The tone is firm, the accusation clear and the decision unprecedented: on Wednesday 7 September, Albanian Prime Minister Edi Rama announced, notably in a video posted online, the end of diplomatic relations between his country and Iran. Diplomats and employees of the Iranian embassy in Tirana have 24 hours to pack their bags and return to Tehran.
The reason for this sudden and cold anger? The major cyber attack that hit the small Balkan country in the middle of summer. In mid-July, the authorities had to disconnect the government’s computer systems to ward off a ransomware attack, ransomware being a program that makes data inaccessible and demands a ransom from the victim. The attack, the premier protested in his message, was meant to “destroy the digital infrastructure of the government of the Republic of Albania, paralyze public services, hack data and communications from government systems”.
Typically, ransomware is used by the digital underworld for extortion purposes. However, “The July 15 attack was not an individual act or concerted action by a group of independent cybercriminals, but an assault by a state”, Mr. Rama wanted to clarify. “A thorough investigation allowed us to uncover irrefutable evidence that this attack on our country was orchestrated and supported by the Islamic Republic of Iran”, continued the Prime Minister.
This accusation is not entirely surprising. One of the ransomware programs used in the attack and analyzed by the Mandiant company, which is close to the American authorities, carried a message that left little doubt about the motivation and sponsor of the attackers. “Why should our taxes be used for the benefit of terrorists in Durres?” the virus wrote on the infected computers.
Timing coincides with a gathering of Tehran’s opponents
The hackers’ mention of this city, located about thirty kilometers west of the Albanian capital, Tirana, owes nothing to chance: it was nearby that a meeting of the People’s Mojahedin Organization of Iran (PMOI) was to be held. This Islamic-Marxist movement, a hated opponent of the Tehran regime, regularly earns Albania attacks from Iran. In fact, since 2013, a significant number of its members have found refuge in the country, at the request of the United States and the UN. The meeting of the organization, scheduled for the end of July, was definitively canceled for nebulous security reasons, with the authorities fearing attacks. The cyber attack was therefore not cited as one of the reasons for this cancellation.
The coincidence of the attack with the large gathering of the PMOI, together with some technical elements, had since the summer led many observers to point the finger at Tehran. At the beginning of August, the Mandiant company noted, for example, that the same hackers who had attacked Albania had previously struck targets close to the opposition to the regime in place in Tehran, which suggested that this group was probably of Iranian origin. Furthermore, the PMOI has in the past been targeted by Iranian hackers through attacks and disinformation operations.
More generally, Tehran does not hesitate to resort to violence in its fight against the PMOI. This year, the Belgian courts thus confirmed the conviction of three Belgian-Iranians for having plotted an attack, ultimately thwarted, against a meeting of the National Council of Iranian Resistance, of which the PMOI forms the bulk of the troops, organized in Villepinte, on the outskirts of Paris, in 2018.
In recent years, Albania has already expelled two Iranian diplomats serving in the country, accusing them of threatening “national security”. But the rupture of diplomatic relations seems to be a further step in the tensions between the two countries.
Attack condemned by the White House
All the more so because the United States immediately supported Albania. Washington plays a leading role in this affair: American experts went, as soon as the attack broke out, to help the Albanian government limit the offensive and investigate those responsible.
The White House supported the Albanian denunciation through a press release condemning “firmly” this cyber attack “without precedent” against a “NATO ally” country, which, according to it, makes a mockery of the “standards of responsible behavior in cyberspace”, in this case by attacking “critical infrastructures providing public services”.
“Harmful activity carried out by a state that intentionally damages infrastructure (…) can have cascading national, regional and global consequences and can lead to escalations and conflicts”, the press release continues. “The United States will act to hold Iran accountable for actions that threaten the security of an ally”, the White House also warns.
While the American reaction is classic, Aude Géry, who holds a Ph.D. in public international law and is a cyberspace specialist, now wonders whether the European Union (EU) will add its voice to that of the Americans, given “the EU’s ongoing rapprochement with Albania and its neighbors, including on IT issues”.
Several hacker groups believed to be close to the Iranian authorities have waged relentless guerrilla warfare against Israeli targets for months. Rarer are examples of attacks on countries that are NATO members and neighbors of Europe, such as Albania. According to Mandiant, the July attack constitutes a “particularly daring operation”, and it might suggest that the Iranian computer apparatus is less cautious when it comes to attacking countries “perceived as working against Iranian interests”.