According to a new report released by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), Iranian hackers were able to remain undetected inside an Albanian government network for 14 months. At the end of this period, the hackers deployed destructive malware. The hack resulted in Albania severing diplomatic ties with Iran, marking the first time a cyber incident has led to such a severe political outcome. The malware was reportedly deployed in July of this year, after initial access was gained by exploiting a remote code execution bug in SharePoint.
The vulnerability that was exploited had been flagged by the UK's National Cyber Security Centre in October 2020. The group behind the attack has been identified as the state-sponsored hacking group HomeLand Justice. Just days after gaining network access, the attackers moved to establish persistence and move laterally. Between one and two months after the network was breached, the group began to look for an admin account to compromise. After 14 months, the group deployed a ransomware-style file encryptor and disk-wiping malware. The attack itself may have been a response to Albania's protection of an Iranian opposition group known as Mujahideen-e-Khalq.