A July cyberattack that was attributed to Iran prompted Albania to sever all diplomatic ties with that country, setting what the White House National Security Council calls a “troubling precedent for cyberspace.”
It is the first time that a country has severed diplomatic relations due to a cyberattack. The July 15 incident damaged critical infrastructure in Albania and shut down several government websites, leading to a call for help from NATO partners. Iranian diplomats were expelled from the country and the embassy was closed, with Albanian police finding little more than documents burned in a barrel after the last staff member left.
Albania renounces diplomatic ties with Iran after badly damaging cyberattack
Prime Minister Edi Rama ended diplomatic ties with Iran in a video statement on September 7, citing the July cyberattack and demanding that the country’s embassy staff leave within 24 hours. Rama acknowledged this was an “extreme response”, but said it was necessary given the damage caused to (and the additional risk posed to) public services and state archives.
The announcement follows a week-long investigation by the United States, which determined that four threat groups hired by the Iranian government were behind the cyberattack. Cybersecurity firm Mandiant noted that the campaign primarily targeted Iranian dissidents who had fled to the country and involved the malicious erasure of data rather than theft. The attack allegedly involved a modified version of ransomware intended to cause harm, which may have spread beyond the intended targets.
The conflict dates back to 2014, when members of the People’s Mojahedin Organization of Iran, the country’s largest opposition political group, were exiled and around 3,000 were allowed to settle in Albania. Albania had already severed diplomatic ties in 2018, expelling the ambassador amid accusations that terror attacks were being prepared ahead of a FIFA World Cup qualifier. Iran has since consistently hinted that Albania was working against it for regime change under pressure from the United States and Israel.
For its part, Iran has denied any responsibility for the cyberattack despite reports to the contrary from the FBI and Microsoft’s security team. Albania officially joined NATO in 2009, but has been part of the Euro-Atlantic Partnership Council since its first meeting in the early 1990s and established diplomatic relations with the United States shortly after forming a democratic government.
Mandiant said the cyberattack was primarily directed against dissidents in Albania, and the Albanian government said it had caught Iranian operatives making several previous attempts against dissidents. US investigators sent to the country called the cyberattack “reckless and irresponsible” as well as “unprecedented” because of the damage it caused to critical infrastructure in peacetime between nations.
Cyberattack causes damage to public services
The attack shut down several government websites and Albania says the hackers made attempts on public services, but everything was restored and there was no permanent data loss. The US National Security Council added that there were “hack and leak operations” afterward. This appeared to include posting scans of dissident residence permits on a Telegram channel, as well as finding ransomware containing a message that dissidents were being targeted.
The Albanian government says the cyberattack has similarities to other incidents involving NATO members over the past year; these include Belgium, Germany, Lithuania and the Netherlands. One of the groups Iran allegedly contracted for the attack has been linked to previous attacks on Israel, Saudi Arabia, the United Arab Emirates and a number of other countries in the Middle East.
Adding to the damage caused, the attack forced dissidents to cancel the planned Free Iran World Summit, which was to be held in Manëz in July and was to bring together US lawmakers. The United States strongly condemned the attack. The United States and Iran have long-standing unresolved tensions, but things escalated in 2019 with a US military buildup in the Persian Gulf after several merchant ships were reportedly damaged by Iran, and again in 2020 with a targeted strike on military commander Qasem Soleimani, which was followed by an Iranian missile attack on Iraqi bases housing US troops. The United States placed Iran under new sanctions, and further attacks on merchant ships occurred in the summer of 2021.
Mandiant said Iran would likely try to disrupt or interfere with the upcoming US midterm elections. Iran has been accused of trying to interfere in the 2020 election, and President Joe Biden has previously said the country should “pay the price” for those attempts. The two countries have not maintained official diplomatic relations since 1980.
Mandiant’s technical analysis of the cyberattack revealed that new data-wiping malware (a “Zeroclear” variant) and a new form of backdoor malware (“Chimneysweep”) were deployed along with ransomware of the “Roadsweep” family.