Iran’s Balkan front: The roots and consequences of Iranian cyberattacks against Albania
by Gerta Zaimi / Photo credits: Middle East Institute
On Sept. 7, Albanian Prime Minister Edi Rama announced in a video statement that a series of damaging hacks of the country’s critical digital infrastructure earlier that summer had been attributed to the Islamic Republic of Iran (IRI), and as a result, his government was terminating diplomatic relations with the Tehran — arguably one of the most profound responses that a sovereign state might take to a cyberattack. Iranian foreign ministry spokesperson Nasser Kanaani condemned Tirana’s decision as “unfounded,” adding that it “only serves the American and Israeli conspiracy.”
But undercutting Kanaani’s denial, just three days later, an Iranian-linked group of hackers calling itself HomeLand Justice targeted a restricted database administered by the Albanian police, before posting the ransacked information to Telegram over the coming weeks.
On Sept. 19, a dozen days after Albania broke off diplomatic relations with the IRI, HomeLand Justice published on its Telegram channel a 47-page document of stolen data. The file contained personal identifying information as well as records of the border crossings of the former general director of the State Police of Albania (Policia e Shtetit), Gladis Nano, and his family.
Less than a month later, on Oct. 3, the same group of cyber actors released another voluminous document, this one over 1.7 gigabytes in size, which exposed 300 identities of persons suspected of criminal acts in Albania. That data dump strongly suggested the hackers had broken into Albania’s sophisticated police communication system called Memex, raising strong concerns about national data protection measures.
More periodic leaks followed. On Oct. 19, the hackers published a file linked to the director of Albanian intelligence, Helidon Bendo, that contained 17 years’ worth of data (2005-2022) from the government’s Total Information Management System (TIMS), again exposing logged entries and exits at the state border. On Nov. 2, the group raised the stakes again by releasing the identities and personal details of 600 Albanian intelligence officers, including their names, emails, and phone numbers. Six days afterward, HomeLand Justice released a video of an Albanian intelligence operation in collaboration with the State Police, which featured footage of then-police chief Nano.
As the Albanian prime minister’s Sept. 7 statement made clear, the early autumn cyberattacks and leaks were not the first time that HomeLand Justice made itself known in the country. Previously, its affiliated hackers had stolen correspondence between ministries, embassies, and even Prime Minister Rama’s emails with Albanian citizens. Each time, the group made these public on Telegram. And on July 15, the offensive cyber actor tweeted that it was planning to carry out cyberattacks against Albania’s digital development and administration body, the National Agency for Information Society (AKSHI). After those summer-time incidents, Albania hired American cybersecurity and software companies Mandiant and Microsoft to investigate.
Iran caught red-handed
Mandiant’s and Microsoft’s reports as well as a separate investigation by the United States’ Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) all came to the same conclusion: Iranian state cyber “actors” — identified as HomeLand Justice — had taken down the websites and services of the government of Albania in July 2022. Mandiant experts believe that the individuals who carried out these attacks wanted to retaliate against the Albanian government for sheltering the Mujahedin e-Khalq (MEK), an Iranian opposition group currently residing in Manëz, Albania.
The FBI-CISA’s report, in turn, reveals that Iranian proxies apparently gained initial entry into the Albanian state network approximately 14 months before launching its devastating cyberattack last summer. The hackers then maintained continuous access to the network.
Experts in the cybersecurity field assess the IRI’s cyberwarfare capabilities as highly effective, even in comparison to traditionally more sophisticated powers like China, Russia, Israel, or the U.S. And like many of these other powers, Iran’s approach in this domain has been to rely on proxy actors to achieve strategic objectives. It has regularly responded to sanctions or perceived provocations through cyberattack campaigns. Indeed, both of these modus operandi were visible in the case of Albania, which is guilty in the Iranian authorities’ eyes for the accommodations this Balkan country has been giving to the MEK.
MEK and Albania
The MEK was founded in Iran in 1965 by radical Iranian students whose shared ideology combined Marxism and Islam. Between 1980 and 1981, the organization gained popular support and emerged as a political-militant opposition force to the new theocratic regime, at which point its adherents were forced to seek exile abroad, eventually ending up in Saddam Hussein’s Iraq, amidst the Iran-Iraq war (1981-1988).
Under intense lobbying from the group and in return for renouncing violence, the United States removed the MEK from its list of terrorist organizations in 2012, where it had been since 1997. Following Saddam’s toppling, the MEK needed to be pulled out of Iraq. The U.S. asked several countries to offer asylum to the group, including Romania. But worried about the possible security consequences involved, Bucharest demurred, prompting Washington and the United Nations to turn to Tirana.
The Albanian government publicly disclosed parts of this deal in March 2013. In agreement with the American authorities, the transfer to Albania of more than 2,000 Iranian mujahedin began in 2016. Soon thereafter, the MEK built the “Ashraf 3” camp in the Manëz area, between Tirana and Durrës.
Undoubtedly, the MEK’s arrival and regrouping in the small Balkan state could not pass without consequences. Giving shelter to the largest Iranian opposition faction, which presents itself as a future government-in-exile, organizes annual political summits, and allegedly carries out cyberattacks against the IRI, automatically pitted Tirana in a diplomatic dispute with Tehran. Over the years, this conflict metastasized, including into the theater of cyberwar.
The consequences of Albania’s hospitality
After Albania severed diplomatic relations with the IRI in early September, Iran’s foreign ministry stated that the charges leveled against the Islamic Republic would “give full support to a terrorist sect,” referring to the MEK, which “continues to play a role as one of America’s tools in perpetrating terrorist acts, cyberattacks” against Iran.
This implicitly served as an admission of guilt by Tehran for the summer-time cyberattacks as well as confirmed the reason behind them. In fact, Iranian covert activities against Albania had been growing for years since the arrival of the MEK to the Balkan country.
In 2018, Albania expelled Gholamhossein Mohammadnia, then the Iranian ambassador to Tirana, and Mostafa Roudaki, the station chief of the Iranian Ministry of Intelligence and Security (MOIS), describing them as “undesirable elements” involved in “illegal actions against [Albanian] national security.” In 2020, other evictions took place. Two diplomats of the Iranian embassy, Mohammad Ali Arz Peimanemati and Seyed Ahmad Hosseini Alast, were forced to leave Albania and declared persona non grata.
That same year, Danial Kassrae, an Iranian with Italian citizenship, was deported from Albania, accused of espionage on behalf of MOIS to gather information on the MEK. In October 2020, Albanian authorities arrested Iranian citizen Bijan Pooladrag on five charges related to terrorism and tampering with computer data. Last week, Pooladrag was sentenced to 15 years in prison. He was declared guilty of the charge of financial actions with persons or organizations related to terrorism and of participating in a terrorist organization.
In 2021, three Iranian journalists, Mohammad Alavi-Gonabadi, Firouz Baghernejad, and Mohammad Heydar Allauddin, were deported from Albania. All three supposedly worked for MOIS and sought to gather information on the MEK.
In July 2022, the Albanian Special Anti-Corruption Structure (Struktura e Posaçme Anti-Korrupsion, SPAK), an independent judicial entity tasked with investigating high-level corruption and organized crime, at the request of the Special Prosecutor’s Office, detained and interrogated 20 Iranians, all former MEK members, for espionage in the service of the Iranian regime.
Additionally, the annual MEK summit, scheduled to be held later that same month, on July 23-24, at Camp Ashraf 3 in Manëz, was postponed (finally held on Sept. 5) due to an apparent threat of a terrorist attack against the proceedings. The decision was motivated by the Albanian government’s recommendation as well as a July 21 warning from the U.S. embassy that the IRI was allegedly planning to violently disrupt the event. A few days later, the Iranian news agency Fars, which is associated with the Islamic Revolutionary Guard Corps (IRGC), asserted that Iran could attack the MEK in Albania with drones and missiles.
Evidence of Iran’s special operations targeting Albania continued to mount over the following weeks. In August, the Albanian police detained Batool Soltani and her husband, Afshin Kalantari, the former holding dual Iranian-German citizenship, and held them for 72 hours before deporting them to Germany. Albanian police identified them as a national security risk and suspected them of trying to carry out terrorist attacks in the country.
Soltani and Kalantari had come at the invitation of the Association for the Support of Iranians Living in Albania (ASILA), a Tirana-based organization founded in November 2021 that claims to assist former MEK members who left the group as well as to promote cultural exchange between Iran and Albania. However, Albanian authorities have long suspected ASILA of creating an agent network with the goal of obtaining detailed information about MEK members living in the camp in Manëz. At the same time, SPAK is actively investigating ASILA’s ties to the Iranian government. Indeed, ASILA’s own activities are conspicuously promoted online by the Nexhat Association, an organization based in Tehran whose stated aim is “rescuing comrades who are still subjectively and even objectively enslaved by this Organization [the MEK] and to help their suffering families.”
Going forward, Iran’s attacks on Albania can be expected to continue but probably at a lower intensity. This is mainly because Iranian intelligence has lost much of its presence on the ground following the closure of the IRI embassy — a presence built up and cultivated over three decades and one that local proxy networks cannot replace. The main weapon left in Tehran’s hands is, thus, hacking and sabotage of national computer networks.
Albania became an Iranian target in the first place because it agreed to host the Iranian opposition group MEK on its territory, because it is an enthusiastic member of the North Atlantic Treaty Organization (NATO) — which Supreme Leader Ali Khamenei notably vilified last summer, in the presence of Russian President Vladimir Putin — and because Tirana steadfastly stands as one of the key supporters of American interests in the Western Balkans, where the IRI seeks to pursue both covert and overt interests.
Consequently, Albania needs more support in the cybersecurity realm from the U.S. and its allies not only financially but also in terms of improving its domestic knowledge and technology base. Undoubtedly, the Alliance has taken this year’s cyberattacks against Albania seriously, as emphasized in a Sept. 8 statement by the North Atlantic Council: “We will continue raising our guard against such malicious cyber activities in the future, and support each other to deter, defend against and counter the full spectrum of cyber threats, including by considering possible collective responses.”
So long as Albania remains in Tehran’s sights, the country will continue to depend on allied support in the cyberwarfare space.
The original article is available here: https://www.mei.edu/publications/irans-balkan-front-roots-and-consequences-iranian-cyberattacks-against-albania