Wiper malware found in analysis of Iran-linked attacks on Albanian institutions

Jason Macuray
During the wave of attacks on Albanian organizations earlier in December, Iran-linked hackers used wiper malware that researchers are calling No-Justice.

The attacks, attributed to the Iranian threat actor Homeland Justice, targeted the Albanian parliament, two local telecom companies (ONE Albania and Eagle Mobile), and Albania’s flag air carrier (Air Albania). The hackers claimed to have stolen data from the targeted systems, but this claim has not been confirmed yet.

Researchers at the Israel-based cybersecurity firm ClearSky identified two main tools used in this campaign: No-Justice, which can crash the targeted Windows operating system “in a way that it cannot be rebooted,” and a PowerShell script designed “to copy and propagate the wiper to other machines in the organizational network before its activation.”

No-Justice had a valid digital signature to appear legitimate and required administrator privileges to wipe the data from the victim’s computer, researchers said.

The hackers likely used publicly available tools for the attack, including a set of network communication software utilities called Plink; a tool named RevSocks, employed for data exfiltration, command and control, or maintaining persistent access in a compromised network; and the Windows 2000 resource kit, which can be used for reconnaissance and persistent remote access.

The extent of the damage is still not clear. Earlier in December, local media reported that during the attack on the parliament, hackers attempted to interfere with the infrastructure and delete data but were unsuccessful.

ClearSky estimates that Homeland Justice’s operations may threaten other countries.

The latest attacks on Albania were a possible retaliation for its government sheltering members of the Iranian opposition group Mujahedeen-e-Khalq, or MEK, in the Albanian county of Durrës — the hackers named their campaign “Destroy Durres Military Camp.”

According to ClearSky’s report, the attack on the Albanian parliament followed the publication of an image showing Albanian parliament members together with Mariam Rajavi, president of MEK.

Homeland Justice launched its first campaign against Albania last July, targeting the country’s e-government systems right before MEK’s planned conference. The conference was canceled following the attack.

In September, Albania reported that hackers linked to Iran’s government targeted computer systems used by the national police to track individuals entering and leaving the country. The attack prompted authorities to shut down computer control systems at border crossings and airports.

Researchers described Homeland Justice as an “Iranian psychological operation group.” It is likely state-sponsored.


Daryna Antoniuk
is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
