It was only a few weeks ago that I was writing about a CISA alert warning about the dangers of Iranian-government-sponsored hackers exploiting Log4J vulnerabilities to strike at varied targets across the globe. I argued that Iran’s actions illustrate what the future of cyber warfare will look like as countries increasingly strike at digital rather than physical targets to exert their influence. Hammering home that point, CISA has already issued another alert cautioning against an entirely different kind of attack perpetrated by Iranian hackers.
With this latest action, Iran has shown both a willingness to use cyber attacks to achieve their geopolitical ambitions, along with ingenuity in their methods. Of course, most countries are jockeying with each other in cyberspace, and labeling any of their motivations as “good” or “bad” probably misunderstands the pugilistic nature of international relations. Other countries are doing what Iran does – and putting even more resources behind the effort. But even with those caveats, it’s hard not to see Iran as a country both willing and able to play the role of cyber supervillain – someone who makes digital space more dangerous for everyone.
To help put that claim in a greater context, let’s take a look at the latest attack.
Attack Autopsy
Starting around May 2021, Iranian state cyber actors calling themselves “Homeland Justice” (with nationalistic flair) infiltrated the network of the Albanian government. They hid inside for the next year, maintaining continuous network access while quietly accessing and exfiltrating email content. The attackers conducted lateral movements, ran network reconnaissance, and began credential harvesting beginning in May 2022. And by the middle of that summer, they had everything they needed to launch a devastating ransomware attack. The Albanian government never stood a chance.
Ransomware was launched on their networks in July 2022, accompanied by a threatening message directed at a group critical of Iran’s Revolutionary Guard with several thousand members living in Albania. While simultaneously stealing and encrypting the data with one attack, the offenders were also wiping raw disk drives using a separate attack in a strategy orchestrated to inflict maximum damage almost immediately. Numerous government digital services and websites were temporarily knocked offline. Unfortunately, that was just the start.
Homeland Justice then created a website and social media profiles taking credit for the attacks and publishing proof. Their goal was not just to gloat. They also release the data, first posting a poll to ask what data people wanted, then releasing videos and zip files with the leading responses. So not only was the Iranian government stealing another country’s data – they were offering it up for anyone else to exploit for whatever purposes they wanted. Twisting the knife even more, Homeland Justice struck the Albanian government again in September 2022 with a similar barrage of ransomware attacks.
Understandably enraged, the Albanian government formally cut diplomatic ties with Iran – the first such response to a cyber attack. The Albanian Foreign Minister Olta Xhacka commented, “The aggressiveness of the attack, the level of attack, and moreover the fact that it was a fully unprovoked attack left no space for any other decision.”
Implications of the Attack
The technical details of the attack – plus the prevention CISA suggests – are worth a closer look, especially since Iran has been willing to attack almost any target anywhere. But in this instance, the mechanics of the attack are less interesting than the motivations behind it and the implications for future attacks.
Iran sponsored this attack ostensibly in response to the anti-government sentiment gaining traction in parts of the population. Cracking down on dissent is nothing new for governments. But doing so by launching a multi-month cyber attack on a small, distant country, bragging about it online, then offering to share the spoils has no historical precedent that I can think of. What effect this will have on the ongoing protest movement in Iran remains to be seen. No matter the outcome, though, Iran has pioneered a new way for states to undermine activist movements, and many will not hesitate to deploy similar tactics to maintain their hold on power.
I’m also struck by how this attack weaves together different tactics and techniques, combining a lengthy infiltration effort with a shock-and-awe ransomware attack followed by online data leaks and a surprise second punch. It’s devious. It’s also a little bizarre in its determination. I’m sure an Iran expert could give some important context into why Iran hit Albania so hard. But when they felt compelled to do so, they had both the means and the certainty of success – how many attacks between nation-states can say the same thing?
What will Iran do next? Even if you don’t agree with my “cyber supervillain” characterization, it’s a question everyone’s wondering. And given recent events, they should probably be worrying about it too.
#iran #cyberattack
