The recent series of cyber attacks targeting Albanian organizations has been linked to a destructive malware named No-Justice, according to cybersecurity firm ClearSky. This Windows-based malware is designed to incapacitate the operating system in a way that prevents it from being rebooted. The attacks have been attributed to an Iranian psychological operation group known as Homeland Justice, which has been active since July 2022 and has been specifically targeting Albania.
After a hiatus, the adversary re-emerged on December 24, 2023, declaring its intention to “destroy supporters of terrorists” in a campaign labeled #DestroyDurresMilitaryCamp. The city of Durrës in Albania, which hosts the dissident group People’s Mojahedin Organization of Iran (MEK), was a focal point of the attack. Notable targets included ONE Albania, Eagle Mobile Albania, Air Albania, and the Albanian parliament.
The primary tools utilized during the cyber campaign were an executable wiper called No-Justice (NACL.exe) and a PowerShell script. The wiper, a 220.34 KB binary, requires administrator privileges to erase data by removing the boot signature from the Master Boot Record (MBR), effectively rendering the operating system inaccessible.
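As an added illustration of the integrity check a responder or forensic analyst would run against a captured first sector (this is example code, not ClearSky's analysis or anything from the page), the following Python parses a 512-byte MBR, verifies that the 0x55AA boot signature at offset 510 is present, and lists the partition entries so that a sector whose signature is gone can be flagged. The sample sector is constructed inline, and the "missing signature" copy only simulates the effect the article describes for the purpose of exercising the check.

```python
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries live at 446..509
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510         # the two-byte boot signature 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Report whether the boot signature is intact and decode the partition table."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    signature_ok = sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == BOOT_SIGNATURE
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"index": index, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": signature_ok, "partitions": partitions}


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: one bootable NTFS-type (0x07) partition, valid signature."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return b"\x00" * PARTITION_TABLE_OFFSET + table + BOOT_SIGNATURE


def simulate_missing_signature(sector: bytes) -> bytes:
    """Constructed test input: same sector with the boot signature bytes zeroed."""
    return sector[:SIGNATURE_OFFSET] + b"\x00\x00"


def describe(sector: bytes) -> str:
    """Human-readable verdict for a sector, e.g. for a triage report."""
    info = parse_mbr(sector)
    state = "intact" if info["signature_ok"] else "MISSING (disk will not boot)"
    return f"boot signature {state}; {len(info['partitions'])} partition entry(ies) still present"


if __name__ == "__main__":
    healthy = build_sample_mbr()
    print("healthy sector:", describe(healthy))
    print("damaged sector:", describe(simulate_missing_signature(healthy)))
```

Note that the partition table survives in the damaged copy, which is why the check keys on the signature bytes rather than on whether entries are present.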
Additionally, legitimate tools such as Plink (PuTTY Link), RevSocks, and the Windows 2000 resource kit were employed to facilitate activities like reconnaissance, lateral movement, and persistent remote access during the attack.
The rise of pro-Iranian threat actors like Cyber Av3ngers, Cyber Toufan, Haghjoyan, and YareGomnam Team has been observed, with a focus on Israel and the U.S. amid ongoing geopolitical tensions in the Middle East. These groups, adopting a narrative of retaliation, target U.S. entities using Israeli technology, attempting to achieve a dual retaliation strategy against both Israel and the U.S.
Cyber Toufan, in particular, has been implicated in numerous hack-and-leak operations targeting over 100 organizations. These operations involve wiping infected hosts and releasing stolen data on their Telegram channel, causing significant damage to the targeted entities. The Israel National Cyber Directorate (INCD) reported tracking approximately 15 hacker groups associated with Iran, Hamas, and Hezbollah, operating maliciously in Israeli cyberspace since the Israel-Hamas war in October 2023. The tactics employed by these groups, including psychological warfare and wiper malware, bear similarities to those used in the Ukraine-Russia war, with the aim of destroying sensitive information.