The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI they said on Wednesday that hackers linked to Iran's military spent 14 months inside the Albanian government's networks before launching a ransomware attack that caused widespread damage in July.
The FBI did not specify which Iranian hacking group was behind the incident, but explained that during their investigation, they discovered that the hackers were exploiting a loophole security in Microsoft SharePoint distributed on the Internet via CVE-2019-0604.
The services cyber securitys sorted it CVE-2019-0604 as one of the errors that caused her infringement during 2020. The same bug is used by government hackers, but also by ransomware gangs.
According to the warning, the hackers were able to maintain continuous access to the network for more than a year, frequently stealing emails throughout 2021. By May 2022, the hackers began moving laterally and probing the network, carrying out wider credential theft from Albanian government networks.
The FBI confirmed reports from Reuters and other researchers that the attacks έγιναν λόγω της εμπλοκής της Αλβανίαs with the Mujahideen-e Khalq, known as the MEK.
Albania allowed some 3.000 members of the group to settle near Durrës, the country's main port.
The agencies said that in July 2022, hackers "pushed a ransomware onto networks, leaving an anti-Mujahideen E-Khalq (MEK) message on their desktops."