “further action to hold Iran accountable”.

In a video message posted Wednesday, Albanian Prime Minister said that the country had “indisputable evidence” that the July 15 attack was the work of Iranian actors and was orchestrated and sponsored by the Iranian government. The attack targeted critical government systems and forced the national government to take government services offline. The intrusion included the deployment of a new strain of ransomware that researchers at Mandiant called Roadsweep, as well as the Zeroclear wiper malware. In early August, Mandian published details on the attack and attributed it to Iranian threat actors.

In his message Wednesday, Prime Minister Edi Rama said the intrusion was the work of four groups working at the direction of the Iranian government. As a result of the attack, Albania has cut off diplomatic relations with Iran and expelled Iran’s diplomats from the country.

“For weeks now, while work has been ongoing 24/7 to restore all damages, thorough investigations have been conducted to identify the aggressor. In cooperation with specialized partner agencies against cyber terrorism, who brought their teams to Tirana, it was confirmed that, first, without a shadow of doubt, the July 15 attack on Albania was not an individual operation or a concerted action by independent criminal groups, but a State-sponsored aggression,” Rama said.

“The in-depth investigation provided us with indisputable evidence that the cyberattack against our country was orchestrated and sponsored by the Islamic Republic of Iran through the engagement of four groups that enacted the aggression – one of them being a notorious international cyber-terrorist group, which has been a perpetrator or co-perpetrator of earlier cyberattacks targeting Israel, Saudi Arabia, UAE, Jordan, Kuwait and Cyprus.”

Rama said that Albania has shared the technical evidence it has gathered with NATO countries and other allies. Technical experts from the United States government have been in Albania working with the Albanian government’s security team to recover from the attack, and on Wednesday National Security Council spokesperson Adrienne Watson said the U.S. plans more direct action.

“The United States will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace,” Watson said.

“Iran’s conduct disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public. Albania views impacted government networks as critical infrastructure. Malicious cyber activity by a State that intentionally damages critical infrastructure or otherwise impairs its use and operation to provide services to the public can have cascading domestic, regional, and global effects; pose an elevated risk of harm to the population; and may lead to escalation and conflict.”

"This was a really big impact. They did shut down public services in a sovereign country for a week."

The public response from the White House is unusual, but so was the effect of the intrusion, which took down quuite a few government services and erased some data.

"Deterrence isn’t a binary. People are going to do things, but I do think disruptive attacks aren’t as common as espionage and if you get access for one reason, you could drop a wiper, too. Russia, Iran and others have the capacity to do more wiper attacks than they do now and threy’re not. Why? Is that deterrence? I don't know," said Ben Read, director of intelligence analysis at Mandiant, said.

"This was a really big impact. They did shut down public services in a sovereign country for a week."

In its August report on the attack, Mandiant said that the intrusion was a politically motivated one and was timed to coincide with a conference being held in Albania that would bring together political opponents of the iranian government.

“Mandiant has frequently reported on Iranian threat activity targeting Iranian dissidents and opposition groups abroad by cyber espionage groups such as UNC788 and malware such as SCRAPWOOD, publicly known as MarkiRAT. Additionally, numerous recent lock-and-leak operations by suspected Iran-nexus personas such as Black Shadow and Moses Staff have involved disruptive activity against primarily Israeli organizations in an attempt to embarrass them,” the Mandiant report says.

“The use of ransomware to conduct a politically motivated disruptive operation against the government websites and citizen services of a NATO member state in the same week an Iranian opposition groups’ conference was set to take place would be a notably brazen operation by Iran-nexus threat actors.”

Mandiant's Read said the coordinated actions by the Albanian and U.S. governments is a good sign.

"Seeing everything coming out at once shows that the behind the scenes coordinatiion on cyber is getting better," he said.