Large cyberattacks on the government systems of Albania have been linked to Iran by Mandiant, a threat intelligence giant.
According to Security Week, the Albanian government revealed in mid-July that it had been forced to shut down some public online services due to a cyberattack. Mandiant then investigated the incident, which led to the discovery of a new piece of ransomware.
Researchers at Mandiant came across the ransomware after it had been uploaded from Albania to a public malware repository a few days after the cyberattack was launched. The ransomware has been named Roadsweep.
While Mandiant was unable to confirm that the ransomware was indeed used in the attack, the malware encrypts files on compromised systems and then drops a ransom note suggesting that its target is the Albanian government.
An analysis of the Roadsweep ransomware showed that it shares code with a backdoor named Chimneysweep, which allows its operators to take screenshots, log keystrokes and steal files.
Shortly after the Albanian government announced shutting down systems due to a cyberattack, someone from within the country uploaded to a public malware repository a sample of a wiper malware that Mandiant has named Zeroclear. While Mandiant was unable to confirm that this malware was used in the operation, Zeroclear was previously used by Iran-linked threat actors for disruptive activities in the Middle East.
Based on the information provided, Mandiant believes with ‘moderate confidence’ that Iranian threat actors are involved in the attacks on the Albanian government.
Copyright © 2022 RegTech Analyst