Microsoft: Iranian hackers breached Albanian government more than a year before main hack

An investigation into the hack on Albania's government has revealed the Iranian state-sponsored hackers responsible initially gained access to systems more than a year before the attack ended.

The hacking group that has been widely attributed to Iranian sponsorship by several organisations such as Microsoft, as well as the UK and US, is believed to have initially gained access in May 2021, 13 months before the 15 July 2022 hack that was widely reported this week.

It is believed the hackers gained initial access to the victim system by exploiting a vulnerability in a then-two-year-old unpatched Microsoft SharePoint server (CVE-2019-0604), before cementing access two months later through a misconfigured service.

Microsoft’s technical report on the hack was published this week and made several revelations about the incident, which it was brought in to investigate by the Albanian government.

In addition to the evidence of hackers being entrenched in Albania’s systems for longer than a year, Microsoft also found evidence of email data being exfiltrated as early as October 2021 and this persisted until January 2022.

Exchange logs also revealed the same Iran-linked hackers exfiltrated data from other victims between November 2021 and May 2022 that were consistent with Iran’s past interests, Microsoft said, such as Jordan, Kuwait, and UAE, among others.

The results of the investigation published this week showed how the main hack announced this week, which caused Albania to sever diplomatic ties with Iran, was just the climax of a year-long espionage campaign against it and other targets.

Microsoft was also able to reveal that the attack consisted of four phases with each phase being assigned to a different state-sponsored hacking group.

One group was tasked with probing the victim's infrastructure and another for the exfiltration. A third actor was required to gain the initial access and complete some data theft, and a fourth group was tasked with deploying the ransomware and wiper malware payloads.

The data exfiltration was carried out, at least in part, with the Jason tool - an offensive security tool that’s consistent with activity from Iran-linked groups of the past, such as APT34.

The methods used in the climax of the attack were consistent with previous activity of Iran-linked state-sponsored hackers, too. Microsoft said ransomware was deployed on the victim’s system and then a wiper malware was used after that.

The increased use of wiper malware was among the most popular predictions of cyber security experts at the start of the year.

Speaking to IT Pro in January, Maya Horowitz, director of threat intelligence and research products at Check Point, predicted the increased use of wiper malware and it being especially popular among hacktivists.

The use of wipers has also been observed in the cyber war between Russia and Ukraine - Russia deployed such malware against Ukraine in the early stages of the conflict before stopping seemingly abruptly.

Microsoft said that despite the year-long campaign, the final stage of the attack - the deployment of ransomware and wiper malware - was ‘largely unsuccessful’ since the “attempt at destruction had less than a 10% total impact on the customer environment”.

The hackers went to great lengths to establish themselves in the Albanian government’s systems. Activity included exploitation of vulnerabilities to establish persistence, reconnaissance, credential harvesting, and evasive manoeuvres such as disabling security products.

Why did Iran hack Albania?

The messaging throughout the attack, combined with the target selection and the binaries signed with Iran-linked digital certificates helped to indicate that the culprit of the campaign was Iran.

The ransom note displayed on the Albanian systems made implications that the target of the attack was the Mujahedin-e Khalq (MEK) - the main political opposition in Iran that has been exiled to Albania.

The ransom note also depicted the symbol of the Predatory Sparrow hacking group which is believed to be responsible for several cyber attacks against Iran state-linked targets dating back to 2021.

Such incidents involved Iran’s transport network, its manufacturing companies, and payment systems which ultimately closed petrol stations around the country.

The MEK is believed to be affiliated with the Predatory Sparrow hacking group and most recently it was thought to be behind the attack on the Tehran municipality’s security cameras and the defacement of its website, according to local media.

Iran’s attack on 15 July, revealed earlier this week, followed a string of cyber attacks on Iran and one week before the planned MEK’s ‘Free Iran World Summit’ which was cancelled this year following fears of terrorist targeting.