C0038 HomeLand Justice
HomeLand Justice was a disruptive campaign involving the use of ransomware, wiper malware, and sensitive information leaks conducted by Iranian state cyber actors against Albanian government networks in July and September 2022. Initial access for HomeLand Justice was established in May 2021 as threat actors subsequently moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the attacks. Responsibility was claimed by the “HomeLand Justice” front whose messaging indicated targeting of the Mujahedeen-e Khalq (MEK), an Iranian opposition group who maintain a refugee camp in Albania, and were formerly designated a terrorist organization by the US State Department.231 A second wave of attacks was launched in September 2022 using similar tactics after public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.1
| Item | Value |
|---|---|
| ID | C0038 |
| Associated Names | |
| First Seen | May 2021 |
| Last Seen | September 2022 |
| Version | 1.0 |
| Created | 06 August 2024 |
| Last Modified | 31 October 2024 |
| Navigation Layer | View In ATT&CK® Navigator |
Groups
| ID | Name | References |
|---|---|---|
| G1001 | HEXANE | HEXANE probed victim infrastructure in support of HomeLand Justice.3 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | - |
| enterprise | T1134.001 | Token Impersonation/Theft | During HomeLand Justice, threat actors used custom tooling to acquire tokens using ImpersonateLoggedOnUser/SetThreadToken.3 |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.003 | Email Account | During HomeLand Justice, threat actors used compromised Exchange accounts to search mailboxes for administrator accounts.1 |
| enterprise | T1098 | Account Manipulation | - |
| enterprise | T1098.002 | Additional Email Delegate Permissions | During HomeLand Justice, threat actors added the ApplicationImpersonation management role to accounts under their control to impersonate users and take ownership of targeted mailboxes.3 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | During HomeLand Justice, threat actors used PowerShell cmdlets New-MailboxSearch and Get-Recipient for discovery.13 |
| enterprise | T1059.003 | Windows Command Shell | During HomeLand Justice, threat actors used Windows batch files for persistence and execution.13 |
| enterprise | T1486 | Data Encrypted for Impact | During HomeLand Justice, threat actors used ROADSWEEP ransomware to encrypt files on targeted systems.213 |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.002 | Disk Structure Wipe | During HomeLand Justice, threat actors used a version of ZeroCleare to wipe disk drives on targeted hosts.13 |
| enterprise | T1114 | Email Collection | - |
| enterprise | T1114.002 | Remote Email Collection | During HomeLand Justice, threat actors made multiple HTTP POST requests to the Exchange servers of the victim organization to transfer data.1 |
| enterprise | T1041 | Exfiltration Over C2 Channel | During HomeLand Justice, threat actors used HTTP to transfer data from compromised Exchange servers.1 |
| enterprise | T1190 | Exploit Public-Facing Application | For HomeLand Justice, threat actors exploited CVE-2019-0604 in Microsoft SharePoint for initial access.1 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | During HomeLand Justice, threat actors modified and disabled components of endpoint detection and response (EDR) solutions including Microsoft Defender Antivirus.3 |
| enterprise | T1562.002 | Disable Windows Event Logging | During HomeLand Justice, threat actors deleted Windows events and application logs.3 |
| enterprise | T1105 | Ingress Tool Transfer | During HomeLand Justice, threat actors used web shells to download files to compromised infrastructure.3 |
| enterprise | T1570 | Lateral Tool Transfer | During HomeLand Justice, threat actors initiated a process named Mellona.exe to spread the ROADSWEEP file encryptor and a persistence script to a list of internal machines.1 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | During HomeLand Justice, threat actors renamed ROADSWEEP to GoXML.exe and ZeroCleare to cl.exe.12 |
| enterprise | T1046 | Network Service Discovery | During HomeLand Justice, threat actors executed the Advanced Port Scanner tool on compromised systems.13 |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | During HomeLand Justice, threat actors used tools including Advanced Port Scanner, Mimikatz, and Impacket.13 |
| enterprise | T1588.003 | Code Signing Certificates | During HomeLand Justice, threat actors used tools with legitimate code signing certificates. 1 |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | During HomeLand Justice, threat actors dumped LSASS memory on compromised hosts.1 |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | During HomeLand Justice, threat actors primarily used RDP for lateral movement in the victim environment.13 |
| enterprise | T1021.002 | SMB/Windows Admin Shares | During HomeLand Justice, threat actors used SMB for lateral movement.13 |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | For HomeLand Justice, threat actors used .aspx webshells named pickers.aspx, error4.aspx, and ClientBin.aspx, to maintain persistence.13 |
| enterprise | T1078 | Valid Accounts | During HomeLand Justice, threat actors used a compromised Exchange account to search mailboxes and create new Exchange accounts.1 |
| enterprise | T1078.001 | Default Accounts | During HomeLand Justice, threat actors used the built-in administrator account to move laterally using RDP and Impacket.3 |
| enterprise | T1047 | Windows Management Instrumentation | During HomeLand Justice, threat actors used WMI to modify Windows Defender settings.3 |
Software
| ID | Name | Description |
|---|---|---|
| S1149 | CHIMNEYSWEEP | 2 |
References
-
CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. ↩↩↩↩
-
MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩