When the street housing the Russian Embassy in the Albanian capital, Tirana, was renamed “Free Ukraine,” the Russians decided to move. They methodically dismantled the cameras outside the building, removing communications antennas, and lowered the flag.
The Iranians, however, did not have the luxury of time. After the Islamic Republic was held responsible for cyberattacks on the Albanian government, in a televised address on Sept. 7, 2022, Prime Minister Edi Rama gave Tehran’s diplomats just 24 hours to leave the country.
As night fell, witnesses saw staff burning documents in a metal barrel on the Iranian Embassy grounds as part of a swift, crude, and desperate evacuation before armed Albanian Police special operations forces entered with dogs normally used to find explosives.
It was an unprecedented severing of diplomatic ties over alleged cyberattacks, even if Iran had a clear motivation. Investigators believe that Albania was targeted in retaliation for its sheltering of thousands of members of Mujahedin-e-Khalq (MEK), a once-violent, cult-like Iranian opposition group residing in a fortified camp in Manëz, Albania, after being evacuated from Iraq in 2016.
The still-intact surveillance equipment left near the Iranian Embassy’s gate is a monument to the fact that hostile eyes are still on Albania, and that Albania, a NATO member, remains under attack by malign foreign actors seeking to damage one of the most vulnerable members of the military alliance.
“It is still a dirty cyberwar going on,” Rama told Foreign Policy in his office in Tirana in January, its walls covered with the artist prime minister’s futuristic doodles. “It is the nature of the cyberwar to have all the time to have this kind of back and forth,” he said over the chirps of the exotic birds he keeps outside his door.
Albania is suffering in the face of continuing cyberattacks that are digitally devastating the country’s critical computerized public and private infrastructure. According to the U.S. Federal Bureau of Investigation (FBI), hackers gained continuous access to Albanian government servers in 2021 and harvested data before deploying ransomware and, in July 2022, launching a destructive “wiper” attack that used disk-wiping malware to destroy public data.
They also shut down government websites with ransomware, disrupting public services. This was catastrophic because those services had been digitized to circumvent slow and corrupt bureaucratic processes. As the vast majority of government services had been brought online, all aspects of the lives of Albanian citizens, from births to marriages to deaths, were thrown into disarray.
Hackers, too, gathered, deleted, and circulated classified information including the identities of hundreds of undercover Albanian intelligence officers, published the emails of the director of intelligence, and continue to leak sensitive information through a website and Telegram channels, hampering the government’s ability to govern. The information included more than 17 years’ worth of data tracking everyone who entered and exited the country from the government’s Total Information Management System (TIMS), as well as from private institutions such as bank customer financial records. “It was very, very severe,” Rama said regarding the impact of the attacks.
Rama is fully aware that Albania’s decision to allow the MEK, the Iranian regime’s largest external organized opposition faction, to create a base from which they have been able to establish themselves as a prospective government in exile was a controversial one. The group has carried out political activities, holding annual summits (the July cyberattack took place before a planned MEK conference) and hosting foreign dignitaries, including Mike Pompeo and Mike Pence. Still, Rama defends the move.
“They were massacred by raids of Iranian secret service [in Iraq] and then our American friends asked us if we could open our door,” the prime minister said. “We honored our tradition of sheltering people. It is a long tradition in Albania. It is what made Albania the only country in Europe to have more Jews after the Second World War than before,” he said, with the enduring charm that led him to win three democratic elections, despite numerous scandals.
Aggression is a signature of Iranian cyber operations, according to cyber experts. The Chinese are interested in espionage, the Russians in influence, and the Iranians in aggression. And the attacks on Albanian internet infrastructure are perhaps the most aggressive ever carried out against a state in peacetime.
“With the exception of the attacks on the Ukrainian government, post-invasion, which obviously are happening in the context of shitloads of bombs getting dropped on Ukraine…this one is notable because it is an attack directly on a government,” said Benjamin Read of Mandiant, which was brought in to investigate the attacks. “So that is really the distinguishing feature here: a full-frontal attack on a government that you are not at war with,” he said.
For some, the size, scope, sophistication, and aggressive nature of the Albanian attacks, plus the ransomware operations from cybercriminal groups operating from Russian territory, mean that Iran was not acting alone. “I think it is a collaboration between Russia and Iran,” said Gentian Progni, a digital entrepreneur and self-described “whistleblower” based in Tirana, “because the range of the attacks was too big.”
Progni, who learned how to code as a child while housebound during a family blood feud that he cannot elaborate on for fear of reigniting it, points out that the leaked information from the hacks was disseminated from a Russian website, justicehomeland.ru, which Russian authorities have yet to take down, and through Telegram channels also used to spread pro-Russian propaganda.
He also notes that during the same period in which Albania was attacked, Russian-speaking groups carried out other attacks throughout southeastern Europe against Montenegro, Bulgaria, Kosovo, and North Macedonia.
The most recent high-profile attacks were carried out against Air Albania, the country’s national airline carrier, by the LockBit group, a notorious cybercriminal gang operating from Russian territory, with Russian-speaking members. It does not attack entities or states within the Russian-dominated Commonwealth of Independent States, according to Tim Mitchell, an expert on LockBit at SecureWorks, a U.S. cybersecurity company.
Last November, a 33-year-old Russian and Canadian national was charged with participating in the LockBit global ransomware campaign and is awaiting extradition to the United States. LockBit also made headlines last month for an attack on Royal Mail, Britain’s primary postal and parcel firm, forcing it to shut down all international mail and parcel deliveries.
The attack on North Macedonia was linked to the BlackByte group, which avoids attacking Russia-based entities. Progni shared with Foreign Policy a screenshot showing numerous Russian IP addresses used for the Kosovo attacks. “So basically, Russia and Iran attacked Albania,” he said.
“Listen, I know that it is very politically correct to blame Russia for everything nowadays, but I think they have enough blame on them,” Rama said. “In this case, no, there is no Russian participation, because the [FBI] investigation did not show any.”
Yet both Rama and the FBI have come under fire in Albania following a recent scandal in which the Albanian government is accused of bribing a former FBI official to push for FBI investigations into areas that damaged the Albanian opposition.
“Domestic law enforcement agencies in Albania…have viewed the FBI in this case as institutionally weak, politically exploitable, and even suspected of involvement in corrupt affairs and influence trafficking for the benefit of powerful individuals in third countries,” said Zef Preci, director of the Center for Economic Research, a nongovernmental organization in Albania.
The FBI declined to comment for this article.
Even if the number of attackers involved in targeting Albania remains unclear, the Russian and Iranian partnership is undeniably close in the battlespace of Ukraine, where Tehran has fast become Moscow’s major military backer in the war, most notably with its supply of lethal kamikaze drones that have devastated Ukrainian infrastructure. In a December briefing, White House National Security Council coordinator John Kirby said, “Russia is offering Iran an unprecedented level of military and technical support that is transforming their relationship into a full-fledged defense partnership.”
The digital attacks in Albania may also signify a greater partnership in the cybersphere. “Here in Ukraine, on the frontline, we are under almost daily attack from the Russians using Iranian Shahed drones. It is just one example of burgeoning cooperation between Tehran and Moscow,” journalist David Patrikarakos, the author of Nuclear Iran, told Foreign Policy from Bakhmut. “We can expect information spaces to become increasingly polluted as the two cooperate more in the digital sphere.”
In January 2021, five months before the hackers gained access to Albanian systems, Iran and Russia publicly declared that they had formally signed a cybersecurity deal. “Although Iran and Russia are known to have cooperated on cyber activities even before 2021, this agreement signals a deeper level of cooperation between the two countries at all administrative levels in the areas of cybersecurity, technological transfer, and joint training,” according to Miad Nakhavali, an Iran researcher and analyst at the Belgrade Centre for Security Policy.
While Russia may not have provided the tools used by Iran to attack Albania, it certainly could have provided the training. And the modus operandi of the attacks has a Russian flavor. “With regards to the use of wipers [the erasing of data], it does bear similarities to what the Russians did in Ukraine,” said Omree Wechsler, a senior researcher at the Yuval Ne’eman Workshop for Science, Security, and Technology at Tel Aviv University.
“There is an ongoing partnership between Russia and Iran in cyberspace, which is mostly based on a shared anti-U.S. sentiment and mainly revolves around shared cyber intelligence, training, capacity building and technology transfers. Not much else is known about what tools, techniques or intelligence were shared,” Wechsler said.
Targeting Albania makes sense for Moscow and Tehran. After all, Tirana is perhaps the United States’ closest partner in the Western Balkans since reestablishing relations after 45 years of communist isolation, which saw Albania as the “North Korea of Europe,” according to Rama.
Albania has not only hosted the Iranian dissidents of the MEK, but also hundreds of U.S.-affiliated political refugees from Afghanistan following the chaotic collapse of the U.S.-supported government there. It was also confirmed last year that Washington would be setting up a special operations forces base in the country.
Cyberoperations against the U.S. government and its allies reveal a strategic partnership of sanctioned states and their proxies working together to damage Western interests globally. Last May, Iranian-backed militias in Iraq claimed responsibility for distributed denial of service (DDoS) attacks that took down Ukrainian government websites on two occasions. One was said to be revenge for the killing of Daria Dugina in Russia. The second was directed against the website of the Ukrainian Ministry of Infrastructure and took place in October.
The exact nature of Russia and Iran’s cyber partnership is unknown. “The Russians are better than the Iranians,” said a cybersecurity expert and independent researcher who goes by the name Grugq. The Iranian Ministry of Intelligence and Security (MOIS) “would very much be the junior partner that would benefit a lot from Russia working with them and not the other way round.”
It is a view echoed by Hamed Mohammadi, an Iranian dissident journalist at Kayhan London, who formerly served in the Iranian Army. “The mullahs listen to Russia’s orders. Of course, they pretend to be independent, but Russia’s influence in the decision-making structure of the Iranian regime is very high, especially in relation to security and military issues.”
Yet, as the Albania attacks show, Iran should not be underestimated, according to Wechsler of Tel Aviv University. “They are not that sophisticated, but they are playing in the court of the big actors,” he said.
Tehran also had a highly suspect diplomatic corps in Tirana. Considering how few economic, cultural, and political ties there are between the two countries, other diplomats in Tirana, as well as the Albanian authorities, often asked what exactly they were doing there. They were not seen at other diplomatic functions, according to one Western diplomat who spoke on the condition of anonymity, and service staff at cafes and restaurants near the Embassy said the Iranians would not even drink coffee outside.
In 2018, Albania expelled the two most senior Iranian diplomats in Tirana, citing national security concerns. Ambassador Gholamhossein Mohammadnia and diplomat Mostafa Roodaki, believed to be the MOIS station chief, were declared persona non grata. Albanian authorities also detained, interrogated, and deported other Iranians for espionage in 2020 and, last year, sentenced Iranian citizen Bijan Pooladrag on charges related to terrorism.
Russian nationals, too, have found themselves accused of espionage. Twice in the past two years, alleged Russian agents were arrested near military bases, one of which is being transformed into a new NATO airbase. They are being held in Albanian custody.
“We are weaker,” said Fatos Klosi, former head of Albania’s secret service. “It is much easier to attack us and they did it. It is easy to do it. And they did it.” Albania’s vulnerability came from a fast push to digitize government services. “Now we have 95 percent of public services online,” Rama said. “This was our strength in terms of modernization, but it also became our vulnerability because we were exposed.”
Albania’s exposure is ongoing and has been catastrophic for its internal functioning and external information sharing with partner nations. A diplomatic source, speaking on the condition of anonymity, said that “partner countries’ operational collaboration with the government of Albania has been directly impacted by the cyberattacks,” presumably because allies worry communications are not secure.
Espionage has changed since Klosi’s time as head of the secret service. When he started, Albania was just getting online and most interactions were done in person. “It was a gentleman’s sport for a long time, since the ’90s, since the fall of the Berlin Wall,” he said. “We would say to the adversary, to the counterpart, we have an idea that this guy is yours, and if it was true, usually the other service would remove the guy.”
Asked whether we will ever know with 100 percent certainty who exactly is attacking Albania, the former spy chief said no. “Everything is hypothetical in this field. There is no guarantee to say who did it. Who did not do it. We are in uncertain waters,” Klosi said. “I know that the truth is one thing and what appears on the surface is another. What comes to the surface of the water is either propaganda or interests.” (Foreign Policy)