Analytics Story: CISA AA22-264A

Description

Iranian State Actors Conduct Cyber Operations Against the Government of Albania.

Why it matters

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released this joint Cybersecurity Advisory to provide information on cyber operations against the Government of Albania in July and September 2022. The advisory gives a timeline of the activity observed, from initial access through to the execution of encryption and wiper attacks. Additional information on the files the actors used during their exploitation of and attack against the victim organization is provided in Appendices A and B of the advisory. In September 2022, Iranian cyber actors launched a second wave of attacks against the Government of Albania using TTPs and malware similar to those seen in July, likely in retaliation for Albania's public attribution of the July attacks and its severing of diplomatic ties with Iran.

Detections

Name | Technique | Type
Windows Suspicious Child Process Spawned From WebServer | Web Shell | Anomaly
Attacker Tools On Endpoint | OS Credential Dumping, Match Legitimate Resource Name or Location, Active Scanning | TTP
Deleting Shadow Copies | Inhibit System Recovery | TTP
Dump LSASS via comsvcs DLL | LSASS Memory | TTP
Exchange PowerShell Module Usage | PowerShell | TTP
Web or Application Server Spawning a Shell | External Remote Services, Exploit Public-Facing Application | TTP
Windows System File on Disk | Exploitation for Privilege Escalation | Hunting
Windows Raw Access To Master Boot Record Drive | Disk Structure Wipe | TTP
Excessive Usage Of Taskkill | Disable or Modify Tools | Anomaly
Windows Possible Credential Dumping | LSASS Memory | TTP
Windows DisableAntiSpyware Registry | Disable or Modify Tools | TTP
Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | TTP
Windows Raw Access To Disk Volume Partition | Disk Structure Wipe | Anomaly
Windows Event Log Cleared | Clear Windows Event Logs | TTP

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 9 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 1102 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log System 104 | Windows | XmlWinEventLog | XmlWinEventLog:System

Source: GitHub | Version: 2