A recent series of cyber attacks against Albanian entities has been linked to a destructive wiper known as No-Justice. The link comes from cybersecurity firm ClearSky, which describes the malware as a tool that leaves the operating system unable to run.
The attacks are attributed to Homeland Justice, an Iranian group active since July 2022 that concentrates on Albanian organizations. Known for its psychological warfare tactics, the group has turned its attention back to Albania after a period of inactivity.
The resurgence of this group was noticed on December 24, 2023, with a campaign dubbed #DestroyDurresMilitaryCamp, targeting the city of Durrës, known for housing the People’s Mojahedin Organization of Iran (MEK), a dissident group.
Key Albanian targets in this wave include ONE Albania, Eagle Mobile Albania, Air Albania, and the Albanian parliament. The attackers used two components: an executable wiper and a PowerShell script that spreads the wiper across the network and enables Windows Remote Management (WinRM).
The No-Justice wiper, identified as NACL.exe, is a 220.34 KB binary that needs administrative rights to wipe a machine. It does so by tampering with the Master Boot Record (MBR), the first sector of the disk, which the firmware reads to locate and start the operating system; once that sector is corrupted the machine can no longer boot.
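As an added illustration, not part of the original article or of ClearSky's analysis: the Python script below parses a 512-byte MBR and reports the structural damage a wiper that targets this sector leaves behind, namely a missing 0x55AA boot signature, a zeroed bootstrap area, or an emptied or garbled partition table. It says nothing about how NACL.exe in particular modifies the sector. The sample MBR it checks is constructed here, not taken from an affected system, and `check_disk_image` is a hypothetical helper for pointing the checker at a raw disk image.

```python
"""Check a 512-byte Master Boot Record for the structural damage a wiper leaves behind.

Added example for this article; the sample sectors below are constructed, not captured.
"""
import struct
import sys

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"        # last two bytes of an intact MBR
PARTITION_TABLE_OFFSET = 446        # bootstrap code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16
PARTITION_ENTRIES = 4


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte classic MBR partition entry.

    Layout: status(1) CHS-first(3) type(1) CHS-last(3) LBA-first(4, LE) sectors(4, LE).
    """
    status, ptype, lba_first, sectors = struct.unpack("<B3xB3xII", entry)
    return {"status": status, "type": ptype, "lba_first": lba_first, "sectors": sectors}


def check_mbr(sector: bytes) -> list[str]:
    """Return findings for the given sector; an empty list means it looks intact."""
    findings: list[str] = []
    if len(sector) != MBR_SIZE:
        return [f"sector is {len(sector)} bytes, expected {MBR_SIZE}"]

    # The firmware refuses to boot from a sector without the 0x55AA signature.
    if sector[MBR_SIZE - 2:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing: firmware will refuse to boot")

    # Bootstrap code that is entirely zero means the sector was overwritten, not merely edited.
    if not any(sector[:PARTITION_TABLE_OFFSET]):
        findings.append("bootstrap code area is all zeros")

    entries = []
    for i in range(PARTITION_ENTRIES):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entries.append(parse_partition_entry(sector[start:start + PARTITION_ENTRY_SIZE]))

    used = [e for e in entries if e["type"] != 0]
    if not used:
        findings.append("partition table is empty")

    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{e['status']:02x}")
        if e["type"] != 0 and e["sectors"] == 0:
            findings.append(f"entry {i}: type 0x{e['type']:02x} but zero length")

    # Overlapping partitions are another sign the table was garbled rather than written by a tool.
    used.sort(key=lambda e: e["lba_first"])
    for a, b in zip(used, used[1:]):
        if a["lba_first"] + a["sectors"] > b["lba_first"]:
            findings.append("partition entries overlap")
            break
    return findings


def check_disk_image(path: str) -> list[str]:
    """Hypothetical helper: check the first sector of a raw disk image or block device."""
    with open(path, "rb") as f:
        return check_mbr(f.read(MBR_SIZE))


def build_sample_mbr(intact: bool = True) -> bytes:
    """Constructed sample: minimal MBR with one NTFS partition (not from a real disk)."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (PARTITION_TABLE_OFFSET - 3)  # cli; xor ax,ax; nops
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * (PARTITION_ENTRIES - 1))
    signature = BOOT_SIGNATURE if intact else b"\x00\x00"
    return boot_code + table + signature


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_disk_image(sys.argv[1])
    else:
        # With no argument, show what a fully zeroed sector looks like to the checker.
        result = check_mbr(bytes(MBR_SIZE))
    print("MBR looks intact" if not result else "\n".join(result))
```

Run it against the first sector of a forensic copy (for example, `dd if=image.raw bs=512 count=1 of=sector0.bin` and then `python3 mbr_check.py sector0.bin`). A clean result only means the sector is structurally consistent; it does not prove the bootstrap code is the vendor's original, so compare against a known-good image where one is available.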
The attackers also used legitimate tools, including Plink (PuTTY Link), RevSocks, and utilities from the Windows 2000 Resource Kit, for reconnaissance, lateral movement, and maintaining remote access.
This attack pattern is part of a broader trend involving pro-Iranian cyber groups like Cyber Av3ngers, Cyber Toufan, Haghjoyan, and YareGomnam Team. These groups have been increasingly active against targets in Israel and the U.S., reflecting the ongoing geopolitical tensions in the Middle East.
Check Point, a cybersecurity firm, reported last month on the retaliatory narrative these groups attach to their operations. The groups often target U.S. entities that use Israeli technology, aiming to strike at both nations at once.
Cyber Toufan has been particularly active, engaging in numerous hack-and-leak operations against over 100 organizations. Their actions have led to significant data losses and operational disruptions, with some entities still struggling to recover.
The Israel National Cyber Directorate (INCD) is monitoring around 15 hacker groups with ties to Iran, Hamas, and Hezbollah. These groups have been actively engaged in Israeli cyberspace, especially since the Israel-Hamas conflict in October 2023. Their tactics bear similarities to those observed in the Ukraine-Russia conflict, utilizing psychological warfare and wiper malware.