Source: NY Times
Feb 25, 2023
Albania has been the target of repeated digital assaults believed to be linked to its sheltering of an Iranian dissident group on its soil.
TIRANA, Albania — Customers at one of Albania’s biggest banks got a shock shortly before Christmas when a curt text popped up on their cellphones: “Your account has been blocked. The balance of your account is zero. Thank you.”
The messages, which turned out be fake, signaled the opening of a disruptive new front in what Albanian authorities, the United States and NATO have identified as an enormous cyberattack orchestrated by Iran on one of the weakest members of the military alliance.
“It is an attack — an aggression against the sovereignty of one country by another state,” Prime Minister Edi Rama said in an interview in Tirana, the Albanian capital, calling the assaults “absolutely the same as a conventional military aggression only by other means.”
The onslaught has swept Albania, a Balkan nation with fewer than three million people, into a maelstrom of uncertainty and plunged it into big geopolitical battles involving Iran, Israel and the United States.
The reason for the attacks, which began with a stealthy penetration of government servers in 2021, but started causing visible disruption only last year, appears to be Albania’s sheltering of Mujahedeen Khalq, known as M.E.K., a secretive Iranian dissident group, on its soil.
Also playing a role are the polarized politics of Washington, where prominent Republican hawks on Iran have been strong backers of M.E.K.
Hired by the Albanian government to investigate, Microsoft, in a report on the attack, attributed it with “high confidence” to “actors sponsored by the Iranian government,” identifying M.E.K. as the “primary target.” The campaign against Albania, the report added, was probably “retaliation for cyberattacks Iran perceives were carried out by Israel” and Mujahedden Khalq.
A logo stamped on confidential Albanian documents leaked by the attackers features an eagle preying on the symbol of a hacking group known as Predatory Sparrow — which Iran blames for attacks on its own computer networks — inside a Star of David.
Predatory Sparrow has claimed responsibility for a number of sophisticated attacks against Iranian targets, including the state broadcasting company.
Albania, which has a large, mostly secular Muslim population, severed relations with the Islamic Republic of Iran in September, expelling its diplomats in response to what experts say is the most disruptive cyberattack in Europe on a NATO member since 2007, when Russia assailed computer networks in Estonia.
The attack on Albania has not only disrupted the government’s work and sought to undermine trust in financial institutions — a grave threat in a country that tipped into civil war in 1997 after fraudulent investment funds collapsed — but it has also involved the leak of a vast trove of confidential information.
Leaked data includes the names and addresses of more than a thousand undercover police informants; the email traffic of the head of the intelligence service, a former president and the former chief of police; and the banking information for more than 30,000 people.
The gravity of the sprawling assault has posed a tricky test for NATO, of which Albania is a member and enjoys protection under the alliance’s commitment to collective defense. (NATO says there was no effect on its networks or military operations.) Albania has been a member since 2009, one of 14 formerly Communist countries to join.
Article 5, the cornerstone of the alliance, says “an armed attack” against any of the allies in Europe or North America “shall be considered an attack against them all.”
The entrance gate to the camp housing Mujahedeen Khalq, known as M.E.K., a secretive Iranian dissident group, in 2020. A Telegram channel used by the attackers has featured regular posts denouncing the group as terrorists and demanding that Albania shut down a camp.Credit...Tara Todras-Whitehill for The New York Times
But cyberattacks, Mr. Rama said, are a different form of aggression, and, in terms of doctrine, “events are running ahead of us when it comes to” them. Because of this, he said, Albania has not invoked Article 5. “How does the alliance respond? By attacking the defined country through cyber, by using military means or by what?” he said.
NATO has limited itself to pledges to “support Albania in strengthening its cyberdefense capabilities” and denouncing “malicious cyberactivities designed to destabilize and harm the security of an ally and disrupt the daily lives of citizens.”
The attack on Albania began in 2021 when hackers penetrated an unprotected government computer and then expanded from that beachhead into networks used by the Albanian intelligence service, the police, border guards and other official agencies.
Lurking there for many months unbeknown to the authorities, they downloaded huge quantities of data and then broke cover last summer when they started deleting files from servers, crippling many government services. After that, they started leaking selected information, much of it secret, on a Telegram messaging service channel called Homeland Justice.
Just as officials thought that holes in Albania’s defenses had been plugged, the hackers turned on the private sector, hitting at least one major bank, Credins Bank, with fake messages of drained accounts and releasing confidential personal banking information.
“It just goes on and on,” Mr. Rama lamented. “This is a terrorist attack designed to create panic, to create fear, to fuel insecurity and to make people believe that nothing is under control,” he added. “They have planted ticking bombs everywhere with no clear pattern about when and where these bombs will blow up next.”
But the ultimate target of the attack seems reasonably clear. The Homeland Justice channel has featured regular posts denouncing M.E.K., the Iranian opposition group, as terrorists and demanding that Albania shut down a camp run by the group near the port city of Durres or face further mayhem.
Former members describe M.E.K., which in 2016 moved many of its followers to Albania from its previous base in Iraq, as a sinister cult. The United States classified it a terrorist outfit until 2012, but leaned on Albania to offer shelter to thousands of its members after their camp in Iraq came under attack from pro-Iran militias
“Welcome to hell…You serpents! You brood of vipers! How are you to escape being sentenced to hell?” said a message posted on the hackers’ Telegram channel in December after Albania declined to close the M.E.K. camp. “As long as MEK exists so do we,” the hackers warned. “Why should our taxes be spent on the terrorists of Durres?” asked another message.
To reduce the risk of panic, the Albanian government prohibited news outlets from publishing information leaked on the Homeland Justice channel. The United States has dispatched experts from the F.B.I. and other agencies, though Mr. Rama said, “Of course we would like to see the U.S. government do more, to help more and be more present in helping us to build the best possible cyberdefenses.” Israel, which has extensive experience dealing with Iranian threats, is also helping.
But these efforts, according to Gentian Progni, a cybersecurity expert in Tirana, left suspected Iranian hackers lurking in Albania’s networks until at least the end of January. He noted that they posted online a government identification document generated on Jan. 29.
“We were told the hackers were no longer inside the system, but we can see they are still there,” Mr. Progni said in an interview last month. “This is a big mess and more serious than anyone thinks.”
Defectors from M.E.K. question whether Iran is behind the attack and believe the real culprit could be the opposition group itself.
There are some signs indicating that actors other than the Iranian state have been involved. These include the mysterious appearance of a second Telegram channel calling itself Homeland Justice. The new, fake channel contains many of the same posts as the original one linked to Iran but is curated to delete content that is particularly embarrassing to the Albanian government, like secret lists of police informants, and to add content apparently aimed at amplifying hostility to Iran.
The genuine Homeland Justice channel, in contrast, has sought to calm public outrage over the attack by repeatedly stressing that its target is not ordinary Albanians but M.E.K. and the Albanian government for refusing to expel the group.
The Albanian government has resisted succumbing to blackmail and has refused to evict M.E.K. Doing that, Mr. Rama said, would be “the biggest shame” for a country with a long history of sheltering refugees nobody else wants, including thousands of Afghans in 2021.
But he complained that M.E.K. were “not easy people, frankly,” and that the group had violated an agreement that it would refrain from using Albania as “a safe haven to make political activity against the Iranian regime.”Instead, the group has organized high-profile events in Albania aimed at rallying opposition to Tehran, including an annual gathering called the Free Iran World Summit, whose paid speakers have included prominent American supporters like Rudolph W. Giuliani, a former New York mayor and a onetime personal lawyer to former President Donald J. Trump.The Iranian dissidents, Mr. Rama said, have “friends on Capitol Hill that lobby for them” but have now been ordered to halt public activities against Iran. M.E.K. canceled the Free Iran event last year. “There is no more of this now,” the prime minister said. “We hope that they will not try again because it is not beneficial to this country and they have to accept that.”
Fatjona Mejdini contributed reporting.
Andrew Higgins is the bureau chief for East and Central Europe based in Warsaw. Previously a correspondent and bureau chief in Moscow for The Times, he was on the team awarded the 2017 Pulitzer Prize in International Reporting, and led a team that won the same prize in 1999 while he was Moscow bureau chief for The Wall Street Journal.