The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

How Albania reckoned with alleged Iranian hackers

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! The song currently spending days and days in the ol' noggin: “Goodbye,” by the Sundays.

Below: Georgia makes plans to replace some election equipment, and Australia deals with a big telecom hack. But first:

Interview: Albanian prime minister explains why he cut diplomatic ties with Iran after cyberattack

Albania’s landmark decision this month to sever diplomatic ties with Iran over a massive summer cyberattack began with a top-notch investigation, its prime minister told The Cybersecurity 202.

The FBI and a team from Microsoft worked with Albanian experts and experts from elsewhere to pinpoint four separate hacking groups that the Iranian government is known to sponsor, particularly out of its Ministry of Intelligence. One of them, Prime Minister Edi Rama said this weekend in an interview, was “among the top-10 cyberterror groups, [whose] prints have been also detected behind the attacks on Saudi Arabia, Israel and so on.”

The July hackers, he said, were bent on destruction of government services, 95 percent of which Albania has shifted to online availability after long lines previously forced some people to wait months for licenses and certificates.

  • “Based on the investigation, the scale of the attack was such that the aim behind it was to completely destroy our infrastructure back to the full paper age, and at the same time, wipe out all our data,” Rama told me. “Our sense now is first, that they didn't succeed to destroy infrastructure. Services are back. Second, data. Yes, they took some but practically not of any particular relevance.”

A group calling itself HomeLand Justice took credit for the attack, apparently inspired by Albania hosting members of the Iranian dissident group Mujahedeen-e-Khalq, or MEK. Rama did not name the four groups that the investigation deemed responsible.

When Albania ordered the eviction of Iranian diplomats and the complete cessation of diplomatic ties, some hailed it as perhaps the strongest action a nation had ever taken in response to a cyberattack. But some also questioned whether the model would work for other countries, given that some of the biggest players in cyberspace, such as China, would be harder to freeze out.

Albania didn’t have a meaningful relationship with Iran, Rama said, so the severance wasn’t a big loss. Other countries might be able to use the approach Albania did, depending first on the thoroughness of any investigation so as to feel confident in expelling diplomats, and next on the degree of harm the attacks cause.

  • “It's practically bombing the country you know, destroying critical infrastructure,” Rama said of Iran’s attacks. “The bombs are not visible, the wounds are not physical, thank God, but still [it] is an aggression, a bombardment, and it's direct harm to the national sovereignty. … Would you keep the country that bombards you?”

Iran has denied responsibility for the attack and denounced Albania’s response.

U.N. speech

Rama spoke to me Saturday following his speech at the United Nations. There, he criticized Russia’s war in Ukraine and decried a 2011 Council of Europe resolution that cited allegations of Albanian organ harvesting during the 1990s war in Kosovo, claims Rama said amounted to “one of the worst cases of distorted reality” and for which “not a single shred of evidence or proof was found anywhere.”

He also recommended the United Nations should take further action in cyberspace.

“We urge the United Nations, including the Security Council, to focus more seriously and concretely to address cybersecurity by investing in prevention and help all member states build resilience,” Rama said.

NATO and the United States have provided help on just that for Albania, he told me. Albania had been working to build stronger defenses against cyberattacks before July, but he said it takes time and a lot of money. NATO and the United States have been trying to speed that up since the July attack and a follow-up hack from Iran, he said.

  • “We were not really under the pressure of time, which is the case now after this horrible attack that was followed by another one,” Rama said.

The hackers had been inside Albanian networks for 14 months before pulling the trigger on their attacks, according to an alert that the FBI and Cybersecurity and Infrastructure Security Agency published last week.

One element of Albania’s response has faced wider criticism. The Tirana Prosecutor’s Office issued a ban on media outlets publishing some of the hacked materials that the attackers have released publicly. Journalism groups have condemned the ban. Rama said he wasn’t a fan of it, either, but hasn’t commented in the past due to the office’s independence.

  • “I think these are senseless decisions, because in the end, they don’t work, first and foremost,” he said. “The prosecutor’s office has gone strictly by the letter of the law, but in the meantime, in the age of social media, you better not go that way because even if you try to implement it, you don’t succeed.”

(Rama himself has come under scrutiny for his treatment of the media in the past.)


Iran will attack again, Rama predicted, because it’s motivated by hate. 

Under what circumstances would he consider reversing his decision about diplomatic ties?  “A free Iran,” he said.

The keys

Raffensperger plans to replace some Georgia election equipment

Georgia Secretary of State Brad Raffensperger (R) said late last week he plans to replace some election equipment in a south Georgia county, Coffee County, “to allay the fears being stoked by perennial election deniers and conspiracy theorists.”

Nearly every part of the county's voting system was copied by forensics experts working for pro-Trump attorney Sidney Powell, our colleagues Amy Gardner, Emma Brown and Jon Swaine report.

“Some election-security experts have voiced concerns that the copying of the Coffee County software — used statewide in Georgia — risks exposing the entire state to hackers, who could use the copied software as a road map to find and exploit vulnerabilities,” they write. “Raffensperger’s office has said that security protocols would make it virtually impossible for votes to be manipulated without detection.”

Raffensperger said anyone who broke the law in connection with unauthorized access to Coffee County’s machines should be punished, “but the current election officials in Coffee County have to move forward with the 2022 election, and they should be able to do so without this distraction.”

There’s an effort afoot to provide protesting Iranians with internet, app access

As protests rage across Iran over the death of a woman in police custody, the U.S. government and others are taking steps to help citizens work around an internet shutdown.

Beyond internet access cutoff, monitoring groups have reported restricted access to the apps Instagram and WhatsApp, two of the Western apps usually available in Iran.

The Treasury Department is one of the U.S. agencies taking action. Here’s Secretary of State Antony Blinken:

Encrypted messaging app Signal, blocked in Iran, has asked people for help in setting up proxy servers. And Elon Musk is looking to get involved via his Starlink satellite internet firm.

Australian telecom giant Optus hacked

The personal information of customers of the Australian telecom company Optus was stolen in a major hack last week. The company denied that human error was behind the attack, which affected potentially millions of people.

In the past, the company has opposed potential privacy law reforms that would let customers ask for their data to be destroyed, the Guardian notes.

“Optus began contacting customers whose personal information was compromised in the breach via email and SMS on Friday,” Josh Taylor writes. “It said customers as far back as 2017 may be affected because it is required to keep identity verification records for six years.”

Optus CEO Kelly Bayer Rosmarin told reporters, “I know people are hungry for details about the exact specificity of how this attack could occur, but it is the subject of criminal proceedings and so we will not be divulging details about that.”

Prime Minister Anthony Albanese said Australia will change privacy rules as a result of the hack.

Government scan

CISA, NSA guidance tries to reduce alternatives for securing industrial control systems (Nextgov)

Uber hack jolts outlook for MFA, cybersecurity regulations (README)

Industry report

Google sees Russia coordinating with hackers in cyberattacks tied to Ukraine war (The Wall Street Journal)

7-year Android malware campaign targeted Uyghurs: report (The Record)

Cyber insecurity

Watchdog report identifies cybersecurity failings at National Nuclear Security Administration  (FedScoop)

Privacy patch

San Francisco police can now watch private surveillance cameras in real time (The Verge)


The Senate Homeland Security and Governmental Affairs Committee holds a markup of several cybersecurity bills, including the Securing Open Source Software Act of 2022, on Wednesday at 11 a.m.

Secure log off

Thanks for reading. See you tomorrow.