Albania severed its diplomatic relations with the Islamic Republic of Iran after an investigation, which, according to the government, proved that the cyber attack of July this year was orchestrated by Tehran. Security experts warn that the decision increases the risk of other cybercrimes in Albania, as the wave of such attacks has also included other countries in the Balkan region and beyond.

Esmeralda Topi

The Council of Ministers has decided, with immediate effect, to sever diplomatic relations with the Islamic Republic of Iran.” Prime Minister Edi Rama announced on September 7 through a video message on social networks. He argued that the decision to sever diplomatic relations with Iran comes after an in-depth investigation into the July 15 cyber-attack in Albania that proved the aggression was orchestrated and sponsored by the Islamic Republic of Iran.

Photo of Prime Minister Edi Rama in the video message of September 7, 2022

Respecting the 24-hour deadline set by the Albanian government, the 72 representatives of the state of Iran left Albania on the morning of September 8th. Meanwhile, the government in Iran, through the Minister of Foreign Affairs, Nasser Ka’nani, considered the accusations baseless, emphasizing the role of third parties (the USA and Israel) in Albania’s decision-making.

Embassy of Iran in Tirana, September 8, 2022

In 30 years of democracy, this is the first case that Albania decides to break relations with another country. The United States of America , the European Union , the United Kingdom as well as NATO condemned Iran’s attack and expressed support for Albania.

After this drastic decision, experts fear the risks that may follow when it comes to security.

“Personally, I think that this decision was the right decision, but in my opinion, since we have repeated cyber attacks, this should make our government take cyber security more seriously in the country, and this is the case that Albania together with the Republic of Kosovo to make a joint investment in this field. It is great luck that we have an excellent alliance with our strategic ally, the USA and not just them, which enables assistance, protection and monitoring in record time,” says for Faktoje Dr. Dritan Demiraj who served for 35 years in the Armed Forces of Albania, as well as headed the Ministry of Internal Affairs.

While security expert Fabian Zhilla says that the termination of diplomatic relations with Iran was hasty, because the decision was not accompanied by other preliminary steps.

“I say that the government’s decision is hasty, because no protective measures have been taken. Until now, we do not have a plan of measures made public.” – emphasizes Zhilla for Faktoje, adding that the termination of relations with Iran exposes us to other cyber attacks as well as subversive operations from this country.

“Our government should ask  MEK not to use the Albanian space for their internal political issues. Public officials, as well as those working in important financial institutions, should also be instructed about the risks of cyber attacks. Today, Albania is in a war situation with Iran and must be seriously prepared for it.” – concludes his comment Zhilla.

Just three days after cutting off relations with Iran, the same aggressors attacked the TIMS system, which the government said was back up and running on the morning of September 11th.

Prime Minister Edi Rama’s tweet on September 11, 2022

Faktoje addressed a request for information to the State Information Service and the Ministry of Defense asking if there is a plan of measures in such a situation.

Colonel Dritan Demiraj estimates that Albania, together with its partners, is able to cope successfully in the event of an escalation of the situation.

“I think there is a serious commitment of all the security agencies in our country together with the law enforcement agencies, the armed forces but not only, which are mobilized to the maximum to implement their constitutional mission. In case of escalation of the situation, our country has cooperation in record time with other Western countries, which at any moment can make it possible to take measures and successfully face these threats.”

For IT expert Edmond Liçaj, the cyber war that Iran has launched against Albania will be difficult for our country.

“Albania’s capacities to face such an enemy in the political, economic, cyber or any other aspect do not favor us. In my opinion, the decision was not voluntary, but requested by our partners, since we cannot come out so openly against a state and accuse it, because we do not have the capacity to defend ourselves properly,” Liçaj emphasizes for Faktoje, adding that another level of defense and tactics is required both in relation to Cyber Security and in terms of national security.

Even the journalist Lavdërim Lita, very well versed in security issues, says that under these conditions, the government should invest in the field of Cyber Security.

“First, strengthening the capacity with human resources and infrastructure of the Anti-Cyber Unit in the Armed Forces, investing in uniformed IT engineers. Second: Akshi (National Information Society Agency) should operate at the cabinet level in the government and not as an Agency under the Prime Minister’s Office. That is, an information ministry equipped with a legal framework and special infrastructure. Thirdly, due to the increase in cyber crimes, unit C in the State Police should be turned into an anti-cyber police agency, according to western models,” says Lita.

Since 2013, relations between Albania and Iran have been tense due to the decision of the Albanian government to shelter as refugees several thousand mujahedin, part of the opposition organization, MEK , with the mediation of the United States of America. Albania’s decision to sever diplomatic relations follows a series of decisions to expel civilians and diplomats from Iran in recent years.

In 2018, Iran’s ambassador in Tirana, Gholamhossein Mohammadnia , and another diplomat were declared “non grata” because, according to intelligence services, they were involved in some activities that undermined national security.

In the same year, two Iranians tried to organize an attack on the premises of the Bektashian seat during the Sultan Nowruz holiday that failed, and the perpetrators were arrested in 2019 as part of a terrorist cell.

On January 15, 2020, the Albanian authorities announced that they had ordered the expulsion from Albania of two Iranian diplomats, whom they had announced nongrata.  At that time, the Ministry for Europe and Foreign Affairs stated that Mohammad Ali Arz Peimanemati and Seyed Ahmad Hosseini Alast, had conducted “activities inconsistent with their status and the principles of the Vienna Convention on Diplomatic Relations and have been requested to leave immediately from the territory of the Republic of Albania”.

Meanwhile, on July 23, 2020, Albania expelled Dabiel Kassrae, an Iranian of Italian citizenship who was banned from staying in our country for a period of 15 years. Likewise, on October 18, 2020, Albania declared “non grata” for a period of 15 years, the Iranian, Ehsan Bidi, as he was suspected of being part of the Iranian agencies against the mujahedin community known as the MEK.

Montenegro under cyber attack for an entire month

On the 20th of August Montenegro government’s network came under strong cyber attack which is, as the country’s authorities say, still ongoing.

The whole country went into, what can be called panic mode, because nobody knew what the next target could be or who was behind these attacks.

Citizens were warned that attack is happening and the state officials came out with somewhat different stories.

Prime minister Dritan Abazović Abazovic said that this was a political attack, while National security agency said this was the work of Russian inteligence and that they fear that worse is yet to come and that water suply and electrotransmission could be next under attack.

Soon after, Minister of public administration, Maraš Dukaj, stated that cyber group – Cuba ransomware performed the attack.

“Ransomware” usually means that someone is going to ask money for the data to be given back, but no such request has been reported by now. On the other hand, the government’s decision is not to negotiate with hackers. Minister Dukaj says that all the data is safe, because there are copies. Still, minister of interior, Raško Konjević, says that some data is lost forever.

News about cyber attack in Montenegro soon reached far and wide. Since Montenegro is a western ally and NATO member, the Alliance soon offered to help. Same goes for the FBI, whose experts came to the country to assist Montenegro’s authorities.

Balkan investigative reporting network (BIRN) has reported that the attack was an “inside job”, claiming that malicious software was uploaded from one of the government’s computers.

The country is still under attack, but other than online government’s services not working, no major breach has been reported.

Still, experts in Montenegro fear that cyber attacks could damage other big state companies, such as electric power industry, or water supply. Chairman of the board of state electrical industry, Milutin Đukanović, said that all the power plants have been switched to manual.

There are no estimates on how much these cyber attacks cost the country, but the experts say that they were carefully planned and that the virus could cost anywhere from 100 thousand up to 2.5 million dollars.

For now, all we know is that some of government’s websites are working again, others are still down and  the consequences of the attack are still to be seen.

Kosovo, the target of cyber attacks

Kosovo, like other countries in the region, has become a target of cyberattacks. Since last week, in certain periods of time, government systems have been faced with a “DdoS” type cyberattack that has caused occasional obstacles in the Internet service within government institutions and occasional lack of access to some government services. The website of the Prime Minister’s Office, some ministries, that of the Kosovo Police, the e-Kosova Platform and some media have been targeted by cyberattacks.

According to the announcement by the Prime Minister’s Office, during the periods of the attack, the cyber security team from the Information Society Agency (ASHI) was maximally committed to minimize the impact of the attack on the accessibility and functionality of the services.

According to them, in cooperation with external experts and the application of adequate measures, the cyberattack was overcome and attempts to continue the attack were prevented.

After a few hours of disruption, all government services were returned to normal, as the government has declared that at no time have the data stored in the State Data Center within the Institutions of the Republic of Kosovo been compromised.

One of the main telephone companies – Kosova Telekom – also faced cyberattacks. This company has said that the IP addresses from which the attacks came have been identified, but they have not indicated the source.

The technical director at Kosova Telecom, Halil Krasniqi, stated that the attack was carried out by 30,000 unidentified computers with different IP addresses.

The attack that hit the telecom is also known as DDoS, through which fake packets are created in the network, from many computers. According to Telekom executives, the only risk was the load on the network, denying that there was an attempt to access the Telekom system, where the data of customers who receive services from this company would be at risk.

Following the mass attack, the institutions are analyzing the situation to identify where they came from. On Tuesday, the Prime Minister of Kosovo, Albin Kurti, paid an urgent visit to Tirana, where he met with the Prime Minister of Albania, Edi Rama. Among other things, they talked about the latest cyberattacks.

According to a Microsoft analysis, cyberattacks against the Government of Albania are politically motivated and behind them are actors who are connected to the Government of Iran. After the attack, Albania severed diplomatic relations with Iran, giving 24 hours to the diplomatic staff of the Embassy of this country to leave Tirana.

In order to increase the level of security, the government of Kosovo on Tuesday approved the Draft Law on Cyber Security, through which the Agency for Cyber Security is established. The draft law defines the principles of cyber security, the institutions that develop and implement the cyber security policy, as well as the responsibilities of the authorities in this field.

Whereas, cyber security experts have asked the government to urgently block all IPs from countries such as: Iran, Russia, China and North Korea.

Two Web Sites Attacked in N. Macedonia – One by Mysterious, the Other One by Well-Known Hackers 

In August 2022 the iKnow electronic support system at the St. Cyril and Methodius University (UKIM) in Skopje, North Macedonia, stopped working, and the stated reason was a hacker’s attack. This was confirmed by the IT and Computer Engineering Faculty (FINKI), tasked with the maintenance of the university’s computer systems. Couple of days after this attack, the web site of the Education and Science Ministry (MON) also stopped working.

UKIM students complained about not being able to log in to the iKnow – the university’s electronic support system and enroll the exams for the upcoming exam season.

FINKI stated that the university computer system is a victim of “Distributed Denial of Service” (DDOS) attack, type of cyber-crime that creates an overflow of fake traffic stopping the users from logging in and using the connected services and web sites.

Previously, the Facebook profile of the same university was also target of an attack. At first, there was a three hour long live video of somebody playing the League of Legends computer game. This video was then removed, but the perpetrator continued uploading somewhat funny and weird video clips. The UKIM profile on this social network does not exist anymore.

On 18. August 2022 the web site of the Education and Science Ministry (MON) was also under a hacker’s attack. For couple of hours the following message was visible on the web site’s home page: HACKED BY GREEK HACKING TEAM NETWATCHERS.

The attack caused all the pages of the web site to be inaccessible, while all the links led to a YouTube video titled Famous Macedonia. The Ministry has never explained the reasons for such a state of their web site.

Greek hackers used to attack web sites of N. Macedonia’s institutions before the signing of the so called Prespa Agreement, when the countries had a disagreement regarding the use of the name Macedonia. But, after this issue was solved, it is unusual to see such an attack once again, if the attacker is actually a Greek hacking collective and not one merely posing as originating from there.

*This content is produced as part of the regional initiative Western Balkans Anti-Disinformation Hub