U.S. Conducts First Defensive Cyber Operation in Albania Following Major Attack

Cybersecurity experts from the U.S. Cyber National Mission Force (CNMF) recently conducted their first-ever defensive cyber operation in Albania in collaboration with the National Agency for Information Society (AKSHI) to identify, monitor, and analyze adversary tactics, techniques, and procedures. This operation came after Albania was targeted by Iranian cyber actors in July and September of 2022. U.S. operators worked closely with Albanian cyber partners over the course of three months to identify vulnerabilities and hunt for malicious cyber activity.

Hunt Forward Operations enable countries to better understand shared threats and enhance the security of critical networks. These defensive missions are conducted collaboratively with partner nations, including elite military and federal civilian cyber operators from CYBERCOM.

During the operation, U.S. operators sit side-by-side with host nation counterparts, hunting only on those networks the partner has identified and provided access to.

You might want to read:

Through the Hunt Forward Operations, U.S. cyber operators provided technical findings to the Government of Albania, enabling the partner to take steps toward bolstering their network defense.

In addition to strengthening U.S. cybersecurity, Hunt Forward Operations also develop and build strategic relationships with key allies and partners, enhancing their cybersecurity posture and making it more difficult for foreign adversaries to operate on networks globally.

Hunt Forward Operations enable cybersecurity experts to observe and mitigate threats that are undetected on a network or system.

While the U.S. team does not mitigate threats on partner networks, they enable their counterparts to pursue and address the threats found. By sharing information, the cybersecurity posture of partners and allies is improved, protecting networks and critical infrastructure against shared threats.

The Hunt Forward Operations have proven to be a successful cybersecurity defense activity, with CNMF deploying 44 times to 22 countries and conducting hunt operations on nearly 70 networks around the world since 2018.

Also read:

Through these operations, the partnerships built have enabled better cyber defense, strengthening the ability to defend nations against shared threats. As Major General William J. Hartman, commander of Cyber National Mission Force, stated, “these relationships are key to protecting our networks and critical infrastructure against shared threats.”


The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Cybersecurity Advisory to inform the public about recent cyber operations that targeted the Government of Albania in July and September 2022.

The advisory provides a detailed timeline of the observed activities, including the initial access to the network and the execution of encryption and wiper attacks.


In July 2022, Iranian state cyber actors who identified themselves as “HomeLand Justice” carried out a destructive cyber attack against the Government of Albania.

The attack rendered several websites and services unavailable, and the FBI investigation indicates that Iranian state cyber actors had acquired initial access to the victim’s network about 14 months before the attack.

The cyber attack included a ransomware-style file encryptor and disk wiping malware. The actors maintained continuous network access for about a year, periodically accessing and exfiltrating e-mail content.

Between May and June 2022, Iranian state cyber actors conducted lateral movements, network reconnaissance, and credential harvesting from Albanian government networks.

In July 2022, the actors launched ransomware on the networks, leaving an anti-Mujahideen E-Khalq (MEK) message on desktops. When network defenders identified and began to respond to the ransomware activity, the cyber actors deployed a version of ZeroCleare destructive malware.

In June 2022, HomeLand Justice created a website and multiple social media profiles posting anti-MEK messages. On July 18, 2022, HomeLand Justice claimed credit for the cyber attack on Albanian government infrastructure.

On July 23, 2022, Homeland Justice posted videos of the cyber attack on their website. From late July to mid-August 2022, social media accounts associated with HomeLand Justice demonstrated a repeated pattern of advertising Albanian Government information for release, posting a poll asking respondents to select the government information to be released by HomeLand Justice, and then releasing that information—either in a .zip file or a video of a screen recording with documents.

In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar tactics, techniques, and procedures (TTPs) and malware as the cyber attacks in July.

Destructive cyber attack against Government of AlbaniaJuly 2022Iranian state cyber actors (“HomeLand Justice”)Ransomware-style file encryptor, disk wiping malware
Lateral movements, network reconnaissance, and credential harvestingMay – June 2022Iranian state cyber actorsLateral movements, network reconnaissance, credential harvesting
Ransomware attack on Government of AlbaniaJuly 2022Iranian state cyber actors (“HomeLand Justice”)Ransomware, ZeroCleare destructive malware
Anti-MEK propaganda on social mediaJune – July 2022HomeLand JusticeCreating a website and multiple social media profiles
Release of Albanian government informationLate July – Mid August 2022HomeLand JusticeAdvertising government information, posting polls, releasing information
Another wave of cyber attacksSeptember 2022Iranian cyber actorsSimilar tactics, techniques, and procedures (TTPs) and malware as the attacks in July
Iranian cyber attacks on Albania

These attacks were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran. The FBI and CISA urge organizations to review the technical details provided in the Cybersecurity Advisory, assess their networks for any indicators of compromise (IoCs), and follow best practices to mitigate the risk of cyber threats.

Share This Message