On July 15, 2022, threat actors working on behalf of the government of Iran launched a destructive attack targeting the Albanian government’s websites and public services, taking them offline. The attack had less than 10% total impact on the customer environment.

The campaign consisted of four different stages, with different actors responsible for every one of them: DEV-0861 performed initial compromise and data exfiltration, DEV-0166 stole data, DEV-0133 probed the victim’s infrastructure, and DEV-0842 deployed ransomware and wiper malware.

According to Microsoft, the threat actors engaged in gaining initial access and exfiltrating data are likely associated with EUROPIUM, a threat actor publicly linked to Iran’s Ministry of Intelligence and Security (MOIS).