Iran-Backed Hackers Behind Cyberattack On Albanian Government Sites

Former US Secretary of State Mike Pompeo visiting the MEK leader Maryam Rajavi in Albania in May 2022

A leading US cybersecurity firm said Thursday that a cyberattack that temporarily shut down numerous Albanian government digital services and websites in mid-July was carried out by Iran-backed hackers.

Cybersecurity firm Mandiant expressed “moderate confidence” that the attackers were acting in support of Tehran’s efforts to disrupt a conference of the exiled Albania-based opposition group Mujahideen-e Khalq (MEK).

In its report, the company said that several factors reveal that the attack was carried out by pro-Iran hackers, including the timing, the content of a social media channel used to claim responsibility, and similarities between the software code used and malware long used to target Farsi and Arabic speakers.

On July 18, Mandiant identified a new ransomware family dubbed ROADSWEEP, which drops a politically themed ransom note suggesting it targeted the Albanian government, and a group named “HomeLand Justice” claimed credit for the disruptive activity.

The “HomeLand Justice” group posted a video of the ransomware being executed on its website and Telegram channel, alongside documents purported to be Albanian residence permits of MEK members.

The July 23-24 conference by the dissident group, titled The Free Iran World Summit, was canceled following warnings from local authorities of a possible terrorist threat. The conference was scheduled to be held at Ashraf 3 camp in Manez, 30 kilometers (19 miles) west of Albania’s capital, Tirana, where 3,000 MEK members live. Several US lawmakers were also among the invitees.

In July, Iran's Foreign Ministry sanctioned a group of US officials and lawmakers over their alleged support for the MEK, which Tehran considers a terrorist organization.