US imposes sanctions on Iran over a cyberattack on Albania

The US Treasury Department has sanctioned Iran’s Ministry of Intelligence and Security (MOIS) and minister Esmail Khatib for cyber activities against the United States and its allies.

“Iran’s cyber attack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners.”

Albania’s prime minister Edi Rama ordered Iranian embassy staff to leave the country after finding that Iran was behind a heavy yet unsuccessful attempt to hack government systems and paralyze public services this July.

Microsoft released a detailed report of the attack, assessing with high confidence that multiple attackers were behind it: DEV-0842 deployed the ransomware and wiper malware, DEV-0861 gained initial access and exfiltrated data, DEV-0166 exfiltrated data, and DEV-0133 probed victim infrastructure.

Since at least 2007, the MOIS and its cyber actor proxies have conducted malicious cyber operations targeting a range of government and private-sector organizations around the world and across various critical infrastructure sectors, the Treasury said.

In January, US Cyber Command attributed the advanced persistent threat (APT) group MuddyWater to MOIS. The group has been conducting “broad cyber campaigns in support of the organization’s objectives since approximately 2018.” MuddyWater exploits known vulnerabilities to gain access to sensitive data on victims’ systems, deploy ransomware, and disrupt the operations of private organizations.

“As recently as November 2021, MuddyWater was assessed to be involved in a cyber campaign targeting Turkish government entities and delivering documents containing malware likely through spear-phishing emails to gain access to victims’ systems,” the Treasury said.

There are more threat actors associated with Iran. The threat group UNC3890 is going after Israel’s shipping, aviation, healthcare, and energy sectors. Bohrium targets users in the Middle East, India, and the US. Charming Kitten stands out in its attempts to compromise high-value accounts in government, academia, NGOs, national security, and journalism.

On September 7, Microsoft published a blog post detailing another Iran-linked threat actor, Nemesis Kitten, a sub-group of Phosphorus, saying it conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran.

Last year, Phosphorus targeted potential attendees of the Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia.

As a result of newly imposed sanctions, all property of the designated targets is blocked. Any entity owned 50% or more by designated persons is also blocked.