A threat actor behind a set of disruptive cyberattacks against Albanian government services is now linked with Iran.
The attack, which took place in mid-July 2022, forced the government to temporarily close access to online public services and other government websites because of a synchronized and sophisticated cybercriminal attack from outside Albania.
This disruptive operation led to the deployment of a new ransomware family called ROADSWEEP.
An Albanian user submitted a sample of a wiper called ZeroCleare on July 19, coinciding with the attacks.
ZeroCleare, targeting the industrial and energy sectors in the Middle East, is designed to wipe the MBR and disk partitions on Windows-based machines. It’s believed to be a collaborative effort between different Iranian nation-state actors, including OilRig.
A previously unknown backdoor dubbed CHIMNEYSWEEP was also deployed; it is capable of taking screenshots, listing and collecting files, spawning a reverse shell, and supporting keylogging functionality.
The earliest iterations of CHIMNEYSWEEP date back to 2012 and indications are that the malware may have been utilized in attacks aimed at Farsi and Arabic speakers.
The connections to Iran stem from the fact that the attacks took place less than a week prior to the World Summit of Free Iran conference, held on July 23-24 near the port city of Durres by entities opposing the Iranian government, particularly members of the MEK.
This research was conducted and documented by researchers from Mandiant.
Indicators of Compromise