Cyberattack against Albania: a cautionary tale
In July 2022, Iranian state cyber actors launched a destructive cyber attack against the Government of Albania which rendered websites and services unavailable. The advisory released by the US-based Cybersecurity & Infrastructure Security Agency (CISA) provides a timeline of the activity observed, from initial access to the execution of encryption and wiper attacks. What are the lessons learned?
The research indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber attack, which included a ransomware-style file encryptor and disk wiping malware. The actors maintained continuous network access since early 2021, periodically accessing and exfiltrating e-mail content.
That no indicators of compromise were discovered during all that time implies that no serious monitoring and breach detection had been deployed in Albania's government institutions. EDR or XDR software and managed security services are still a rarity in the government sector across Southeast Europe. Too often, budget cycles force IT investment into on-premises hardware purchases without due care for the associated maintenance costs.
This also means procurement is less inclined to purchase IT as a service via pay-as-you-go schemes, opting instead for in-house maintenance, which results in poorly run infrastructure with huge hidden costs.
It appears poor maintenance is to blame for the initial access to the system: this was not obtained via phishing (which is the norm these days) but rather via a known (and old) vulnerability in an internet-facing Microsoft SharePoint server. Had this been run via some as-a-service offering (e.g. Microsoft 365), it would have been patched as part of the service. In this case, however, the improper maintenance left open a hole documented by Microsoft since early 2019 and published in CISA's Known Exploited Vulnerabilities Catalog.
Once initial access had been obtained, it was a matter of time before elevation of privileges and lateral movement could be achieved. In this case, heavy reliance on Microsoft Active Directory made it easy to compromise additional accounts: the research found evidence of Mimikatz usage and LSASS dumping. These are typical attack techniques used to make progress once inside an Active Directory network. Unfortunately, Active Directory is still seen as the de facto standard for running an organization's IT infrastructure, while at the same time offering threat actors tremendous opportunities for easy lateral movement.
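As an added example (not from the original post or the CISA advisory), this is the kind of check that would have surfaced the LSASS dumping described above had telemetry been collected: it scans Sysmon Event ID 10 (ProcessAccess) records and flags any non-allowlisted process that obtained read access to lsass.exe. The flattened `Key=Value|Key=Value` record format, the allowlist and the sample records are all constructed assumptions.

```python
"""Flag suspicious handle access to lsass.exe in Sysmon Event ID 10 records."""
import re

# Win32 access-mask bit a credential dumper needs to read LSASS memory.
PROCESS_VM_READ = 0x0010

# Assumed allowlist of processes that legitimately open lsass.exe (tune locally).
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

_FIELD = re.compile(r"(\w+)=([^|]*)")


def parse_event(line):
    """Parse a flattened 'Key=Value|Key=Value' record into a dict (assumed format)."""
    return {k: v.strip() for k, v in _FIELD.findall(line)}


def is_suspicious_lsass_access(event):
    """True if a non-allowlisted process obtained memory-read access to lsass.exe."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWLIST:
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)
    # Query-only handles (e.g. 0x1400 from Task Manager) are normal; VM_READ is not.
    return bool(granted & PROCESS_VM_READ)


def find_suspicious(lines):
    """Return (SourceImage, GrantedAccess) for every suspicious record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_lsass_access(ev):
            hits.append((ev["SourceImage"], ev["GrantedAccess"]))
    return hits


# Constructed sample records; not real telemetry from the Albania incident.
SAMPLE_LOG = [
    "EventID=10|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000",
    "EventID=10|SourceImage=C:\\Users\\Public\\mk.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010",
    "EventID=10|SourceImage=C:\\Windows\\System32\\taskmgr.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1400",
    "EventID=10|SourceImage=C:\\Users\\Public\\dump.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1fffff",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for src, mask in find_suspicious(SAMPLE_LOG):
        print(f"ALERT: {src} opened lsass.exe with GrantedAccess {mask}")
```

In production the same logic would sit in an EDR or SIEM rule fed by Sysmon or ETW rather than a script over flat lines; the point is that the signal was available and cheap to collect.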
Read more on the cyberattack against the Albanian government in the CISA advisory.