Microsoft: Iranian hackers breached Albanian government more than a year before main hack
Investigation reveals how long Iran spent inside government systems and how little damage it actually did


An investigation into the hack on Albania's government has revealed the Iranian state-sponsored hackers responsible initially gained access to systems more than a year before the attack ended.
The hacking group that has been widely attributed to Iranian sponsorship by several organisations such as Microsoft, as well as the UK and US, is believed to have initially gained access in May 2021, 13 months before the 15 July 2022 hack that was widely reported this week.
It is believed the hackers gained initial access to the victim system by exploiting a vulnerability in a then-two-year-old unpatched Microsoft SharePoint server (CVE-2019-0604), before cementing access two months later through a misconfigured service.
Microsoft’s technical report on the hack was published this week and made several revelations about the incident, which it was brought in to investigate by the Albanian government.
In addition to the evidence of hackers being entrenched in Albania’s systems for longer than a year, Microsoft also found evidence of email data being exfiltrated as early as October 2021 and this persisted until January 2022.
Exchange logs also revealed the same Iran-linked hackers exfiltrated data from other victims between November 2021 and May 2022 that were consistent with Iran’s past interests, Microsoft said, such as Jordan, Kuwait, and UAE, among others.
The results of the investigation published this week showed how the main hack announced this week, which caused Albania to sever diplomatic ties with Iran, was just the climax of a year-long espionage campaign against it and other targets.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Microsoft was also able to reveal that the attack consisted of four phases with each phase being assigned to a different state-sponsored hacking group.
One group was tasked with probing the victim's infrastructure and another for the exfiltration. A third actor was required to gain the initial access and complete some data theft, and a fourth group was tasked with deploying the ransomware and wiper malware payloads.
The data exfiltration was carried out, at least in part, with the Jason tool - an offensive security tool that’s consistent with activity from Iran-linked groups of the past, such as APT34.
RELATED RESOURCE
An EDR buyer's guide
How to pick the best endpoint detection and response solution for your business
The methods used in the climax of the attack were consistent with previous activity of Iran-linked state-sponsored hackers, too. Microsoft said ransomware was deployed on the victim’s system and then a wiper malware was used after that.
The increased use of wiper malware was among the most popular predictions of cyber security experts at the start of the year.
Speaking to IT Pro in January, Maya Horowitz, director of threat intelligence and research products at Check Point, predicted the increased use of wiper malware and it being especially popular among hacktivists.
The use of wipers has also been observed in the cyber war between Russia and Ukraine - Russia deployed such malware against Ukraine in the early stages of the conflict before stopping seemingly abruptly.
Microsoft said that despite the year-long campaign, the final stage of the attack - the deployment of ransomware and wiper malware - was ‘largely unsuccessful’ since the “attempt at destruction had less than a 10% total impact on the customer environment”.
The hackers went to great lengths to establish themselves in the Albanian government’s systems. Activity included exploitation of vulnerabilities to establish persistence, reconnaissance, credential harvesting, and evasive manoeuvres such as disabling security products.
Why did Iran hack Albania?
The messaging throughout the attack, combined with the target selection and the binaries signed with Iran-linked digital certificates helped to indicate that the culprit of the campaign was Iran.
The ransom note displayed on the Albanian systems made implications that the target of the attack was the Mujahedin-e Khalq (MEK) - the main political opposition in Iran that has been exiled to Albania.
The ransom note also depicted the symbol of the Predatory Sparrow hacking group which is believed to be responsible for several cyber attacks against Iran state-linked targets dating back to 2021.
Such incidents involved Iran’s transport network, its manufacturing companies, and payment systems which ultimately closed petrol stations around the country.
The MEK is believed to be affiliated with the Predatory Sparrow hacking group and most recently it was thought to be behind the attack on the Tehran municipality’s security cameras and the defacement of its website, according to local media.
Iran’s attack on 15 July, revealed earlier this week, followed a string of cyber attacks on Iran and one week before the planned MEK’s ‘Free Iran World Summit’ which was cancelled this year following fears of terrorist targeting.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.
-
How to implement a four-day week in tech
In-depth More companies are switching to a four-day week as they look to balance employee well-being with productivity
-
Intelligence sharing: The boost for businesses
In-depth Intelligence sharing with peers is essential if critical sectors are to be protected
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crime
News A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs