The tone is firm, the accusation clear and the decision unprecedented: on Wednesday 7 September, Albanian Prime Minister Edi Rama announced, notably in a video posted on the Internet, the end of diplomatic relations between his country and Iran. Diplomats and employees of the Iranian embassy in Tirana have 24 hours to pack their bags and return to Tehran.
The reason for this sudden and cold anger? The major computer attack that hit the small Balkan country in the middle of summer. In mid-July, the authorities had to disconnect government computer systems to ward off an attack by ransomware, a program that makes data inaccessible and demands a ransom from the victim. The attack, the Prime Minister protested in his message, was intended “to destroy the digital infrastructure of the Government of the Republic of Albania, to paralyze public services, to hack data and communications from government systems”.
Typically, ransomware is used by the digital underworld for extortion purposes. However, “the July 15 attack was not an individual act or a concerted action by an independent cybercriminal group, but an aggression by a State”, Mr. Rama made a point of specifying. “A thorough investigation has allowed us to uncover irrefutable evidence that this attack on our country was orchestrated and supported by the Islamic Republic of Iran”, continued the Prime Minister.
This accusation is not entirely surprising. One of the ransomware programs used in the attack, analyzed by Mandiant, a company close to the American authorities, carried a message that left little doubt about the motivation and the sponsor of the attackers. “Why should our taxes be used for the benefit of the terrorists in Durres?” the virus wrote on infected computers.
Timing coincides with a meeting of opponents of Tehran
The hackers' mention of this city, located about thirty kilometers west of the Albanian capital, Tirana, owes nothing to chance: it was nearby that a meeting of the People’s Mojahedin Organization of Iran (PMOI) was to be held. This Islamo-Marxist movement, a hated opponent of the Tehran regime, regularly earns Albania attacks from Iran. Since 2013, a significant number of its members have found refuge in the country, at the request of the United States and the UN. The organization's meeting, scheduled for the end of July, had ultimately been canceled for nebulous security reasons, the authorities fearing attacks. The cyberattack was not cited at the time as one of the reasons for this cancellation.
The coincidence of the attack with the large PMOI gathering, together with certain technical elements, had led many observers to point the finger at Tehran since the summer. At the beginning of August, the company Mandiant noted, for example, that the same hackers who had attacked Albania had previously gone after targets close to the opposition to the regime in place in Tehran, which allowed it to deduce that this group was probably of Iranian origin. Incidentally, the PMOI has in the past been targeted by Iranian hackers through attacks and disinformation operations.
More broadly, Tehran does not hesitate to resort to violence in its fight against the PMOI. The Belgian courts thus confirmed this year the conviction of three Belgian-Iranians for having plotted an attack, ultimately foiled, targeting a meeting of the National Council of Iranian Resistance organized in Villepinte, in the suburbs of Paris, in 2018. The PMOI makes up the bulk of that organization's ranks.
In recent years, Albania has already expelled two Iranian diplomats serving in the country, accusing them of threatening “national security”. But the severance of diplomatic relations appears to be a further step in the tensions between the two countries.
Attack condemned by the White House
All the more so since the United States immediately supported Albania. Washington plays a leading role in this affair: American experts went there as soon as the attack broke out to help the Albanian government contain the offensive and investigate those responsible.
The White House supported the Albanian denunciation through a press release condemning “firmly” this “unprecedented” computer attack against a “NATO ally” country, an attack which, according to the White House, flouts the “standards of responsible behavior in cyberspace”, in this case by attacking “critical infrastructure providing public services”.
“Malicious activity carried out by a state that willfully damages infrastructure (…) can have cascading national, regional and global consequences and can lead to escalation and conflict”, continues the press release. “The United States will act to hold Iran accountable for actions that threaten the security of an ally”, the White House even warns.
While the American reaction is classic, in the view of Aude Géry, doctor in public international law and specialist in cyberspace, the question now is whether the European Union (EU) will add its voice to that of the Americans, given “the EU’s ongoing rapprochement with Albania and its neighbours, including on cyber issues”.
Several groups of hackers known to be close to the Iranian authorities have been waging a relentless guerrilla war for months against Israeli targets. Rarer are the examples of attacks targeting NATO member countries close to Europe, such as Albania. According to Mandiant, the July attack thus constitutes “a particularly daring operation” and could suggest that the Iranian cyber apparatus is less cautious when it comes to attacking countries “perceived as working against Iranian interests”.