CyberWire Daily - CISA Alert AA22-264A – Iranian state actors conduct cyber operations against the government of Albania. [CISA Cybersecurity Alerts]
Episode Date: September 22, 2022

In July 2022, Iranian state cyber actors—identifying as “HomeLand Justice”—launched a destructive cyber attack against the Government of Albania which rendered websites and services unavailable. An FBI investigation indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber attack, which included a ransomware-style file encryptor and disk wiping malware.

Links: AA22-264A Alert, Technical Details, and Mitigations; CISA’s free Cyber Hygiene Services (CyHy); CISA’s zero-trust principles and architecture; Iran Cyber Threat Overview and Advisories.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Transcript
You're listening to the Cyber Wire Network, powered 21st, 2022.
In July 2022, Iranian state cyber actors, identifying as Homeland Justice, launched a destructive cyber attack against the Government of Albania which rendered websites and services unavailable. An FBI investigation indicates Iranian state cyber actors acquired initial access to the victim's network approximately 14 months before launching the destructive cyber attack, which included a ransomware-style file encryptor and disk-wiping malware.
The actors maintained continuous network access for approximately a year, periodically accessing and exfiltrating email content.
Between May and June 2022, Iranian state cyber actors conducted lateral movements, network reconnaissance, and credential harvesting from Albanian government networks.
In July 2022, the actors launched ransomware on the networks.
When network defenders identified and began to respond to the ransomware activity, the cyber actors deployed a version of ZeroCleare destructive malware.
In June 2022, Homeland Justice created a website and multiple social media profiles posting anti-MEK messages. Between July and August 2022, Homeland Justice claimed credit for the cyber attack on Albanian government infrastructure, posted videos of the cyber attack on their website, and social media accounts associated with Homeland Justice demonstrated a repeated pattern of advertising Albanian government information for release.
Most recently, Iranian cyber actors launched another wave of cyber attacks against the government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran.
Visit the alert documentation linked in the show notes for additional information on recent cyber operations against the government of Albania, including relevant TTPs, IOCs, and malware signatures used by the Iranian cyber actors, and recommended mitigation actions for anyone targeted by these threat actors.
All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or 888-282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at 855-292-3937 or cywatch@fbi.gov.
This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency,
and edited and adapted for audio by the Cyber Wire as a public service.
Please visit www.cisa.gov to read the full report, which may include additional details, links, and illustrations.
A link to this report can be found in the show notes.
This has been a CISA Cybersecurity Alert.