Cyber Incident Victim: Albanian Intelligence Agency
Date: Jan 2018
Location: Albania
Summary
Hackers suspected of acting in Turkey's interests conducted cyberattacks against European and Middle Eastern governments and organizations using DNS hijacking, redirecting victims to fraudulent websites that harvested their credentials. The campaign compromised entities including Cypriot and Greek government email systems, Iraq's national security advisor, and Albanian state intelligence, resulting in stolen login credentials from non-classified infrastructure. Western security officials attributed the state-backed espionage operation to Turkish geopolitical motives based on victim profiles, infrastructure similarities to previous attacks, and intelligence assessments. The ongoing attacks exploited weaknesses in the internet's domain name infrastructure, impacting diplomatic services and security agencies across multiple countries.
Description
Between early 2018 and early 2019, a series of cyberattacks targeting European and Middle Eastern governments and organizations employed DNS hijacking techniques to redirect victims to imposter websites, enabling credential theft. Security officials from three Western nations attributed the campaign to hackers acting in Turkey’s geopolitical interests, citing victim profiles aligned with Turkish foreign policy objectives, infrastructure linked to prior Turkey-associated attacks, and classified intelligence assessments. The attackers compromised at least 30 entities, including government ministries, embassies, security services, and private organizations, by manipulating Domain Name System records to intercept web traffic. Public internet records reviewed by Reuters confirmed Albanian state intelligence services were among the victims, with hundreds of usernames and passwords compromised through redirected login portals. Other confirmed targets included Cypriot and Greek government email systems, Iraq’s national security advisor, and Turkish civilian groups like a Freemasons chapter accused by Ankara of ties to exiled cleric Fethullah Gulen.

The Albanian State Information Service acknowledged the compromise of non-classified infrastructure but emphasized that no state secrets were accessed. Cyprus reported immediate containment by its agencies, while Greece denied any evidence of email system breaches. Attackers maintained persistent access by breaching organizations that control top-level internet domains, allowing ongoing redirection of traffic to malicious servers. Cybersecurity researchers noted that the campaign's scale, unusual for DNS hijacking, alarmed Western intelligence agencies, though officials distinguished it from a separate 2018 DNS campaign. Turkish authorities declined direct comment but noted that Turkey is itself frequently the target of cyberattacks. Private cybersecurity firms, including Team Cymru, notified victims after identifying infrastructure patterns. The attacks exposed systemic weaknesses in global DNS architecture: by altering records at the registrar or top-level-domain level, attackers could intercept an organization's traffic without directly breaching that organization's own systems. As of January 2020, officials confirmed the operation remained active across multiple jurisdictions.
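Because the records in this campaign were changed upstream of the victims, the practical defensive control is to monitor your own DNS answers from the outside and alert when they drift from a known-good baseline. The following is an added example written for this entry, not code from the incident database or from any party named above; it compares a baseline of expected A/NS/MX records against a snapshot in the shape of `dig +noall +answer` output and flags values that appear or disappear, with A records that point outside the organization's own address space called out separately. Every name, address and record in it is constructed and hypothetical.

```python
"""DNS record drift check: compare an observed answer snapshot against a
baseline of expected records and flag changes consistent with hijacking
(answers pointing outside known-good address space, swapped name servers).
All names and addresses below are constructed for illustration."""
import ipaddress

# Baseline: what the records are supposed to be (constructed, hypothetical zone).
BASELINE = {
    ("mail.example.gov", "A"): {"198.51.100.10"},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov", "MX"): {"10 mail.example.gov."},
}

# Address space the organization actually controls (constructed).
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed snapshot in the shape of `dig +noall +answer` output, in which
# the mail host's A record and one name server have been changed.
OBSERVED_TEXT = """
mail.example.gov.  300  IN  A   203.0.113.77
example.gov.       3600 IN  NS  ns1.example.gov.
example.gov.       3600 IN  NS  ns3.unrelated-host.example.
example.gov.       3600 IN  MX  10 mail.example.gov.
"""


def parse_snapshot(text):
    """Parse 'name ttl class type rdata' lines into {(name, type): set(rdata)}."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # skip blank lines and anything that is not an answer record
        name = fields[0].rstrip(".").lower()
        rtype = fields[3].upper()
        rdata = " ".join(fields[4:])  # MX rdata keeps its preference value
        records.setdefault((name, rtype), set()).add(rdata)
    return records


def outside_trusted_space(value):
    """True if value is an IP address that lies outside TRUSTED_NETS."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False  # hostname rdata (NS/MX) is judged by the set comparison alone
    return not any(ip in net for net in TRUSTED_NETS)


def diff_records(baseline, observed):
    """Return findings as sorted (name, rtype, kind, detail) tuples."""
    findings = []
    for (name, rtype), expected in baseline.items():
        seen = observed.get((name, rtype))
        if seen is None:
            findings.append((name, rtype, "missing", "no answer observed"))
            continue
        for value in seen - expected:
            kind = "untrusted_address" if outside_trusted_space(value) else "unexpected_value"
            findings.append((name, rtype, kind, value))
        for value in expected - seen:
            findings.append((name, rtype, "value_removed", value))
    # Record sets that were never baselined are worth a look as well.
    for name, rtype in observed.keys() - baseline.keys():
        findings.append((name, rtype, "not_in_baseline", ""))
    return sorted(findings)


def run_check():
    """Run the drift check over the constructed snapshot."""
    return diff_records(BASELINE, parse_snapshot(OBSERVED_TEXT))


if __name__ == "__main__":
    for finding in run_check():
        print(*finding)
```

In practice the snapshot would come from a scheduled resolver query issued from outside the organization's network (the baseline from a signed copy of the zone), and an `untrusted_address` finding on a login or mail host would be paged immediately; the unchanged MX record in the sample shows why the comparison is done per record set, since a hijack of one host need not disturb the others.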
