The Balkan state of Albania is severing diplomatic ties with Iran over an alleged cyberattack that investigators traced back to the Islamic Republic.
Prime minister Edi Rama’s administration ordered all Iranian diplomats and staff from the capital Tirana within 24 hours, citing a 15 July attack on the digital infrastructure of Albania, a Nato member.
In a speech, Mr Rama said that a weeks-long investigation of the attack led to Tehran.
“Without a shadow of doubt, the July 15 attack on Albania was not an individual operation or a concerted action by independent criminal groups, but a state-sponsored aggression,” he said, adding that investigators uncovered “indisputable evidence” that Iran had “orchestrated and sponsored” the attack through four groups.
Iran has yet to respond to the allegations.
Though Russia and China have repeatedly seen relations with other countries strained in part because of alleged nefarious internet operations, the breach between Tirana and Tehran may mark the first time that a country has taken such a drastic step over a cyberattack.
“This is one of the most robust responses that we’ve seen to a cyberattack in many years,” said Toby Lewis, global head of threat analysis at Darktrace, a security firm. “It’s the first time I’ve seen this level of escalation.”
Mr Rama acknowledged that Albania’s response was “extreme” but described it as “fully proportionate to the gravity and risk of the cyberattack that threatened to paralyse public services, erase digital systems and hack into state records, steal government intranet electronic communication and stir chaos and insecurity in the country.”
Even as most first suspected Russia, the cybersecurity firm Mandiant alleged in a 4 August report that Iran was the likely culprit behind the 15 July attack, citing the types of hacking tools used and their appearance during previous operations.
In a statement, the US said it had a role in the investigation and condemned the attack, vowing to “take further action to hold Iran accountable” for threatening the security of a Nato ally.
“Iran’s conduct disregards norms of responsible peacetime state behaviour in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public,” said White House National Security Council spokesperson Adrienne Watson.
Both Iran and the US’s partner Israel have been accused of launching cyberattacks against each other’s civilian infrastructure, hitting ports, water facilities, and dating websites.
Iran’s ambassador and three other diplomats have been expelled in recent years over allegations of disruptive behaviour and espionage.
Tehran has had tense relations with Tirana since Albania agreed to shelter 3,000 members of a formerly armed Iraq-based opposition group under a deal arranged by the US in 2014.
The group, known as the Mujahedin-e-Khalq or MEK, has used mysteriously procured funds to set up a vast compound west of Tirana, where it operates an online propaganda operation targeting the Iranian regime as well as independent scholars and journalists.
The group, which has recruited senior western politicians as champions, was due to hold a conference in Albania on 23 July, a week before the cyber attack. The event was abruptly canceled on 22 July by organisers citing a fear of terrorist attacks.
Since the US and Israel launched the Stuxnet virus attack on Iran’s nuclear programme in 2010, Tehran has stepped up its own cyberwarfare activities in an escalating cycle of tit-for-tat operations.
Mr Rama described the 15 July attack as a failure that caused minimal damage to Albania. He claimed that one of the groups allegedly used by Tehran to attack Albania had been involved in previous operations against Israel, Saudi Arabia, the United Arab Emirates, Jordan, Kuwait and Cyprus.
Iran allegedly used third parties to launch the attacks, but Mr Rama’s forceful response suggests intelligence services had a hand in tracing those groups to Tehran.
“If you look at attacks by Iran in their past you start to see a much greater use of contractors and private sector organisation,” said Mr Lewis. “That final connection that links these organisations to the Iranian regime is the tricky bit. That’s a harder leap to make it and tends to come from the intelligence community.”
Mr Rama said Albania’s Nato allies had been informed of the investigation.
Albania has struggled to shore up its cyber defences.
In 2018, The Independent reported that the country was inadvertently posting sensitive information about its own intelligence service officers online.
In December, Mr Rama publicly apologised after the government accidentally leaked the private information of hundreds of thousands of citizens.