Pro-Iranian Hacker Group Attacks Albania Using No-Justice Wiper Malware

Albanian Organizations Targeted by Wiper Malware in Renewed Cyber Offensive

A new surge of cyberattacks has been observed against Albanian organizations, primarily utilizing a destructive wiper malware identified as No-Justice. This attack, reported by ClearSky, a cybersecurity firm, has led to significant disruptions for the victims by crashing their Windows operating systems so severely that they cannot be restarted or recovered.

The campaign has been linked to an Iranian group known as Homeland Justice, which has been active since mid-2022, strategically targeting Albania. On December 24, 2023, the group announced their return to operations after a period of inactivity, publicly stating their intent to "destroy supporters of terrorists" and labeling their latest effort as #DestroyDurresMilitaryCamp. This campaign is notably focused on Durrës, a city hosting the dissident group People’s Mojahedin Organization of Iran (MEK), elevating the geopolitical stakes of these digital attacks.

Entities affected by this malicious onslaught include ONE Albania, Eagle Mobile Albania, Air Albania, and the Albanian parliament. Among the tools employed in the attacks, an executable for the wiper malware and a PowerShell script designed to propagate the malware across the network were notable. This PowerShell script leverages Windows Remote Management (WinRM) to facilitate the infection process across multiple machines within the targeted environments.

The No-Justice wiper, delivered as an executable named NACL.exe, requires administrator privileges to run. Its destructive payload erases the boot signature from the Master Boot Record (MBR), which the firmware relies on to hand control to the operating system. Without that signature the affected system can no longer boot, and the data it held is effectively lost to the victim.
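The following is an added example, not code from the article or from ClearSky's report: a small forensic triage helper that parses a raw 512-byte MBR, checks the 0x55AA boot signature at offset 510, and reports whether the partition table is still present. A present partition table with a missing signature is the pattern a signature-only wipe of the kind described above leaves behind. The sample sector is constructed inline (zeroed boot code, one NTFS-type partition) and does not come from any real disk image.

```python
import struct

MBR_SIZE = 512
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xAA"          # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446
ENTRY_FORMAT = "<B3xB3xII"            # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Parse a raw 512-byte MBR and report signature state plus non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    signature_ok = sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == BOOT_SIGNATURE
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, count = struct.unpack(ENTRY_FORMAT, sector[off:off + 16])
        if ptype != 0:                # partition type 0x00 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {"signature_ok": signature_ok, "partitions": partitions}


def triage(sector: bytes) -> str:
    """One-line verdict for an examiner: an intact partition table with a missing
    signature is the pattern of a wiper that clears only the boot signature."""
    info = parse_mbr(sector)
    if info["signature_ok"]:
        return f"boot signature intact, {len(info['partitions'])} partition(s) defined"
    if info["partitions"]:
        return "boot signature missing, partition table still present (signature-only wipe)"
    return "boot signature missing, partition table empty (full sector wipe or unformatted disk)"


def build_sample_mbr() -> bytes:
    """Constructed test sector (not a real disk image): zeroed boot code, one
    bootable NTFS-type (0x07) partition starting at LBA 2048, valid 0x55AA signature."""
    entry = struct.pack(ENTRY_FORMAT, 0x80, 0x07, 2048, 204800)
    sector = bytearray(MBR_SIZE)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[SIGNATURE_OFFSET:] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    intact = build_sample_mbr()
    wiped = intact[:SIGNATURE_OFFSET] + b"\x00\x00"   # simulate a cleared boot signature
    print(triage(intact))
    print(triage(wiped))
```

On a real case the sector would be read from a forensic image of the first 512 bytes of the disk; GPT disks carry a protective MBR with the same signature, so the check applies to them as well.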

In addition to the wiper, the attackers deployed legitimate software tools, including Plink, RevSocks, and components from the Windows 2000 resource kit, to support reconnaissance, move laterally, and maintain persistent access to the targeted systems. These techniques align with tactics described in the MITRE ATT&CK framework, including Persistence and Credential Access, which may have been instrumental in maintaining a foothold within the networks of the targeted organizations.

The current wave of cyber activity coincides with broader trends in cyber warfare, particularly from pro-Iranian actors such as Cyber Av3ngers and Cyber Toufan, who are increasingly directing their efforts toward Israel and the U.S. Amid rising geopolitical tensions, these groups appear to be adopting a narrative of retaliation, launching attacks that simultaneously target both U.S. and Israeli assets as part of a coordinated strategy.

Recent intelligence indicates that Cyber Toufan has perpetrated numerous such hack-and-leak operations, frequently wiping infected systems and distributing stolen data via their Telegram channel. This strategy has left many organizations grappling with significant losses, with estimates suggesting that nearly one-third are still unable to recover their operations over a month post-attack.

The Israel National Cyber Directorate has reported tracking approximately 15 hacker groups connected to Iran, Hamas, and Hezbollah conducting malicious cyber operations within Israeli cyberspace since the escalation of conflict between Israel and Hamas in October 2023. This activity mirrors tactics previously observed in the Ukraine-Russia conflict, employing psychological tactics and wiper malware to compromise sensitive information.

As these cyber threats evolve, business owners must remain vigilant in understanding the risks associated with such attacks, particularly in light of the sophisticated methods employed by these adversarial groups. Implementing robust cybersecurity measures and staying informed about potential vulnerabilities is essential in mitigating the impact of such disruptive campaigns.
