On September 6, Albania severed diplomatic ties with Iran over an alleged cyberattack on July 15. Iran had tried to “paralyze public services and hack data and electronic communications from the government systems,” Prime Minister Edi Rama said in a statement. Tehran had allegedly directed four groups to hack into and disable Albania government websites; one group had previously conducted cyberattacks on Cyprus, Israel, Jordan, Kuwait, Saudi Arabia, and the United Arab Emirates.
No country had previously severed diplomatic relations over a cyberattack. Albania gave Iranian embassy staff 24 hours to leave the country. Staff appeared to be burning documents in a barrel amid a flurry of activity inside the embassy grounds.
Iran denied involvement in the cyberattack. On September 8, the foreign ministry criticized Albania for cutting off ties and instead blamed Tirana for hosting a “terrorist cult,” a reference to the Mujahedin-e Khalq (MEK). The MEK is a militant opposition group with thousands of members living in exile. Iran and Albania have had a contentious relationship since 2014, when the Balkan country granted asylum to some 3,000 MEK members who had been living in Iraq.
The United States blamed Iran for the cyberattack on a NATO ally. “The United States will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace,” National Security Council Spokesperson Adrienne Watson said on September 7. “Iran’s conduct disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public.” The Federal Bureau of Investigation and Microsoft have been working with Albania to investigate the incident.
On September 9, the United States sanctioned Iran’s intelligence ministry and minister for the cyberattack. “We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners,” Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian Nelson said.
The attack may have wider implications since Albania is a member of NATO and the European Union, both of which pledged to support the small east European country. “We will continue raising our guard against such malicious cyber activities in the future, and support each other to deter, defend against and counter the full spectrum of cyber threats, including by considering possible collective responses,” NATO warned in a statement. E.U. foreign policy chief Josep Borrell expressed “full solidarity” with Albania. “We strongly condemn such unacceptable behavior in cyberspace, which goes against agreed norms of responsible state behavior.”
On September 11, Albania blamed Iran for another cyberattack that occurred two days earlier. The “same aggressors” responsible for the July incident targeted Albanian state police systems.
The MEK Connection
The MEK is a Marxist-Islamist movement committed to ousting Iran’s theocratic government. Founded in 1965, it started as an urban guerrilla group opposed to Iran’s monarchy. It allegedly killed six Americans during its campaign against the Shah’s regime in the 1970s.
The MEK participated in the 1979 revolution but later broke with the new Islamic government over political and ideological differences. Since the early 1980s, the MEK has reportedly carried out deadly attacks against Iranian officials. Its members went into exile or underground in 1981. The MEK fought for Iraq under President Saddam Hussein during the 1980-1988 war with Iran. After the war, it continued to carry out bombings on Iranian targets. The group has reportedly killed hundreds and possibly thousands of Iranians.
The MEK attempted an attack against the Iranian mission to the United Nations in 1992. The State Department added the militant group to the terrorism list in 1997. In 2003, the organization renounced violence and subsequently sued the State Department to be removed from the U.S. list of foreign terrorist organizations. It won the suit in 2012.
In 2014, with U.S. backing, Albania granted safe haven to thousands of MEK members still in Iraq. The group built a fortified compound near Durres, Albania’s main port. Albania has repeatedly foiled attacks by Iranian agents targeting the MEK. In 2018, Albania expelled the Iranian ambassador and another diplomat for “damaging its national security.” In 2019, Tirana expelled two other Iranian envoys. In July 2022, the MEK canceled its annual conference in Albania for “security reasons and due to terrorist threats and conspiracies.”
The following are statements by Albania, the United States, NATO, and the European Union on the cyberattack.
Albanian Prime Minister Edi Rama on Sept. 7, 2022:
On July 15, our country became the target of a heavy cyberattack on the digital infrastructure of the Government of the Republic of Albania in a bid to destroy it, paralyse public services and hack data and electronic communications from the government systems. The said attack failed its purpose. Damages may be considered minimal compared to the goals of the aggressor. All systems came back fully operational and there was no irreversible wiping of data.
For weeks now, while work has been ongoing 24/7 to restore all damages, thorough investigations have been conducted to identify the aggressor. In cooperation with specialized partner agencies against cyber terrorism, who brought their teams to Tirana, it was confirmed that, first, without a shadow of doubt, the July 15 attack on Albania was not an individual operation or a concerted action by independent criminal groups, but a State-sponsored aggression. The in-depth investigation provided us with indisputable evidence that the cyberattack against our country was orchestrated and sponsored by the Islamic Republic of Iran through the engagement of four groups that enacted the aggression – one of them being a notorious international cyber-terrorist group, which has been a perpetrator or co-perpetrator of earlier cyberattacks targeting Israel, Saudi Arabia, UAE, Jordan, Kuwait and Cyprus.
We have informed accordingly our strategic allies, the NATO Member States and other friendly countries, with whom we have shared the irrefutable evidence resulting from the investigation that corroborates the source of the aggression against our country. As above, the Council of Ministers has decided on the severance of diplomatic relations with the Islamic Republic of Iran with immediate effect. An official notice of the decision has been sent to the Embassy of the Islamic Republic of Iran, asking that all the diplomatic, technical and administrative, and security staff leave within 24 hours the territory of the Republic of Albania.
This extreme response, one that is unwanted but totally forced on us, is fully proportionate to the gravity and risk of the cyberattack that threatened to paralyse public services, erase digital systems and hack into State records, steal Government intranet electronic communication and stir chaos and insecurity in the country. Failure of this massive attack on our country thanks to the resilience of the systems we have built and the assistance of specialised groups who fought on our side is not the end of the cyber threat, but the clear proof that, thanks to its digital development, Albania is part of the large map of the battle for cyber security. The good news, however, is that we know what to do and how to do it to prevent anyone from harming us, just like we know that we will do the right things in the right way, also because we have the right partners on our side.
U.S. National Security Council Spokesperson Adrienne Watson in a statement on Sept. 7, 2022:
The United States strongly condemns Iran’s cyberattack against our NATO Ally, Albania. We join in Prime Minister Rama’s call for Iran to be held accountable for this unprecedented cyber incident. The United States will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace.
For weeks, the U.S. government has been on the ground working alongside private sector partners to support Albania’s efforts to mitigate, recover from, and investigate the July 15 cyberattack that destroyed government data and disrupted government services to the public. We have concluded that the Government of Iran conducted this reckless and irresponsible cyberattack and that it is responsible for subsequent hack and leak operations.
Iran’s conduct disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public. Albania views impacted government networks as critical infrastructure. Malicious cyber activity by a State that intentionally damages critical infrastructure or otherwise impairs its use and operation to provide services to the public can have cascading domestic, regional, and global effects; pose an elevated risk of harm to the population; and may lead to escalation and conflict.
We will continue to support Albania’s remediation efforts over the longer-term, and we invite partners and Allies to join us in holding malicious cyber actors accountable and building a secure and resilient digital future.
U.S. Treasury Department in a statement on Sept. 9, 2022:
Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is designating Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence for engaging in cyber-enabled activities against the United States and its allies. Since at least 2007, the MOIS and its cyber actor proxies have conducted malicious cyber operations targeting a range of government and private-sector organizations around the world and across various critical infrastructure sectors. In July 2022, cyber threat actors assessed to be sponsored by the Government of Iran and MOIS disrupted Albanian government computer systems, forcing the government to suspend online public services for its citizens.
“Iran’s cyber attack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners.”
Today’s action is being taken pursuant to Executive Order (E.O.) 13694, as amended, which targets those who engage in malicious cyber activities. MOIS was previously designated pursuant to Executive Orders 13224, 13472, and 13553 for its support to multiple terrorist groups and for being responsible for, or complicit in, the commission of serious human rights abuses against the Iranian people.
MOIS AND ITS CYBER THREAT ACTOR NETWORKS
The MOIS, under the leadership of Esmail Khatib, directs several networks of cyber threat actors involved in cyber espionage and ransomware attacks in support of Iran’s political goals. In addition to conducting malicious cyber activity that affected Albanian government websites, MOIS cyber actors were also responsible for the leaking of documents purported to be from the Albanian government and personal information associated with Albanian residents.
Earlier this year, the United States identified a group of advanced persistent threat (APT) actors, known as MuddyWater, as a subordinate element within MOIS that has been conducting broad cyber campaigns in support of the organization’s objectives since approximately 2018. MuddyWater actors are known to exploit publicly reported vulnerabilities to gain access to sensitive data on victims’ systems, deploy ransomware, and disrupt the operations of private organizations. As recently as November 2021, MuddyWater was assessed to be involved in a cyber campaign targeting Turkish government entities and delivering documents containing malware likely through spear-phishing emails to gain access to victims’ systems.
APT39, which OFAC designated pursuant to E.O. 13553 on September 17, 2020, for being owned or controlled by MOIS, is another cyber espionage group that Iran has used to advance its malign objectives. APT39 has engaged in widespread theft of personal identifying information, probably to support surveillance operations that enable Iran’s human rights abuses. Concurrent with the U.S. designation of APT39 and Government of Iran-front company Rana Intelligence Computing Company, the Federal Bureau of Investigation exposed MOIS’ years-long malware campaign that targeted and monitored Iranian citizens, dissidents, and journalists, as well as a host of foreign organizations that included at least 15 U.S. companies.
The MOIS is being designated today pursuant to E.O. 13694, as amended, for being responsible for, or complicit in, directly or indirectly, cyber-enabled activity that is reasonably likely to result in, or has materially contributed to, a significant threat to the national security of the United States, and that has the purpose or effect of causing a significant disruption to the availability of a computer or network of computers.
Esmail Khatib is being designated today pursuant to E.O. 13694, as amended, for having acted or purported to act for or on behalf of, directly or indirectly, the MOIS.
As a result of today’s designation, all property and interests in property of the designated targets that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities that are owned 50 percent or more by one or more designated persons are also blocked. All transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons are prohibited unless authorized by a general or specific license issued by OFAC, or exempt. These prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person and the receipt of any contribution or provision of funds, goods, or services from any such person.
In addition, non-U.S. persons that engage in certain transactions with the persons designated today may themselves be exposed to designation. Furthermore, any foreign financial institution that knowingly conducts or facilitates a significant transaction for or on behalf of the persons designated today could be subject to U.S. correspondent or payable-through account sanctions.
The power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to the SDN List, but also from its willingness to remove persons from the SDN List consistent with the law. The ultimate goal of sanctions is not to punish, but to bring about a positive change in behavior. For information concerning the process for seeking removal from an OFAC list, including the SDN List, please refer to OFAC’s Frequently Asked Question 897 here. For detailed information on the process to submit a request for removal from an OFAC sanctions list.
NATO in a statement on Sept. 8, 2022:
- We stand in solidarity with Albania following the recent cyber attack on its national information infrastructure. Allies acknowledge the statements by Albania and other Allies attributing the responsibility for the cyber attack to the Government of Iran. We strongly condemn such malicious cyber activities designed to destabilise and harm the security of an Ally, and disrupt the daily lives of citizens. NATO and Allies support Albania in strengthening its cyber defence capabilities to withstand and repel such malicious cyber activities in the future.
- Malign actors seek to degrade our critical infrastructure, interfere with our government services, extract intelligence, steal intellectual property and impede our military activities. Allies are committed to protecting their critical infrastructure, building resilience and bolstering their cyber defences. We will continue raising our guard against such malicious cyber activities in the future, and support each other to deter, defend against and counter the full spectrum of cyber threats, including by considering possible collective responses.
- We promote a free, open, peaceful and secure cyberspace. We pursue efforts to enhance stability and reduce the risks of conflict by promoting respect for international law, and the voluntary norms of responsible state behaviour in cyberspace, as recognised by all members of the United Nations. We call on all States to respect their international commitments to upholding a norms-based approach to cyberspace.
E.U. foreign policy chief Josep Borrell in a statement on Sept. 8, 2022:
The European Union, together with NATO and international partners, expresses full solidarity with Albania and concern following the malicious cyber activities in July. The attack directly targeted critical infrastructure and affected the delivery of public services to people and businesses in Albania. We strongly condemn such unacceptable behaviour in cyberspace, which goes against agreed norms of responsible state behaviour, as repeatedly endorsed by all UN Member States.
Such destabilizing and irresponsible behaviour seeking to threaten Albania's integrity and security, democratic values and principles, and attempting to undermine democratic institutions and societies at large, is unacceptable.
The European Union, together with NATO and international partners, stands ready to support Albania’s cyber resilience building on our existing cooperation on cybersecurity.
In line with the EU Cybersecurity Strategy and the Strategic Compass, the European Union is determined to prevent cyberattacks through enhanced resilience and by responding firmly to cyberattacks against the EU and its Member States and is committed to assisting building up cyber security resilience in candidate and other countries, using all available EU tools. We continue to monitor the situation carefully and stand ready to take further steps where necessary to support Albania.