A July cyber attack attributed to Iran has caused Albania to cut all diplomatic ties with that country, setting what the White House National Security Council calls a “troubling precedent for cyberspace.”
This is the first time a nation has severed diplomatic ties over a cyber attack. The July 15 incident damaged critical infrastructure in Albania and shut down several government websites, prompting a call for assistance from NATO partners. Iran’s diplomats have been expelled and the embassy closed; Albanian police found little more than documents burned in a barrel there after the last of the personnel had left.
Albania foregoes diplomatic ties with Iran after severely damaging cyber attack
Prime Minister Edi Rama ended diplomatic ties with Iran in a video statement on September 7, citing the July cyber attack and requiring the country’s embassy staff to leave within 24 hours. Rama acknowledged that it was an “extreme response” but said that it was necessary given the damage already done to, and the continuing risk to, public services and state records.
The announcement followed a weeks-long investigation by the United States, which determined that four threat groups hired by the Iranian government were behind the cyber attack. Cybersecurity firm Mandiant noted that the campaign was primarily targeted at Iranian dissidents who had fled to the country and involved malicious data wiping rather than theft. The attack is believed to have used a modified ransomware strain whose purpose was destruction rather than extortion, and which may have spread beyond the intended targets.
The conflict dates back to 2014, when members of the People’s Mujahideen Organization of Iran, the largest opposition political group in the country, were exiled and about 3,000 were allowed to settle in Albania. Albania had already expelled Iran’s ambassador in 2018 amid accusations that a terrorist attack was being plotted against the group during a FIFA World Cup qualifier. Iran has since consistently implied that Albania was working against it toward regime change under pressure from the US and Israel.
For its part, Iran has denied responsibility for the cyber attack despite reports from the FBI and Microsoft’s security team to the contrary. Albania formally joined NATO in 2009 but has been part of the Euro-Atlantic Partnership Council since its formation in the 1990s, and has had diplomatic ties with the US since shortly after it established a democratic government.
Mandiant said that the cyber attack was primarily directed at dissidents in Albania, and the Albanian government said that it had caught Iranian agents making several previous attempts against the dissidents. US investigators sent to the country called the cyber attack “reckless and irresponsible” as well as “unprecedented,” given the damage it did to critical infrastructure while the two nations were at peace.
Cyber attack causes damage to public services
The attack shut down several government websites, and Albania says that the hackers also made attempts on public services, but that everything has been restored and there was no permanent data loss. The US National Security Council added that there were subsequent “hack and leak operations.” These appeared to include the posting of scanned dissident residence permits to a Telegram channel, as well as the discovery of a piece of ransomware carrying a message indicating that the dissidents were being targeted.
The Albanian government said that the cyber attack bore similarities to other incidents involving NATO members in the past year, including Belgium, Germany, Lithuania and the Netherlands. One of the groups that Iran reportedly contracted for the attack has been linked to prior attacks on Israel, Saudi Arabia, the United Arab Emirates and a number of other Middle Eastern countries.
In addition to the damage caused, the attack forced the dissidents to cancel the planned Free Iran World Summit, which had been scheduled to be held in Manëz in July and was slated to have US lawmakers in attendance. The US strongly condemned the attack. The US and Iran have longstanding unresolved tensions. These escalated in 2019 with a US military buildup in the Persian Gulf after several merchant ships were allegedly damaged by Iran, and again in 2020 with a targeted strike on military commander Qasem Soleimani, followed by an Iranian missile attack on Iraqi bases housing US troops. The US placed Iran under new sanctions, and further merchant ship attacks occurred in the summer of 2021.
Mandiant has advised that Iran is likely to attempt to disrupt or interfere with the upcoming US midterm elections. Iran has been accused of attempting to interfere in the 2020 election, and President Joe Biden has previously said that the country should “pay a price” for these attempts. The two countries have had no formal diplomatic ties since 1980.
Mandiant’s technical analysis of the cyber attack found that a new variant of the “ZeroCleare” data-wiping malware and a new backdoor (“Chimneysweep”) were deployed alongside ransomware from the “Roadsweep” family.