Albania reels from Iran’s cyberattacks
TIRANA, Albania — Customers at one of Albania’s biggest banks got a shock shortly before Christmas when a curt text popped up on their cellphones: “Your account has been blocked. The balance of your account is zero. Thank you.”
The messages, which turned out be fake, signaled the opening of a disruptive new front in what Albanian authorities, the United States and NATO have identified as an enormous cyberattack orchestrated by Iran on one of the weakest members of the military alliance.
“It is an attack — an aggression against the sovereignty of one country by another state,” Prime Minister Edi Rama said in an interview in Tirana, the Albanian capital, calling the assaults “absolutely the same as a conventional military aggression, only by other means.”
The onslaught has swept Albania, a Balkan nation with fewer than 3 million people, into a maelstrom of uncertainty and plunged it into big geopolitical battles involving Iran, Israel and the United States.
The reason for the attacks, which began with a stealthy penetration of government servers in 2021 but started causing visible disruption only last year, appears to be Albania’s sheltering of Mujahedeen-e-Khalq, known as MEK, a secretive Iranian dissident group, on its soil.
Also playing a role are the polarized politics of Washington, where prominent Republican hawks on Iran have been strong backers of MEK’s.
Hired by the Albanian government to investigate, Microsoft, in a report on the attack, attributed it with “high confidence” to “actors sponsored by the Iranian government,” identifying MEK as the “primary target.” The campaign against Albania, the report added, was probably “retaliation for cyberattacks Iran perceives were carried out by Israel” and MEK.
A logo stamped on confidential Albanian documents leaked by the attackers features an eagle preying on the symbol of a hacking group known as Predatory Sparrow — which Iran blames for attacks on its own computer networks — inside a Star of David.
Predatory Sparrow has claimed responsibility for a number of sophisticated attacks against Iranian targets, including the state broadcasting company.
Albania, which has a large, mostly secular Muslim population, severed relations with the Islamic Republic of Iran in September, expelling its diplomats in response to what experts say is the most disruptive cyberattack in Europe on a NATO member since 2007, when Russia assailed computer networks in Estonia.
The attack on Albania has not only disrupted the government’s work and sought to undermine trust in financial institutions — a grave threat in a country that tipped into civil war in 1997 after fraudulent investment funds collapsed — but it has also involved the leak of a vast trove of confidential information.
Leaked data includes the names and addresses of more than 1,000 undercover police informants; the email traffic of the head of the intelligence service, a former president and the former chief of police; and the banking information for more than 30,000 people.
The gravity of the sprawling assault has posed a tricky test for NATO, of which Albania is a member and enjoys protection under the alliance’s commitment to collective defense. (NATO says there was no effect on its networks or military operations.) Albania has been a member since 2009, one of 14 formerly Communist countries to join.
Article 5, the cornerstone of the alliance, says “an armed attack” against any of the allies in Europe or North America “shall be considered an attack against them all.”
But cyberattacks, Rama said, are a different form of aggression, and, in terms of doctrine, “events are running ahead of us when it comes to” them. Because of this, he said, Albania has not invoked Article 5. “How does the alliance respond? By attacking the defined country through cyber, by using military means or by what?” he said.