Albania has severed diplomatic ties with Iran after a series of cyberattacks that kicked off July 15 and targeted multiple Albanian government websites, Albanian Prime Minister Edi Rama said Wednesday.
All Iranian diplomatic and other personnel were given 24 hours to leave the country, Rama said in a video statement.
A previously unknown group calling itself “Homeland Justice” took credit for the attacks. They claimed to be Albanian citizens who were upset by the country hosting members of the Mojahedin-e Khalq, an Iranian opposition group better known as the MEK.
On July 21, the group began posting stolen Albanian government documents to a website and its Telegram channel. It also posted a video purporting to show a ransomware attack on government services and the purported wiping of government files with malware.
The Albanian government said it believes that “Homeland Justice” is a front for an Iranian-backed hacking group.
“In cooperation with specialized partner agencies against cyber terrorism, who brought their teams to Tirana, it was confirmed that first, without a shadow of a doubt, the July 15 attack on Albania was not an individual operation or a concerted action by independent criminal groups, but a state-sponsored aggression,” Rama said.
Investigation had provided “indisputable” evidence that the attack was orchestrated by Iran and was the work of four groups, one of which that had already attacked multiple other countries.
Both the Homeland Justice Telegram channel and the group’s website remain active, posting zip files with additional Albanian material every few days. The most recent post was Aug. 29.
National Security Council Spokesperson Adrienne Watson said in a statement Wednesday that the U.S. “strongly condemns Iran’s cyberattack against our NATO ally, Albania,” and that it “joins Rama’s call for Iran to be held accountable for this unprecedented cyber incident.”
The U.S. “will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace,” the statement read.
The government of the United Kingdom also condemned the attack Wednesday and said in a statement that the attacks “are the latest in an increasingly reckless pattern of behaviour by Iran.”
Researchers with cybersecurity firm Mandiant said on Aug. 4 they were moderately confident that the activity traced back to the Iranian government. “This activity is a geographic expansion of Iranian disruptive cyber operations, conducted against a NATO member state,” the researchers said at the time. “It may indicate an increased tolerance of risk when employing disruptive tools against countries perceived to be working against Iranian interests.”
Mandiant Vice President of Intelligence John Hultquist said Wednesday that this “is possibly the strongest public response to a cyber attack we have ever seen.”
He added that the attack on Albania “is a reminder that while the most aggressive Iranian cyber activity is generally focused in the Middle East region, it is by no means limited to it. Iran will carry out disruptive and destructive cyber attacks as well as complex information operations globally. We are especially wary of these actors as elections approach, given the aggressive posture Iran took in 2020, and we are expecting them and others to continue to harangue our elections moving forward.”
Hultquist added that the attack — along with recent attacks on another NATO country, Montenegro — “is also a reminder that major critical government systems in NATO countries are vulnerable and under attack. Even though the incidents are probably unrelated, regular disruptions to government infrastructure are an alarming trend.”
Updated 9/7/22: To include a statement from the British government.