The attacks of the last few days on the statistical data infrastructure of Albanians, INSTAT, are an alarm siren for the effectiveness of the measures taken after the cyber attack on the online portal of government services. Investigations into the attacks that brought ANA to its knees have been suspended, while only the end employees who did not update their anti-viruses are being held responsible.
The growth of new structures in cyber defense and the salaries of their employees has not been accompanied by appropriate cooperation and transparency.
By Anila Hoxha
The Christmas celebration caught the stores of the telecommunications company ‘One Albania’, one of the two national mobile operators, closed nationwide. However, if many thought it was just a day off, a few hours later, the Company would acknowledge falling prey to a massive cyber attack.
In a post on their Telegram profile a few days later, the notorious hacking group ‘Homeland Justice’ pledged to sell the compromised data from One Albania’s servers, amounting to 259 terabytes, for the value of 1 Bitcoin or approximately 40 thousand Euros. While the content has not yet been disclosed, in addition to personal data, telecommunications companies are mandated by Albanian legislation to retain call data made by their customers for a 2-year period, considering it as critical infrastructure.
On that day, ‘Homeland Justice’ group logo was displayed on the main banner of the Albanian Parliament official website, demonstrating the infiltration into the server of one of the most crucial institutions of the country. Several new attacks were announced by some second-tier banks in the country, but as of now, they have not been successful in causing any damage.
Before even two years have passed since the attacks that crippled Albanian state systems, Iranian hackers have struck again at sensitive infrastructure, prompting doubts about the effectiveness of the measures taken despite assurances from local authorities and foreign partners called in for assistance.
The opposition accuses Prime Minister Rama
Investigations are suspended due to lack of evidence
The recent cyber attacks on key Albanian institutions have already publicly exposed the personal data of Albanian citizens. Identity cards, salaries, phone numbers, or even car license plates are accessible information for anyone who requests them.
The opposition singled out the government as the perpetrator of these attacks. Opposition leaders Sali Berisha and Ilir Meta stated that this is a coordinated attack orchestrated by Edi Rama. On the other hand, the media labeled it as an attack originating from Russia in collaboration with Serbia, a version that in these reports is also associated with Russia’s aggression towards Ukraine.
On September 7, 2022, the Albanian government declared the cessation of diplomatic relations with Iran, accusing it of orchestrating the attacks in retaliation for hosting Iranian opposition figures on Albanian territory. This was accompanied by the deportation of a young Iranian with Italian citizenship from Albania.
The opposition’s accusations against Prime Minister Edi Rama have persisted into 2024. Opposition leader Sali Berisha, who is also under arrest, has alleged that Prime Minister Rama has disclosed classified information and sold it to enemies of Albania, as well as of NATO. Berisha is referring to the sale of secret TIMS data.
However, as the accusations continue, the case is under investigation by Tirana Prosecutor’s Office for four charges related to ‘unlawful interception of computer data,’ ‘interference with computer data,’ ‘interference with computer systems,’ and ‘misuse of devices,’ suspected to be orchestrated by the Iranian Revolutionary Guard and the Ministry of Intelligence of that country.
The press office at the capital’s Prosecutor’s Office confirms, in response to ‘Faktoje’s’ request, that investigations have been suspended, as an official accusation against organizers of the attack paralyzing the government online services could not be drafted. The suspension of investigations occurred as the investigative team awaits responses to the diplomatic letters sent to several countries. The file on the organized attacks in several episodes with number No.5430 has yielded only one outcome with a fraction one, concluding a segment of the investigation involving five suspected Albanian employees for abuse of duty, but unrelated to the authors of the attacks..
‘On July 15, 2022, state-sponsored Iranian cyber actors, identified as ‘Homeland Justice,’ launched a devastating cyber attack against the government of Albania, rendering websites and services inaccessible. A confidential investigation by the Partner Investigation Agency indicates that Iranian state-sponsored cyber actors gained initial access to the victim’s network approximately 14 months before initiating the devastating cyber attack, involving a ransomware-style file encoder and malware for disk wiping. The actors retained ongoing access to the network for about a year, periodically accessing and exploiting the contents of the email.
This is how Tirana Prosecutor’s Office justifies the cyber attacks against unified online government services, along with a subsequent cyber aggression in September 2022. During this attack, ‘Homeland Justice’ posted data and documents from the State Police on Telegram, which were hacked and copied from the Ministry of Interior.
For over a year, the prosecutor handling the case that encompasses all the attacks until September 2022, Bledar Valikaj, has ‘suspended’ the criminal investigation until several states respond to diplomatic letters. The administered letters reveal that after a judge disclosed the data from the computer systems and stopped further publication of the hacked documentation from AKSHI and the Ministry of Interior systems, Albania sought legal assistance from the United Kingdom, the Russian Federation, and the People’s Republic of China to prove the connections of the attackers and the dissemination of the hacked data. The responses have not been made available yet. Nevertheless, the Prosecutor in charge, Valikaj, informs ‘Faktoje’ that investigations are ongoing. “We have clarified the mechanism of the incident and the source of the attack, which, as publicly known, has Iranian origin. We cannot file criminal charges against a state because accountability is individual. We are awaiting responses to diplomatic letters, which, based on jurisdictional relations with external entities, will provide us with information to identify the individuals or the group of persons involved. Furthermore, the General Jurisdiction Prosecutor’s Office in Tirana has a court decision for the seizure and closure of this profile, from which the data obtained through hacking have been published. Given that ‘Homeland Justice’ is a domain on the Telegram network, we have also issued an enforcement order for this court decision to the Russian Federation.
The other countries to which diplomatic letters have been sent include the United Kingdom, Hong Kong, Singapore, etc. There are various states, and the identified IPs are dynamic. The responses may not be complete, but to reach a conclusion, we will cross-reference the data,” assured the Prosecutor.
Investigations in two Prosecutors’ Offices
As a national security expert, Arjan Dyrmishi emphasizes that despite the inevitability of cyber attacks, systems must be capable of preventing them. Security is compromised in three aspects: 1) the acquisition of sensitive data of citizens, administrative employees, and security institutions, 2) the acquisition of official information and documents, including classified ones, 3) the disruption of the normal functioning of the administration for a certain period, including the Police and Defense. As for the failure, it consists of the lack of preparation of the cyber governance system and cyber defense to prevent or minimize the consequences. This defense has been nonexistent for as long as the attackers penetrated the system, remaining in it for months, monitoring the system, harvesting data, and when they found it opportune, they launched an attack, denying legitimate users access to systems, including TIMS‘.
Before the cyber warfare erupted in the summer of 2022, with hackers having entered the systems a year earlier, another one since 2017 was being led by law enforcement agencies that had increased vigilance for espionage activities from Iran. The latter reached its peak in 2018 with the expulsion of the Iranian ambassador to Tirana, Golam Mohamadnia, and his intelligence chief.
Meanwhile, the accidental denunciation by a fellow citizen who reported a roommate for phone use led to the arrest of Bijan Salaman Pooladrag, a 47-year-old former member of Ashraf Camp, suspected of being recruited by the Revolutionary Guard for espionage. SPAK judicial process raised suspicions that Pooladrag was part of plans for an attack against Albania, and for this reason, after two years, in 2022, he was declared guilty of terrorist organization and committing acts with designated individuals. In fact, other individuals suspected as collaborators of Pooladrag are part of another secret investigation at SPAK, including members of the ‘ASILA’ cultural association, also under investigation, as one of the groups involved in cyber attacks.
Institutional failure, the blame solely on low-level employees
In two reports from the contracted company ‘Microsoft’ and from the American partners of the FBI, it is disclosed that Albanian institutions assigned to address cyber attacks failed in their mission. It is reported that on May 21, 2021, Iranian hackers exploited an ‘open door’ on the government website ‘www.administrata.al,’ assuming the role of a local administrator. Using compromised credentials, they exfiltrated approximately 2.7 GB of official emails from ministries and other public institutions in January 2022. The operation was carried out by four Iranian groups led by the OILRIG group (alternatively known as Europium), who also sought, with the ‘ZeroCleare’ program, to erase all government systems and databases. Reports confirm that during July 15-16, 2022, only ten percent of government systems were wiped out, fortunately restored through backup and recovery.
The only culprits for the compromise of Albanian cyber defense still remain today, only five low-level employees of AKSHI who did not update the antivirus software. Employees Albi Gjeka, Alketa Sulo, Altin Sallaku, Igli Lubonja, and Rudina Llagami are the only individuals charged with abuse of duty (Article 248 of the Penal Code). According to the Prosecutor’s Office, the decision to press charges against them is based on the findings of AKSHI, also known as the National Information Society Agency. The agency highlighted that if these employees had adhered to the information security regulations (dated 17.1.2022) by actively seeking information and updating it with the latest antivirus software, the virus that initially infected ‘administrata.al,’ implemented with SharePoint 2016 and left un-updated to the latest version, would have been detected in their systems.
In addition to their responsibilities, the investigation authorities do not clarify in the request for judgment whether their duties were abused by their superiors or not. In a document published on AKSHI’s website pertaining to 2020 and investigated by Faktoje, titled ‘Regulations of AKSHI,’ the hierarchy and responsibilities are outlined. In Article 6, it is stated that ‘for monitoring the implementation of tasks by the respective directorates, the General Director of AKSHI periodically requests written reports from their directors every week’.
The Prosecutors Office argues in its investigation another factor that has ‘orphaned’ the blame and reveals the problematic functioning of AKSHI. ‘This system, acquired through IPA funds (Pre-Accession Funds in the European Union), has not been implemented, managed, or monitored by AKSHI but has only been physically hosted near the Government Datacenter’. Therefore, as a foreign donation, the information system following ‘administrata.al,’ which paved the way for hackers to access government emails, has not received ongoing financial support and long-term maintenance responsibility.
Measures taken after the attacks of 2022
In response to the cyber attacks, the Albanian government announced the implementation of a series of measures to strengthen its cybersecurity architecture, establishing a Cyber Security Operations Center and expanding the list of critical information infrastructures and important informative infrastructures from 140 to 289 entities. This classification now covers sectors such as government institutions, energy, and healthcare, the financial/banking sector, transportation, telecommunications, water supply, etc. A national cybersecurity operations center was established within the National Authority for Electronic Certification and Cybersecurity (AKCESK), which now holds the responsibilities of the National Coordinator for Cybersecurity.
The National Agency for Information Society (AKSHI) also retains responsibility for cybersecurity incidents and crises within government communication systems. Albania has entered into cybersecurity agreements with Israel, Saudi Arabia, and the United Arab Emirates, countries that have been previously targeted and have gained experience in defending against Iranian hacker attacks.
‘However, as highlighted in the European Commission’s 2023 report on Albania, ‘Authorities must further strengthen cybersecurity capacities, including activities and training to raise awareness, as well as collaboration with the private sector and civil society’.
Nevertheless, the effectiveness of these new structures relies on their calibration and seamless collaboration to counteract emerging threats.
On June 16, 2023, AKSHI adopted regulations for email usage, assigning the Information and Communication Technology (ICT) unit the responsibility of installing and updating antivirus and antispyware programs. This serves as a correction to the previously identified issues with antivirus updates and the lacking responsibility of staff that will now be required to monitor the established systems.
Additionally, aiming to recruit and retain professionals in a highly competitive sector such as IT, the government increased salaries and other benefits for the employees of the agency. In the salary table provided to ‘Faktoje’ by AKSHI, it is observed that in addition to the salary based on categories, employees, including directors of departments, are also compensated for the level of job difficulty. At the end of 2023, the gross salary for a department director reached approximately 249,237.48 ALL (around 2400 euro), including around 160,000 ALL (around 1540 euro) as additional compensation for job difficulty. A salary which stands at the upper level of public administration in Albania.
Another known institution, the National Authority for Electronic Certification and Cybersecurity (AKCESK), responsible for cybersecurity measures and serving as the central contact point at the national level, was seemingly the main beneficiary of the shift in focus following the cyberattacks of 2022.
In response to the request for information, AKCESK acknowledges that ‘to enhance cybersecurity in the country and protect critical structures, based on the order no. 32, dated March 16, 2023, of the Prime Minister, the new structure of AKCESK has been approved. Through this, the structure of the National Cybersecurity Center (SOK) has been established. It results that the number of employees has tripled from 24 to 85 employees.
In the context of this new structure of AKCESK and the necessary recruitments, it is evident that new salaries were approved for this institution. The General Director, for instance, receives a gross salary of 967,908 ALL (around 9320 euro), while the Deputy General Director has a salary of 436,550 ALL (around 4203 euro). The salaries of specialists responsible for monitoring and responding to incidents vary from 196,440 to 274,080 ALL (around 1891 -2639 euro).
‘Faktoje’ inquired about the recruitment procedures with AKCESK, claiming that the salary increases were related to them. However, the response received was that AKCESK conducts these procedures through public announcements. Based on the investigation, it appears that in some instances, the recruitment criteria are not aligned with the required expertise in the field of cybersecurity, such as the case of the deputy general director, who simultaneously holds a position as one of the directors of the directorates. According to the law, in the absence of the General Director, the authorization for decision-making falls to the Deputy General Director. High salaries through this preferential recruitment process risk becoming an issue for filling the structure of this important institution with the necessary professionals.
But is cybersecurity benefiting more products from these highly-paid employees? Based on information from this Security Operations Center (SOC) at AKCESK, consisting of 30 employees, it is responsible for monitoring only 6 critical infrastructures in the country and lacks proactive measures to prevent and manage real-time cyberattacks and incidents. This is because AKCESK lacks technical access to critical public and private information systems in sectors such as energy, communication and transportation, etc. This technical expertise is reportedly maintained by another operational center, the Government Operational Security Center within AKSHI, which is essential for safeguarding against potential attacks on government systems.
The lack of competence for interventions is also acknowledged by AKCESK, which, in its official response, refers to the functional law. This law stipulates the ‘approval of security and control measures for their implementation and, under no circumstances, grants the authority to carry out preventive, responsive, and management actions for incidents’.
It also appears that more than a year and a half after the cyber attacks, AKCESK has not yet completed the reporting on cyber incidents. In response to Faktoje’s information request, AKCESK officially stated that ‘these reports contain information related to the affected critical systems, vulnerabilities exploited by attackers, attack techniques and tactics, and other sensitive data, the publication of which poses a threat to the security of critical and important information structures and to the national security of the Republic of Albania. Furthermore, AKCESK adds that ‘due to the highly sensitive information contained in the reports on the analysis of cyber incidents, these reports cannot be made public’.
However, one of the AKCESK employees, under the condition of anonymity, stated that the report should be made public by analyzing the weaknesses of the systems, as highlighted by AKSHI and Microsoft. Moreover, there is a need for proper awareness and increased collaboration among both public and private entities, as identified as a weak point in the annual report of the European Commission. ‘It is an obligation to inform the public following the example of the American CISA, ENISA, EU, etc., about the nature of incidents, their impact on citizens, the measures taken, and malicious actors. This can be done by anonymizing sensitive data”– explained another employee to ‘Faktoje’.
The recent cyber attacks by Iranian hackers on the Parliament’s website and the “One Albania” company serve as an alarm signal that there is still much work to be done to ensure an impenetrable cyber defense.
