US Sanctions Iranian Spooks for Albania CyberattackMoves Against Iran's Ministry of Intelligence and Chief Spy Send a Message
The U.S. government sanctioned Iran's Ministry of Intelligence and Security and its minister for a July cyberattack that temporarily paralyzed Albania's online service portal for citizens.
The designation by the Department of Treasury prohibits persons under U.S. jurisdiction from transacting with the ministry and its minister, Esmail Khatib. The action will have no material effect given long-standing and robust governmental prohibitions on doing business with Iran. The Treasury Department already sanctioned the ministry for support of terrorism and human rights abuses, but the designation of Khatib is new.
The designation comes shortly after Albania fingered Iran for the attack and cut diplomatic ties with Tehran. On Thursday, national security adviser Jake Sullivan discussed "the United States' strong support for our NATO ally" with Albanian Prime Minister Edi Rama. The administration of U.S. President Joe Biden earlier condemned the attack, mirroring Albania's attribution of the attack to Iran and vowing further action (see: Albania Cuts Diplomatic Ties With Iran After Cyberattack).
Repeating earlier administration assertions, Treasury Undersecretary for Terrorism and Financial Intelligence Brian Nelson said the Iranian attack disregarded peacetime norms for cyberspace.
"We will not tolerate Iran's increasingly aggressive cyber activities targeting the United States or our allies and partners," he said.
The sanctions are a demonstration that the United States is willing to use its sway over the global financial system to dissuade other governments from cyberattacks against allies, said Dave Stetson, a former attorney-adviser in the Office of the Chief Counsel at the Treasury Department's Office of Foreign Assets Control.
Today's sanctions demonstrate "that the U.S. views those cyberattacks against third countries as affecting U.S. national security and foreign policy" and that the White House is prepared to "impose sanctions on the person who perpetuate those attacks," he told Information Security Media Group.
Technically, the Specially Designated Nationals list of sanctioned entities only affects American institutions and individuals, but a new addition is actually a global event.
Transactions between foreign entities can easily involve U.S. financial institutions. The federal government hasn't been shy about going after banks that do business with sanctioned individuals even if there's just a momentary nexus to an American financial institution, said Stetson, now a partner with law firm Steptoe & Johnson. Foreign banks also have reputational and customer selection concerns, he added.
The July 15 incident involved Iranian hackers affiliated with four different threat actor groups who knocked offline multiple government websites, including the site acting as a main interface with Albanian citizenry.
A website claiming responsibility for the attacks set up by an entity calling itself "HomeLand Justice" leaked documents that appear to belong to the Albanian government and residential permits that appear to belong to members of an Iranian opposition group living in Albania (see: Iranian Group Likely Behind Albanian Government Attack).
Microsoft cybersecurity personnel who assisted Tirana in recovering from the incident said they observed attackers operating directly out of Iran, as well as other technical indicators pointing to Tehran. Among them were the attacks' use of tools already linked to Iranian attackers, including wiper code and ransomware signed with the same digital certificate used to sign other Iranian cyber weapons.
Attackers likely first gained access to Albanian networks in May 2021 by exploiting an unpatched SharePoint server containing a remote code execution vulnerability designated as CVE-2019-0604.