HomeLand Justice

HomeLand Justice was a disruptive campaign involving the use of ransomware, wiper malware, and sensitive information leaks conducted by Iranian state cyber actors against Albanian government networks in July and September 2022. Initial access for HomeLand Justice was established in May 2021; the threat actors subsequently moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the attacks. Responsibility was claimed by the "HomeLand Justice" front, whose messaging indicated targeting of the Mujahedeen-e Khalq (MEK), an Iranian opposition group that maintains a refugee camp in Albania and was formerly designated a terrorist organization by the US State Department.[1][2][3] A second wave of attacks was launched in September 2022 using similar tactics, after public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.[3]

ID: C0038
First Seen: May 2021 [1][2][3]
Last Seen: September 2022 [3]
Contributors: Aung Kyaw Min Naing, @Nolan
Version: 1.0
Created: 06 August 2024
Last Modified: 21 August 2024

Groups

ID Name Description
G1001 HEXANE

HEXANE probed victim infrastructure in support of HomeLand Justice.[2]

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

During HomeLand Justice, threat actors used custom tooling to acquire tokens using ImpersonateLoggedOnUser/SetThreadToken.[2]

Enterprise T1087 .003 Account Discovery: Email Account

During HomeLand Justice, threat actors used compromised Exchange accounts to search mailboxes for administrator accounts.[3]

Enterprise T1098 .002 Account Manipulation: Additional Email Delegate Permissions

During HomeLand Justice, threat actors added the ApplicationImpersonation management role to accounts under their control to impersonate users and take ownership of targeted mailboxes.[2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

During HomeLand Justice, threat actors used PowerShell cmdlets New-MailboxSearch and Get-Recipient for discovery.[3][2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

During HomeLand Justice, threat actors used Windows batch files for persistence and execution.[3][2]

Enterprise T1486 Data Encrypted for Impact

During HomeLand Justice, threat actors used ROADSWEEP ransomware to encrypt files on targeted systems.[1][3][2]

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

During HomeLand Justice, threat actors used a version of ZeroCleare to wipe disk drives on targeted hosts.[3][2]

Enterprise T1114 .002 Email Collection: Remote Email Collection

During HomeLand Justice, threat actors made multiple HTTP POST requests to the Exchange servers of the victim organization to transfer data.[3]

Enterprise T1041 Exfiltration Over C2 Channel

During HomeLand Justice, threat actors used HTTP to transfer data from compromised Exchange servers.[3]

Enterprise T1190 Exploit Public-Facing Application

For HomeLand Justice, threat actors exploited CVE-2019-0604 in Microsoft SharePoint for initial access.[3]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

During HomeLand Justice, threat actors modified and disabled components of endpoint detection and response (EDR) solutions including Microsoft Defender Antivirus.[2]

Enterprise T1562 .002 Impair Defenses: Disable Windows Event Logging

During HomeLand Justice, threat actors deleted Windows events and application logs.[2]

Enterprise T1105 Ingress Tool Transfer

During HomeLand Justice, threat actors used web shells to download files to compromised infrastructure.[2]

Enterprise T1570 Lateral Tool Transfer

During HomeLand Justice, threat actors initiated a process named Mellona.exe to spread the ROADSWEEP file encryptor and a persistence script to a list of internal machines.[3]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

During HomeLand Justice, threat actors renamed ROADSWEEP to GoXML.exe and ZeroCleare to cl.exe.[3][1]

Enterprise T1046 Network Service Discovery

During HomeLand Justice, threat actors executed the Advanced Port Scanner tool on compromised systems.[3][2]

Enterprise T1588 .002 Obtain Capabilities: Tool

During HomeLand Justice, threat actors used tools including Advanced Port Scanner, Mimikatz, and Impacket.[3][2]

Enterprise T1588 .003 Obtain Capabilities: Code Signing Certificates

During HomeLand Justice, threat actors used tools with legitimate code signing certificates.[3]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

During HomeLand Justice, threat actors dumped LSASS memory on compromised hosts.[3]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

During HomeLand Justice, threat actors primarily used RDP for lateral movement in the victim environment.[3][2]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

During HomeLand Justice, threat actors used SMB for lateral movement.[3][2]

Enterprise T1505 .003 Server Software Component: Web Shell

For HomeLand Justice, threat actors used .aspx web shells named pickers.aspx, error4.aspx, and ClientBin.aspx to maintain persistence.[3][2]
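The web shell file names above, together with the HTTP POST transfers to the Exchange servers noted under T1114.002, give a defender a concrete thing to hunt for in IIS logs. The following is an added example, not code from ATT&CK or from the cited reports: it parses IIS W3C log lines, flags any request whose URI ends in one of the three named .aspx files, and summarises the flagged traffic per client address so that POST volume to a web shell stands out. The log lines, host names and IP addresses are constructed for the example (documentation ranges), and the field layout assumed is the default IIS W3C field order.

```python
from typing import Dict, List

# Web shell file names reported for HomeLand Justice (T1505.003); matched
# case-insensitively against the last path component of cs-uri-stem.
WEBSHELL_NAMES = {"pickers.aspx", "error4.aspx", "clientbin.aspx"}

# Constructed sample IIS W3C log (not real data). The #Fields header is the
# default IIS layout; the parser reads the field names from it rather than
# hard-coding positions, so logs with a different selected field set still parse.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes time-taken
2022-07-15 02:11:03 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.1.20 Mozilla/5.0 200 5120 300 12
2022-07-15 02:12:44 10.0.0.5 POST /owa/auth/pickers.aspx - 443 - 198.51.100.7 python-requests/2.28 200 812 60231 340
2022-07-15 02:13:10 10.0.0.5 POST /ecp/error4.aspx - 443 - 198.51.100.7 python-requests/2.28 200 4096 1200 88
2022-07-15 02:20:00 10.0.0.5 GET /owa/ClientBin.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 200 0 5
2022-07-15 03:00:00 10.0.0.5 POST /ews/exchange.asmx - 443 - 10.0.1.20 Microsoft-Exchange 200 15000 1000 40
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C-format IIS log text into one dict per request line."""
    fields = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field names follow the directive
            continue
        if not line.strip() or line.startswith("#"):
            continue  # blank line or other directive (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign
        records.append(dict(zip(fields, values)))
    return records


def find_webshell_hits(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the requests whose URI stem names one of the known web shell files."""
    hits = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "")
        basename = stem.rsplit("/", 1)[-1].lower()
        if basename in WEBSHELL_NAMES:
            hits.append(rec)
    return hits


def summarize_by_client(hits: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Aggregate flagged requests per client IP: count, POST count, bytes sent by client."""
    summary: Dict[str, Dict[str, object]] = {}
    for rec in hits:
        entry = summary.setdefault(
            rec["c-ip"], {"requests": 0, "posts": 0, "bytes_in": 0, "paths": set()}
        )
        entry["requests"] += 1
        if rec["cs-method"].upper() == "POST":
            entry["posts"] += 1
        # cs-bytes is the request size: large POST bodies to a web shell are the
        # upload/transfer pattern worth escalating.
        entry["bytes_in"] += int(rec["cs-bytes"])
        entry["paths"].add(rec["cs-uri-stem"])
    return summary


if __name__ == "__main__":
    hits = find_webshell_hits(parse_iis_log(SAMPLE_IIS_LOG))
    for ip, info in summarize_by_client(hits).items():
        print(f"{ip}: {info['requests']} requests, {info['posts']} POST, "
              f"{info['bytes_in']} bytes in, paths={sorted(info['paths'])}")
```

On the sample log the legitimate OWA and EWS traffic from 10.0.1.20 is left alone, while 198.51.100.7 is reported with three requests to the named shells, two of them POSTs carrying about 60 KB of request body. Matching on the basename rather than the full path is deliberate: the reports give file names, not the directories the shells were dropped into.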

Enterprise T1078 Valid Accounts

During HomeLand Justice, threat actors used a compromised Exchange account to search mailboxes and create new Exchange accounts.[3]

Enterprise T1078 .001 Valid Accounts: Default Accounts

During HomeLand Justice, threat actors used the built-in administrator account to move laterally using RDP and Impacket.[2]

Enterprise T1047 Windows Management Instrumentation

During HomeLand Justice, threat actors used WMI to modify Windows Defender settings.[2]
