Since July 2022, when the Albanian government notified the public about cyber attacks against its systems, Homeland Justice has presented itself as the cause of these attacks. Since then, it has become the Albanian media’s primary source for details of the data they say they have stolen in the past 14 months. Even if the information they publish is “true”, they are part of the propaganda launched by the government of Iran with the help of the so-called Homeland Justice group.
Homeland Justice’s website and telegram are regularly monitored by local journalists who publish any statement (whether mocking or threatening) and circulate the data received by Homeland Justice on their servers. A search made on several Albanian portals shows that there are dozens and in some cases even hundreds of articles that cite Homeland Justice as the source of their information.
Source : Ora News
Almost every week, portals and news agencies publish data obtained from Homeland Justice presenting it as true, but without providing context.
Source : Dosja
The government itself has opposed this reckless use of information released by Homeland Justice, considering it a risk to national security. In September of this year, the Prosecutor’s Office forbade the media to distribute information obtained by Homeland Justice, a decision that the media and national and international journalism organizations opposed , calling it an attempt to censor the Albanian media.
But who is Homeland Justice and how true are the information and data they say they have got from the attack on various servers of the Albanian state?
Much of the information needed to verify the exact origin and authenticity of their statements is unavailable for reasons of national and international security. However, two reports published in September, the first by Microsoft and the second by the US Cyber Infrastructure Security Agency ( CISA ) in collaboration with the FBI, confirm that most likely the data that Homeland Justice regularly publishes on its website are stolen (and in this sense true). However, this does not mean that they should be used and distributed indiscriminately.
Origins and History of Homeland Justice
Both the Microsoft report and the CISA report confirm that a group of hackers originating from Iran had managed to get into the Albanian government servers by stealing data from them, an attack that paralyzed government services in July and September. According to reports, this attack occurred in several stages, as the group had infiltrated government systems as early as May 2021, where they remained for the next 14 months collecting data, mostly from emails. “Microsoft confirmed with medium confidence that the first ones who gained access and obtained data during the attack are linked to EUROPIUM, a group that is directly linked to Iran’s Ministry of Intelligence and Security (MOIS).”
Source : Microsoft report
According to the same report, in the period October 2021-January 2022, the group continued to collect emails, but did not begin to move towards a crippling attack on the systems until May and June 2022, according to CISA.
“In the period May-June 2022, Iranian cyber agents began to take more direct actions, creating an impression of the Albanian government’s network and stealing credentials to enter these systems. In July 2022, agents released a * ransomware (viruses by which the computer system that enables the company’s operation is blocked until a ransom is paid) to the servers, publishing messages against MEK on desktops. When the network security identified and began to respond to ransomware activity, cyber agents released a * malware (programs that are not authorized by the party running them unknowingly. In most cases these programs have malicious intent.) destructive program called ZeroCleare,” according to the report.
Source : CISA report
This malware was responsible for paralyzing the Albanian government’s servers, and similar actions paralyzed the TIMS system in September, after the Albanian government severed diplomatic relations with Iran.
But the attack on the cyber infrastructure of the Albanian state was not the only action of this group that calls itself Homeland Justice. Different sources from the United States have stated in the first investigations that this attack is directed at Albania as a result of the latter’s decision to give shelter to the Muahedin e-Khalq group, also known as the MEK, which Iran considered terrorist and dangerous. According to the Microsoft report, the message and targets indicate that Tehran most likely used these attacks in response to cyberattacks that Iran believes were carried out by Israel and the MEK .
It was no coincidence that the first attack on the Albanian state in the middle of July 2022 happened just a few days before MEK representatives were preparing for a meeting in Albania. The meeting was canceled following the recommendations of the US which considered it high risk for a terrorist attack by Iran.
Considering the purpose of this attack, which can be seen both as a message against the MEK and a warning to the Albanian government, it was necessary for the government of Iran and the attacking group to be able to build a narrative according to their interests. And this narrative was made possible precisely by the presence of the website Homeland Justice, as well as the various online accounts of this group on Twitter and Telegram.
“In June 2022, HomeLand Justice created a website and several social media profiles where they posted anti-MEK messages. On July 23, 2022, Homeland Justice posted videos of cyber attacks on their website. From late July to mid-August 2022, social media accounts associated with Homeland Justice began advertising that they had information obtained from the Albanian government to share. They distributed polls asking readers to choose what information they wanted Homeland Justice to publish, and then published that information,” the CISA and FBI report states.
Source : CISA report
Even Microsoft’s report considers it an important fact that Homeland Justice wanted to control the narrative of its own attacks. Two important points from this report confirm CISA’s investigations:
“Before and after Homeland Justice launched its messaging campaign, social media accounts and a group of Iranian and Albanian nationals known for their pro-Iranian and anti-MEK views promoted the general points of the campaign launched by Homeland and reinforced the information published by Homeland Justice’s online accounts. The parallel promotion of the Homeland Justice campaign and its central themes by these entities in the online space – before and after the cyberattack – suggests a broad-based information operation intended to amplify the impact of the attack.”
Source : Microsoft
Both reports published at the request of the Albanian government (Microsoft) and the United States (CISA) show that the Homeland Justice website was created precisely to ensure the distribution of information against the MEK and to blackmail the Albanian government. Even if the information they publish is “true”, they are part of the propaganda launched by the government of Iran with the help of the so-called Homeland Justice group. Therefore, the media coverage of their mocking and threatening messages and the materials they publish almost every week requires special care as to how it can be used to aid the campaign launched by the government of Iran.
Edited by: Viola Keta & Aimona Vogli