
How Albania Became a Target for Cyberattacks


A massive hack led to the expulsion of Iranian diplomats—but Tehran may have had help from Moscow.

When the street housing the Russian Embassy in the Albanian capital, Tirana, was renamed “Free Ukraine,” the Russians decided to move. They methodically dismantled the cameras outside the building, removing communications antennas, and lowered the flag.

The Iranians, however, did not have the luxury of time. After the Islamic Republic was held responsible for cyberattacks on the Albanian government, in a televised address on Sept. 7, 2022, Prime Minister Edi Rama gave Tehran’s diplomats just 24 hours to leave the country.

As night fell, witnesses saw staff burning documents in a metal barrel on the Iranian Embassy grounds as part of a swift, crude, and desperate evacuation before armed Albanian Police special operations forces entered with dogs normally used to find explosives.

It was an unprecedented severing of diplomatic ties over alleged cyberattacks, even if Iran had a clear motivation. Investigators believe that Albania was targeted in retaliation for its sheltering of thousands of members of Mujahedin-e-Khalq (MEK), a once violent cult-like Iranian opposition group residing in a fortified camp in Manëz, Albania, after being evacuated from Iraq in 2016.

The still-intact surveillance equipment left near the Iranian Embassy’s gate is a monument to the fact that hostile eyes are still on Albania, and that Albania, a NATO member, remains under attack by malign foreign actors seeking to damage one of the most vulnerable members of the military alliance.

“It is still a dirty cyberwar going on,” Rama told Foreign Policy in his office in Tirana in January, its walls covered with the artist prime minister’s futuristic doodles. “It is the nature of the cyberwar to have all the time to have this kind of back and forth,” he said over the chirps of the exotic birds he keeps outside his door.

Albania is suffering under continuing cyberattacks that are digitally devastating the country’s critical computerized public and private infrastructure. Hackers gained continuous access to Albanian government servers in 2021, according to the U.S. Federal Bureau of Investigation (FBI), harvesting data before using ransomware and launching a destructive “wiper” attack that destroyed public data with disk-wiping malware in July 2022.

They also shut down government websites using messaged ransomware, a catastrophic disruption for Albanian public services that had been digitized to circumvent slow and corrupt bureaucratic processes. As the vast majority of government services had been brought online, all aspects of the lives of Albanian citizens, from births to marriages to deaths, were thrown into disarray.

Hackers, too, gathered, deleted, and circulated classified information including the identities of hundreds of undercover Albanian intelligence officers, published the emails of the director of intelligence, and continue to leak sensitive information through a website and Telegram channels, hampering the government’s ability to govern. The information included more than 17 years’ worth of data tracking everyone who entered and exited the country from the government’s Total Information Management System (TIMS), as well as from private institutions such as bank customer financial records. “It was very, very severe,” Rama said regarding the impact of the attacks.

Iranian state actors have been blamed for the most conspicuous cyber operations carried out last year, with the FBI and the U.S. Cybersecurity and Infrastructure Security Agency, private companies Microsoft and Mandiant, and the U.K. National Cyber Security Centre all naming Iran as the sole perpetrator in their reports.

Rama is fully aware that Albania’s decision to allow the MEK, the Iranian regime’s largest external organized opposition faction, to create a base from which they have been able to establish themselves as a prospective government in exile was a controversial one. The group has carried out political activities, holding annual summits (the July cyberattack took place before a planned MEK conference) and hosting foreign dignitaries, including Mike Pompeo and Mike Pence. Still, Rama defends the move.

“They were massacred by raids of Iranian secret service [in Iraq] and then our American friends asked us if we could open our door,” the prime minister said. “We honored our tradition of sheltering people. It is a long tradition in Albania. It is what made Albania the only country in Europe to have more Jews after the Second World War than before,” he said, with the enduring charm that led him to win three democratic elections, despite numerous scandals.

Aggression is a signature of Iranian cyber operations, according to cyber experts. The Chinese are interested in espionage, the Russians in influence, and the Iranians in aggression. And the attacks on Albanian internet infrastructure are perhaps the most aggressive on a state in peacetime in history.

“With the exception of the attacks on the Ukrainian government, post-invasion, which obviously are happening in the context of shitloads of bombs getting dropped on Ukraine…this one is notable because it is an attack directly on a government,” said Benjamin Read of Mandiant, which was brought in to investigate the attacks. “So that is really the distinguishing feature here: a full-frontal attack on a government that you are not at war with,” he said.

For some, the size, scope, sophistication, and aggressive nature of the Albanian attacks, plus the ransomware operations from cybercriminal groups operating from Russian territory, mean that Iran was not acting alone. “I think it is a collaboration between Russia and Iran,” said Gentian Progni, a digital entrepreneur and self-described “whistleblower” based in Tirana, “because the range of the attacks were too big.”

Progni, who learned how to code as a child while housebound during a family blood feud that he cannot elaborate on for fear of reigniting it, points out that the leaked information from the hacks was disseminated from a Russian website, justicehomeland.ru, which Russian authorities have yet to take down, and through Telegram channels also used to spread pro-Russian propaganda.

He also notes that during the same period in which Albania was attacked, other attacks were carried out throughout southeastern Europe against Montenegro, Bulgaria, Kosovo, and North Macedonia by Russian-speaking groups.

The most recent high-profile attacks were carried out against Air Albania, the country’s national airline carrier, by the LockBit group, a notorious cybercriminal gang operating from Russian territory, with Russian-speaking members. It does not attack entities or states within the Russian-dominated Commonwealth of Independent States, according to Tim Mitchell, an expert on LockBit at SecureWorks, a U.S. cybersecurity company.

Last November, a 33-year-old Russian and Canadian national was charged with participating in the LockBit global ransomware campaign and is awaiting extradition to the United States. LockBit also made headlines last month for an attack on Royal Mail, Britain’s primary postal and parcel firm, forcing it to shut down all international mail and parcel deliveries.

North Macedonia’s attack was linked to the BlackByte group, which avoids attacking Russia-based entities. Progni shared with Foreign Policy a screenshot showing numerous Russian IP addresses used for the Kosovo attacks. “So basically, Russia and Iran attacked Albania,” he said.

“Listen, I know that it is very politically correct to blame Russia for everything nowadays, but I think they have enough blame on them,” Rama said. “In this case, no, there is no Russian participation, because the [FBI] investigation did not show any.”

Yet both Rama and the FBI have come under fire in Albania following a recent scandal in which the Albanian government is accused of bribing a former FBI official to push for FBI investigations into areas that damaged the Albanian opposition.

“Domestic law enforcement agencies in Albania…have viewed the FBI in this case as institutionally weak, politically exploitable, and even suspected of involvement in corrupt affairs and influence trafficking for the benefit of powerful individuals in third countries,” said Zef Preci, director of the Center for Economic Research, a nongovernmental organization in Albania.

The FBI declined to comment for this article.

Even if the number of attackers involved in targeting Albania remains unclear, the Russian and Iranian partnership is undeniably close in the battlespace of Ukraine, where Tehran has fast become Moscow’s major military backer in the war, most notably with its supply of lethal kamikaze drones that have devastated Ukrainian infrastructure. In a December briefing, White House National Security Council coordinator John Kirby said, “Russia is offering Iran an unprecedented level of military and technical support that is transforming their relationship into a full-fledged defense partnership.”

Source: Foreign Policy

