Security Experts:

US Slaps Fresh Sanctions on Iran over Albania Cyberattacks

The U.S. Treasury Department on Friday slapped a fresh round of sanctions against entities in Iran for engaging in destructive cyberattacks against critical infrastructure targets in allied NATO countries.

The new sanctions designate Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence for engaging in cyber-enabled activities against the United States and its allies, the government said in a statement. 

“Since at least 2007, the MOIS and its cyber actor proxies have conducted malicious cyber operations targeting a range of government and private-sector organizations around the world and across various critical infrastructure sectors,” the Treasury Department said, pointing to the disruptive cyberattacks that hit Albanian public services earlier this year.

“In July 2022, cyber threat actors assessed to be sponsored by the Government of Iran and MOIS disrupted Albanian government computer systems, forcing the government to suspend online public services for its citizens,” the government said, accusing Iran of disregarding norms in state-related cyber activity.

[ READ: Microsoft: Multiple Iranian Groups Conducted Cyberattack on Albanian Gov ]

The department said Tehran failed to adhere to a norm on refraining from damaging critical infrastructure that provides services to the public.

“We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian Nelson.

The Treasury Department warned that Iran’s MOIS, under the leadership of Esmail Khatib, directs several networks of cyber threat actors involved in cyber espionage and ransomware attacks in support of Iran’s political goals. 

“In addition to conducting malicious cyber activity that affected Albanian government websites, MOIS cyber actors were also responsible for the leaking of documents purported to be from the Albanian government and personal information associated with Albanian residents,” the U.S. government said. 

“MOIS carries out cyber espionage and disruptive ransomware attacks on behalf of the Iranian government in parallel with the other Iranian security service the IRGC," John Hultquist, VP, Mandiant Intelligence, told SecurityWeek. "They are largely focused on classic espionage targets such as governments and dissidents, and they have been found targeting upstream sources of intelligence like telecommunications firms and companies with potentially valuable PII. Furthermore, they have a history of targeting the MeK, the group at the center of the Albanian incident."

The sanctions come just days after Albania cut diplomatic ties with Iran over the July cyberattacks and NATO and the White House issued statements condemning the ransomware and wiper attacks.

Earlier this week, Hultquist said the Albanian government cutting diplomatic ties with Iran is possibly the strongest public response to a cyber attack we have ever seen. "While we have seen a host of other diplomatic consequences in the past, they have not been as severe or broad as this action," he said.

"The attack on Albania is a reminder that while the most aggressive Iranian cyber activity is generally focused in the Middle East region, it is by no means limited to it," Hultquist added. "Iran will carry out disruptive and destructive cyber attacks as well as complex information operations globally. We are especially wary of these actors as elections approach, given the aggressive posture Iran took in 2020, and we are expecting them and others to continue to harangue our elections moving forward."

Related: Disruptive Cyberattacks on NATO Member Albania Linked to Iran

Related: Albania Hires US Company to Boost Cybersecurity After Data Leak

Related: NATO Condemns Alleged Iranian Cyberattack on Albania

Related: Albania Cuts Diplomatic Ties With Iran Over July Cyberattack

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.