HomeLand Justice was a disruptive campaign involving the use of ransomware, wiper malware, and sensitive information leaks conducted by Iranian state cyber actors against Albanian government networks in July and September 2022. Initial access for HomeLand Justice was established in May 2021 as threat actors subsequently moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the attacks. Responsibility was claimed by the "HomeLand Justice" front whose messaging indicated targeting of the Mujahedeen-e Khalq (MEK), an Iranian opposition group who maintain a refugee camp in Albania, and were formerly designated a terrorist organization by the US State Department.[1][2][3] A second wave of attacks was launched in September 2022 using similar tactics after public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.[3]
| ID | Name | Description |
|---|---|---|
| G1001 | HEXANE | HEXANE probed victim infrastructure in support of HomeLand Justice.[2] |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | During HomeLand Justice, threat actors used WMI to modify Windows Defender settings.[2] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | During HomeLand Justice, threat actors renamed ROADSWEEP to GoXML.exe and ZeroCleare to cl.exe.[3][1] |
| Enterprise | T1190 | Exploit Public-Facing Application | For HomeLand Justice, threat actors exploited CVE-2019-0604 in Microsoft SharePoint for initial access.[3] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | During HomeLand Justice, threat actors used the PowerShell cmdlets New-MailboxSearch and Get-Recipient for discovery.[3][2] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | During HomeLand Justice, threat actors used Windows batch files for persistence and execution.[3][2] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | During HomeLand Justice, threat actors modified and disabled components of endpoint detection and response (EDR) solutions, including Microsoft Defender Antivirus.[2] |
| Enterprise | T1562.002 | Impair Defenses: Disable Windows Event Logging | During HomeLand Justice, threat actors deleted Windows event and application logs.[2] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | During HomeLand Justice, threat actors dumped LSASS memory on compromised hosts.[3] |
| Enterprise | T1486 | Data Encrypted for Impact | During HomeLand Justice, threat actors used ROADSWEEP ransomware to encrypt files on targeted systems.[1][3][2] |
| Enterprise | T1078 | Valid Accounts | During HomeLand Justice, threat actors used a compromised Exchange account to search mailboxes and create new Exchange accounts.[3] |
| Enterprise | T1078.001 | Valid Accounts: Default Accounts | During HomeLand Justice, threat actors used the built-in administrator account to move laterally using RDP and Impacket.[2] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | For HomeLand Justice, threat actors used .aspx web shells named pickers.aspx, error4.aspx, and ClientBin.aspx to maintain persistence.[3][2] |
| Enterprise | T1570 | Lateral Tool Transfer | During HomeLand Justice, threat actors initiated a process named Mellona.exe to spread the ROADSWEEP file encryptor and a persistence script to a list of internal machines.[3] |
| Enterprise | T1114.002 | Email Collection: Remote Email Collection | During HomeLand Justice, threat actors made multiple HTTP POST requests to the Exchange servers of the victim organization to transfer data.[3] |
| Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | During HomeLand Justice, threat actors used a version of ZeroCleare to wipe disk drives on targeted hosts.[3][2] |
| Enterprise | T1046 | Network Service Discovery | During HomeLand Justice, threat actors executed the Advanced Port Scanner tool on compromised systems.[3][2] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | During HomeLand Justice, threat actors used tools including Advanced Port Scanner, Mimikatz, and Impacket.[3][2] |
| Enterprise | T1588.003 | Obtain Capabilities: Code Signing Certificates | During HomeLand Justice, threat actors used tools with legitimate code signing certificates.[3] |
| Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | During HomeLand Justice, threat actors used custom tooling to acquire tokens using |
| Enterprise | T1087.003 | Account Discovery: Email Account | During HomeLand Justice, threat actors used compromised Exchange accounts to search mailboxes for administrator accounts.[3] |
| Enterprise | T1098.002 | Account Manipulation: Additional Email Delegate Permissions | During HomeLand Justice, threat actors added the |
| Enterprise | T1105 | Ingress Tool Transfer | During HomeLand Justice, threat actors used web shells to download files to compromised infrastructure.[2] |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | During HomeLand Justice, threat actors primarily used RDP for lateral movement in the victim environment.[3][2] |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | During HomeLand Justice, threat actors used SMB for lateral movement.[3][2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | During HomeLand Justice, threat actors used HTTP to transfer data from compromised Exchange servers.[3] |
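Several of the behaviours in the table above (renamed binaries, Defender tampering through WMI, cleared event logs, web shells on Exchange/IIS hosts) leave host telemetry that a detection engineer can match on. The following Python is an added example for this page, not code from MITRE ATT&CK or from any cited report: it runs a small set of rules over constructed Sysmon and Windows event records and maps each hit to the technique ID from the table. The sample events are invented for the example (including the `OriginalFileName` values); the field names follow Sysmon Event ID 1, and Security 1102 / System 104 are the standard "log cleared" events. `WmiPrvSE.exe` is the WMI provider host and `w3wp.exe` the IIS worker process, so a shell spawned by either is treated as suspicious.

```python
import ntpath
from typing import Any

Event = dict[str, Any]

# Constructed sample telemetry for the example (not real data). Field names
# follow Sysmon Event ID 1 (process creation) and the Security/System channels.
SAMPLE_EVENTS: list[Event] = [
    # Renamed binary: on-disk name does not match the PE's OriginalFileName
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\Temp\cl.exe", "OriginalFileName": "wiper.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\Temp\cl.exe"},
    # PowerShell launched by the WMI provider host, turning off Defender real-time protection
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    # Security audit log cleared
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "Administrator"},
    # IIS worker process spawning a command shell (web shell pattern)
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # Benign process creation; should produce no hits
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    # System log cleared
    {"Channel": "System", "EventID": 104, "SubjectUserName": "Administrator"},
]

WMI_HOST = "wmiprvse.exe"
IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
LOG_CLEARED = {("Security", 1102), ("System", 104)}
# Both tokens must appear in the command line to count as Defender tampering.
DEFENDER_TAMPER = ("set-mppreference", "disablerealtimemonitoring")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def detect(events: list[Event]) -> list[dict[str, Any]]:
    """Return one hit per (event, technique) pair; the event index is kept for triage."""
    hits: list[dict[str, Any]] = []
    for idx, ev in enumerate(events):
        chan, eid = ev.get("Channel", ""), ev.get("EventID")

        # T1562.002: Windows event logging disabled / logs cleared
        if (chan, eid) in LOG_CLEARED:
            hits.append({"technique": "T1562.002", "event": idx,
                         "reason": f"event log cleared ({chan} {eid})"})
            continue

        if eid != 1 or "Sysmon" not in chan:
            continue  # only process-creation events are inspected below

        image = _base(ev.get("Image", ""))
        parent = _base(ev.get("ParentImage", ""))
        orig = ev.get("OriginalFileName", "").lower()
        cmd = ev.get("CommandLine", "").lower()

        # T1036.005: file name on disk differs from the compiled-in original name
        if orig and orig != image:
            hits.append({"technique": "T1036.005", "event": idx,
                         "reason": f"{image} has OriginalFileName {orig}"})

        # T1047: interpreter spawned by the WMI provider host
        if parent == WMI_HOST and image in SHELLS:
            hits.append({"technique": "T1047", "event": idx,
                         "reason": f"{image} spawned by {parent}"})

        # T1562.001: Defender real-time protection disabled via Set-MpPreference
        if all(tok in cmd for tok in DEFENDER_TAMPER):
            hits.append({"technique": "T1562.001", "event": idx,
                         "reason": "Set-MpPreference -DisableRealtimeMonitoring"})

        # T1505.003: IIS worker process launching a shell
        if parent == IIS_WORKER and image in SHELLS:
            hits.append({"technique": "T1505.003", "event": idx,
                         "reason": f"{image} spawned by {parent}"})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"event {hit['event']}: {hit['technique']} - {hit['reason']}")
```

The `OriginalFileName` comparison is the generic form of the GoXML.exe / cl.exe renaming in the table: it fires on any on-disk name that disagrees with the PE version resource, so it does not depend on knowing the attacker's chosen file names in advance. In production the shell-parent rules need an allow-list for legitimate WMI-driven administration and for application pools that genuinely shell out.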
| ID | Name | Description |
|---|---|---|
| S1149 | CHIMNEYSWEEP | |
| S0095 | ftp | |
| S0357 | Impacket | |
| S0002 | Mimikatz | |
| S0364 | RawDisk | |
| S1150 | ROADSWEEP | |
| S1151 | ZeroCleare | |