Pro-Iranian Hacker Group Targeting Albania with No-Justice Wiper Malware
https://www.indiavpn.org/2024/01/06/pro-iranian-hacker-group-targeting-albania-with-no-justice-wiper-malware/

Jan 06, 2024 | Newsroom | Malware / Cyber Attack

The recent wave of cyber attacks targeting Albanian organizations involved the use of a wiper called No-Justice.

The findings come from cybersecurity company ClearSky, which said the Windows-based malware “crashes the operating system in a way that it cannot be rebooted.”

The intrusions have been attributed to an Iranian “psychological operation group” known as Homeland Justice, which has been active since July 2022, specifically orchestrating destructive attacks against Albania.

On December 24, 2023, the adversary resurfaced after a hiatus, stating it’s “back to destroy supporters of terrorists,” describing its latest campaign as #DestroyDurresMilitaryCamp. The Albanian city of Durrës currently hosts the dissident group People’s Mojahedin Organization of Iran (MEK).

Targets of the attack included ONE Albania, Eagle Mobile Albania, Air Albania, and the Albanian parliament.

Two of the primary tools deployed during the campaign include an executable wiper and a PowerShell script that’s designed to propagate the former to other machines in the target network after enabling Windows Remote Management (WinRM).

The No-Justice wiper (NACL.exe) is a 220.34 KB binary that requires administrator privileges to erase the data on the computer.

This is accomplished by removing the boot signature from the Master Boot Record (MBR), the first sector of a hard disk, which identifies where the operating system is located on the disk so that it can be loaded into the computer’s RAM.

Also delivered over the course of the attack are legitimate tools like Plink (aka PuTTY Link), RevSocks, and the Windows 2000 resource kit to facilitate reconnaissance, lateral movement, and persistent remote access.

The development comes as pro-Iranian threat actors such as Cyber Av3ngers, Cyber Toufan, Haghjoyan, and YareGomnam Team have increasingly set their sights on Israel and the U.S. amid continuing geopolitical tensions in the Middle East.

“Groups such as Cyber Av3ngers and Cyber Toufan appear to be adopting a narrative of retaliation in their cyber attacks,” Check Point disclosed last month.

“By opportunistically targeting U.S. entities using Israeli technology, these hacktivist proxies try to achieve a dual retaliation strategy – claiming to target both Israel and the U.S. in a single, orchestrated cyber assault.”

Cyber Toufan, in particular, has been linked to a deluge of hack-and-leak operations targeting over 100 organizations, wiping infected hosts and releasing stolen data on their Telegram channel.

“They’ve caused so much damage that many of the orgs – almost a third, in fact, haven’t been able to recover,” security researcher Kevin Beaumont said. “Some of these are still fully offline over a month later, and the wiped victims are a mix of private companies and Israeli state government entities.”

Last month, the Israel National Cyber Directorate (INCD) said it’s currently tracking roughly 15 hacker groups associated with Iran, Hamas, and Hezbollah that have been maliciously operating in Israeli cyberspace since the onset of the Israel-Hamas war in October 2023.

The agency further noted that the techniques and tactics employed share similarities with those used in the Ukraine-Russia war, leveraging psychological warfare and wiper malware to destroy sensitive information.

Albanian Parliament and One Albania Telecom Hit by Cyber Attacks
https://www.indiavpn.org/2023/12/29/albanian-parliament-and-one-albania-telecom-hit-by-cyber-attacks/

Dec 29, 2023 | Newsroom | Cyber Attack / Web Security

The Assembly of the Republic of Albania and telecom company One Albania have been targeted by cyber attacks, the country’s National Authority for Electronic Certification and Cyber Security (AKCESK) revealed this week.

“These infrastructures, under the legislation in force, are not currently classified as critical or important information infrastructure,” AKCESK said.

One Albania, which has nearly 1.5 million subscribers, said in a Facebook post on December 25 that it had handled the security incident without any issues and that its services, including mobile, landline, and IPTV, remained unaffected.

AKCESK further noted that the intrusions did not originate from Albanian IP addresses, adding it managed to “identify potential cases in real-time.”

The agency also said that it has been focusing its efforts on identifying the source of the attacks, recovering compromised systems, and implementing security measures to prevent such incidents from happening again in the future.

What’s more, AKCESK said the incident has prompted it to review and strengthen its cybersecurity strategies.

The exact scale and scope of the attacks are currently not known, but an Iranian hacker group called Homeland Justice claimed responsibility on its Telegram channel and also stated that it had hacked flag carrier airline Air Albania.

In a message shared on its website on December 24, the outfit said it is “back to destroy supporters of terrorists,” adding the following tags: #albania, #albaniahack, #CyberAttacks, #mek, #MKO, #ncri, #NLA, #pmoi, #Terrorists.

The development comes more than a year after Albanian government services were targeted by destructive cyber attacks in mid-July 2022.

Homeland Justice claimed responsibility for those attacks as well. The development subsequently prompted the U.S. government to sanction Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmail Khatib, for engaging in cyber-enabled activities against the U.S. and its allies.
