The initial intrusion into the Albanian government’s networks that eventually led to ransomware deployment and the theft and destruction of data was accomplished by exploiting an old, known vulnerability in a SharePoint server, researchers at Microsoft who helped investigate the incident said in a new analysis of the attack.
While the disruptive portion of the attack didn’t happen until July 15, one of the four Iranian-affiliated attack groups involved in the operation gained access to the Albanian government’s systems as early as May 2021. That group, known as DEV-0861, is a subset of the APT34 team that is also known as OilRig or Europium, and it exploited CVE-2019-0604 to get an initial foothold on the network. Microsoft initially disclosed that flaw in February 2019, and warned that it could lead to remote code execution. After gaining access, the attackers then used a misconfigured service account that was part of a local administrator group. A few months later, the attackers began stealing email from the network.
A separate group, DEV-0166, later followed in DEV-0861’s footsteps and exfiltrated data from the network as well. Two other groups soon came onto the scene, too. All four of the attack groups are affiliated with Iran’s Ministry of Intelligence and Security, Microsoft said, and the tools used in the attack have been seen in previous operations by Iranian state-backed actors.
“The cyberattack on the Albanian government used a common tactic of Iranian state sponsored actors by deploying ransomware first, followed by deployment of the wiper malware. The wiper and ransomware both had forensic links to Iranian state and Iran-affiliated groups. The wiper that DEV-0842 deployed in this attack used the same license key and EldoS RawDisk driver as ZeroCleare, a wiper that Iranian state actors used in an attack on a Middle East energy company in mid-2019,” Microsoft Security Threat Intelligence researchers said.
“In that case, IBM X-Force assessed that actors affiliated with EUROPIUM gained initial access nearly a year ahead of the wiper attack. The wiper attack was subsequently performed by a separate and unknown Iranian actor. This is similar to the chain of events Microsoft detected against the Albanian government.”
The July 15 attack on Albania’s networks was the end result of the preparatory actions these actors took in the months leading up to it. The attack forced the government to take down online public services for some time and disrupted government operations. As a result of the attack, the Albanian prime minister on Wednesday publicly attributed the attack to Iran and severed diplomatic relations with the country. The United States and many other NATO countries also condemned the attack, with the White House saying there would be “further action” to come.
That action came on Friday in the form of the Department of the Treasury's Office of Foreign Assets Control designating the MOIS and the Iranian minister of intelligence, a move that blocks any property in U.S. jurisdictions owned by those entities. It also essentially prohibits Americans from doing any business with them.
“Iran’s cyber attack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian Nelson. “We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners.”
The attackers used a variety of tactics and techniques in their operations, including exploiting the SharePoint flaw in order to plant webshells on the compromised server.
“These generic web shells provided the ability to upload files, download files, delete files, rename, execute commands with an option to run as specific user. Following initial access and implant, the threat actor was observed using Mimikatz for credential harvesting and a combination of Impacket and Remote Desktop Clients for lateral movement efforts using the built-in administrator account. Unrecoverable tooling was identified, which highly suggests that reconnaissance efforts were present in the form of file names of executables, resident mailbox data, database, and user details,” the Microsoft researchers said.
The attackers used a custom tool to gather email from the Exchange server without setting off any warnings, and later deployed a separate custom tool to install a binary on endpoints that disabled some components of Microsoft Defender. They also used a custom piece of tooling to deploy the ransomware and data wiper.
“Distribution of the encryption and wiping binaries was accomplished with two methods via a custom SMB remote file copy tool Mellona.exe, originally named MassExecuter.exe. The first method remote file copied the ransom binary GoXml.exe and a bat file that triggers the execution of the ransom or wiper on a user login. The second method was by remotely invoking the ransom binary with the Mellona.exe tool, post SMB remote file copy,” the researchers said.
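The first distribution method described above, a remote SMB copy of an executable together with a .bat file to the same host, leaves a pattern a defender can look for in share-access audit logs. The following is an added example, not Microsoft's or the researchers' code: it correlates constructed records loosely modelled on Windows Security event 5145 (network share object accessed) and flags hosts that received both an executable and a .bat over an administrative share from the same remote source within a short window. The field names, hostnames, IPs and file paths are all constructed, and the focus on ADMIN$/C$ shares is an assumption; the article only says the copy was done over SMB.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (simplified shape of Windows event 5145).
# The GoXml.exe name comes from the article; everything else is made up.
SAMPLE_EVENTS = [
    {"time": "2022-07-15T01:02:10", "host": "ws-17", "src_ip": "10.0.0.50",
     "share": "\\\\*\\ADMIN$", "path": "Temp\\GoXml.exe", "access": "WriteData"},
    {"time": "2022-07-15T01:02:14", "host": "ws-17", "src_ip": "10.0.0.50",
     "share": "\\\\*\\ADMIN$", "path": "Temp\\run.bat", "access": "WriteData"},
    {"time": "2022-07-15T01:05:00", "host": "ws-22", "src_ip": "10.0.0.50",
     "share": "\\\\*\\C$", "path": "Users\\Public\\GoXml.exe", "access": "WriteData"},
    {"time": "2022-07-15T03:00:00", "host": "ws-22", "src_ip": "10.0.0.50",
     "share": "\\\\*\\C$", "path": "Users\\Public\\x.bat", "access": "WriteData"},
    {"time": "2022-07-15T01:10:00", "host": "ws-30", "src_ip": "10.0.0.9",
     "share": "\\\\*\\Finance", "path": "report.xlsx", "access": "ReadData"},
]

ADMIN_SHARES = {"ADMIN$", "C$"}   # assumed admin shares of interest
EXEC_EXT = (".exe", ".dll")


def is_admin_share_write(ev):
    """True for a write to an administrative share (ADMIN$ or C$)."""
    share_name = ev["share"].rsplit("\\", 1)[-1].upper()
    return ev["access"] == "WriteData" and share_name in ADMIN_SHARES


def find_paired_drops(events, window_minutes=10):
    """Return sorted (host, src_ip) pairs that received both an executable
    and a .bat over an admin share from the same source within the window."""
    window = timedelta(minutes=window_minutes)
    by_pair = defaultdict(list)
    for ev in events:
        if is_admin_share_write(ev):
            by_pair[(ev["host"], ev["src_ip"])].append(
                (datetime.fromisoformat(ev["time"]), ev["path"].lower()))
    hits = []
    for pair, drops in by_pair.items():
        exes = [t for t, p in drops if p.endswith(EXEC_EXT)]
        bats = [t for t, p in drops if p.endswith(".bat")]
        if any(abs(te - tb) <= window for te in exes for tb in bats):
            hits.append(pair)
    return sorted(hits)


if __name__ == "__main__":
    for host, src in find_paired_drops(SAMPLE_EVENTS):
        print(f"exe+bat dropped on {host} over admin share from {src}")
```

With the default ten-minute window only ws-17 is flagged; widening the window to a few hours also catches the slower drop on ws-22, which is the trade-off between noise and recall a hunt team has to tune.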
Ultimately, the attack affected about 10 percent of the Albanian government’s network, Microsoft said.