HomeLand Justice
HomeLand Justice was a disruptive campaign involving the use of ransomware, wiper malware, and sensitive information leaks conducted by Iranian state cyber actors against Albanian government networks in July and September 2022. Initial access for HomeLand Justice was established in May 2021 as threat actors subsequently moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the attacks. Responsibility was claimed by the "HomeLand Justice" front whose messaging indicated targeting of the Mujahedeen-e Khalq (MEK), an Iranian opposition group who maintain a refugee camp in Albania, and were formerly designated a terrorist organization by the US State Department.[1][2][3] A second wave of attacks was launched in September 2022 using similar tactics after public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.[3]
Groups
| ID | Name | Description |
|---|---|---|
| G1001 | HEXANE |
HEXANE probed victim infrastructure in support of HomeLand Justice.[2] |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1134 | .001 | Access Token Manipulation: Token Impersonation/Theft |
During HomeLand Justice, threat actors used custom tooling to acquire tokens using |
| Enterprise | T1087 | .003 | Account Discovery: Email Account |
During HomeLand Justice, threat actors used compromised Exchange accounts to search mailboxes for administrator accounts.[3] |
| Enterprise | T1098 | .002 | Account Manipulation: Additional Email Delegate Permissions |
During HomeLand Justice, threat actors added the |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
During HomeLand Justice, threat actors used PowerShell cmdlets New-MailboxSearch and Get-Recipient for discovery.[3][2] |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
During HomeLand Justice, threat actors used Windows batch files for persistence and execution.[3][2] |
||
| Enterprise | T1486 | Data Encrypted for Impact |
During HomeLand Justice, threat actors used ROADSWEEP ransomware to encrypt files on targeted systems.[1][3][2] |
|
| Enterprise | T1561 | .002 | Disk Wipe: Disk Structure Wipe |
During HomeLand Justice, threat actors used a version of ZeroCleare to wipe disk drives on targeted hosts.[3][2] |
| Enterprise | T1114 | .002 | Email Collection: Remote Email Collection |
During HomeLand Justice, threat actors made multiple HTTP POST requests to the Exchange servers of the victim organization to transfer data.[3] |
| Enterprise | T1041 | Exfiltration Over C2 Channel |
During HomeLand Justice, threat actors used HTTP to transfer data from compromised Exchange servers.[3] |
|
| Enterprise | T1190 | Exploit Public-Facing Application |
For HomeLand Justice, threat actors exploited CVE-2019-0604 in Microsoft SharePoint for initial access.[3] |
|
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
During HomeLand Justice, threat actors modified and disabled components of endpoint detection and response (EDR) solutions including Microsoft Defender Antivirus.[2] |
| .002 | Impair Defenses: Disable Windows Event Logging |
During HomeLand Justice, threat actors deleted Windows events and application logs.[2] |
||
| Enterprise | T1105 | Ingress Tool Transfer |
During HomeLand Justice, threat actors used web shells to download files to compromised infrastructure.[2] |
|
| Enterprise | T1570 | Lateral Tool Transfer |
During HomeLand Justice, threat actors initiated a process named Mellona.exe to spread the ROADSWEEP file encryptor and a persistence script to a list of internal machines.[3] |
|
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
During HomeLand Justice, threat actors renamed ROADSWEEP to GoXML.exe and ZeroCleare to cl.exe.[3][1] |
| Enterprise | T1046 | Network Service Discovery |
During HomeLand Justice, threat actors executed the Advanced Port Scanner tool on compromised systems.[3][2] |
|
| Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
During HomeLand Justice, threat actors used tools including Advanced Port Scanner, Mimikatz, and Impacket.[3][2] |
| .003 | Obtain Capabilities: Code Signing Certificates |
During HomeLand Justice, threat actors used tools with legitimate code signing certificates. [3] |
||
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
During HomeLand Justice, threat actors dumped LSASS memory on compromised hosts.[3] |
| Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
During HomeLand Justice, threat actors primarily used RDP for lateral movement in the victim environment.[3][2] |
| .002 | Remote Services: SMB/Windows Admin Shares |
During HomeLand Justice, threat actors used SMB for lateral movement.[3][2] |
||
| Enterprise | T1505 | .003 | Server Software Component: Web Shell |
For HomeLand Justice, threat actors used .aspx webshells named pickers.aspx, error4.aspx, and ClientBin.aspx, to maintain persistence.[3][2] |
| Enterprise | T1078 | Valid Accounts |
During HomeLand Justice, threat actors used a compromised Exchange account to search mailboxes and create new Exchange accounts.[3] |
|
| .001 | Default Accounts |
During HomeLand Justice, threat actors used the built-in administrator account to move laterally using RDP and Impacket.[2] |
||
| Enterprise | T1047 | Windows Management Instrumentation |
During HomeLand Justice, threat actors used WMI to modify Windows Defender settings.[2] |
|
Software
| ID | Name | Description |
|---|---|---|
| S1149 | CHIMNEYSWEEP | |
| S0095 | ftp | |
| S0357 | Impacket | |
| S0002 | Mimikatz | |
| S0364 | RawDisk | |
| S1150 | ROADSWEEP | |
| S1151 | ZeroCleare |
References
- Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
- MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.