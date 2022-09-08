

Iran’s cyberattack on Albania triggers an unprecedented response

NATO member Albania cut off diplomatic relations with Iran on Wednesday over a cyberattack that destroyed government data and shut down services.

It’s the first known time a nation has taken such an aggressive step in response to a cyberattack, and it generated support from several other nations, including the United States.

“The United States will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace,” said National Security Council spokesperson Adrienne Watson.

The U.K. and Victor Zhora, deputy head of Ukraine’s main cybersecurity agency, also tweeted that they stood with Albania.

State-sponsored cyber terrorism extends to new countries. This time member state of NATO. Stay strong Albania. https://t.co/7UWQmWbs6s — Victor Zhora (@VZhora) September 7, 2022

But it's hard to imagine other countries doing anything similar in response to future cyberattacks.

“How often do countries cut off diplomatic relations at all, for any reason?” Jon Bateman, a senior fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace and a former Pentagon cybersecurity official, told me.

The United States didn’t end formal diplomatic relations with Russia even after its 2016 election interference, and other countries didn’t end relations with the United States after whistleblower Edward Snowden revealed U.S. surveillance operations targeting them.

“I don’t think anyone ever contemplated any of those things, nor would contemplate such a thing, if anything similar were to happen in the future,” Bateman said.

The attack

The cyberattack that stirred Albania’s ire transpired in July. A group calling itself “HomeLand Justice” claimed credit for the ransomware in a video it posted on a website and a Telegram channel, accompanied by alleged Albanian residence permits for purported members of the Iranian dissident group Mujahedeen-e-Khalq, also known as MEK.

In response to the cyberattack, Albania said it had to “temporarily close access to online public services and other government websites.” Watson said Wednesday that the attack also destroyed government data.

A few days later, MEK members canceled a summit in Albania, citing terrorist threats and the advice of the Albanian government.

Cybersecurity firm Mandiant said a “likely Iranian threat actor” was behind the cyberattack in an Aug. 4 blog post. The White House backed up that assessment on Wednesday.

“We have concluded that the government of Iran conducted this reckless and irresponsible cyberattack and that it is responsible for subsequent hack and leak operations,” Watson said.

The answer

Albanian Prime Minister Edi Rama said in a video message that in response to the “state aggression.” Rama said it “threatened to paralyze public services, delete systems, and steal state data, steal electronic communications within the government system and fuel insecurity and chaos in the country.”

That forced Albania to take “extreme measures,” he continued.

“The government has decided, with immediate effect, to end diplomatic relations with the Islamic Republic of Iran,” Rama said. It also expelled Iranian Embassy staff.

The reaction

Iran condemned the “baseless claims” of Albania and decried the cutting of diplomatic ties as ill-considered and shortsighted.

But many cybersecurity experts were impressed.

“This is possibly the strongest public response to a cyberattack we have ever seen,” John Hultquist, vice president of Mandiant Intelligence, said in a written statement. “While we have seen a host of other diplomatic consequences in the past, they have not been as severe or broad as this action.”

Dmitri Alperovitch, executive chairman of the Silverado Policy Accelerator, went further, and said the terror threats also probably played a role in Albania’s decision.

For sure the strongest official response to a cyberattack ever. Go Albania! https://t.co/2vA6izZwqK — Dmitri Alperovitch (@DAlperovitch) September 7, 2022

Here’s Dan Black, principal cyber threat analyst at NATO:

A remarkable statement and response from Albania on the cyber attacks impacting the country from mid-July.

According to Prime Minister Edi Rama, Albania has severed diplomatic relations with Iran over the incident, with 24 hours notice. https://t.co/mIlIRvd9Dq — Dan Black (@DanWBlack) September 7, 2022

Under NATO’s “collective defense” principle, an armed attack against one member is considered an attack on all of them, making Albania’s accusations noteworthy to security researcher Kevin Beaumont:

Albania is a NATO member, so effectively Albania are accusing Iran of a cyberattack via ransomware on a NATO member's government systems. pic.twitter.com/M5wljkbgDz — Kevin Beaumont (@GossiTheDog) September 7, 2022

“Albania’s action reminds us that there is no hard-and-fast rule that cyber operations must be tolerated on the international stage,” Bateman said.

On the other hand, trade between Iran and Albania is minimal.

“That does help put into context how significant this action is,” Bateman said. “It maybe explains why we don’t see lots of other countries doing this.”

As for the United States, it already doesn’t have formal diplomatic relations with two top cyber adversaries in Iran and North Korea, and it did expel some Russian diplomats in response to the 2016 election interference and hacking of federal agencies. But U.S. officials have sought to keep its embassy open in Moscow despite past cyberattacks and the war in Ukraine, and it’s hard to imagine the United States cutting off relations with major trade partner China over cyberattacks.

European Union is set to propose new cybersecurity rules for smart devices

The draft legislation, which will be unveiled next week, would fine companies as much as $15 million or 2.5 percent of the previous year’s turnover — whichever is higher — if they don’t get certificates saying they’re meeting basic cybersecurity requirements, the Financial Times’s Javier Espinoza reports. The European Commission would also get the power to recall or ban products that don’t comply with the rules.

“Under the proposed rules, which are expected to become law by 2024, internet of things (IOT) makers need to inform authorities and consumers about attacks and must be able to put in place quick fixes,” Espinoza writes. “Legislators said in the draft proposals that ‘smart’ products suffered from ‘a low level of cybersecurity’ and ‘an insufficient understanding and access to information by users, preventing them from choosing products with proper cybersecurity features.’ ”

CISA will begin asking for feedback on critical infrastructure incident reporting rules

The Cybersecurity and Infrastructure Security Agency (CISA) will hold 11 “listening” meetings with critical infrastructure operators around the country as it prepares to produce rules requiring critical organizations to report hacks to the federal government within 72 hours, the Wall Street Journal’s James Rundle reports. The agency will also release a request for information in the next few days, CISA Director Jen Easterly said Wednesday.

“What my goal is, as the director of the agency leading this process, is to ensure maximum transparency — to make sure it’s a consultative process, and ensure harmonization,” she said. The rules are expected to be formally released by 2024.

Former Uber security chief’s lawyers say the company unfairly blamed him

Lawyers for former Uber chief security officer Joe Sullivan said at the first day of a trial that the ride-share giant scapegoated him because it was trying to clean up its reputation, the New York Times’s Cade Metz reports. Sullivan, a former federal prosecutor, is accused of obstruction of justice and concealing a felony by not disclosing a 2016 security breach to the Federal Trade Commission.

“You won’t hear a single witness take that stand and say that Joe Sullivan told them to lie to the FTC or destroy documents or hide what had happened from Uber’s senior management or the Uber legal team,” Sullivan’s attorney David Angeli said.

Prosecutor Andrew Dawson, on the other hand, said that it’s a “case about a coverup, about payoffs and about lies.” Evidence in the case “will show that Mr. Sullivan paid for the hackers’ silence” because the FTC was investigating Uber, he said. He said Sullivan lied to Uber chief executive Dara Khosrowshahi by implying that hackers didn’t download Uber data.

Uber declined to comment to the New York Times.

