Attribution Summary
| Attribute | Detail |
|---|---|
| Campaign name | HomeLand Justice |
| MITRE ATT&CK ID | C0038 |
| Attribution | Iranian Ministry of Intelligence and Security (MOIS) |
| Associated group | HEXANE (G1001) — conducted reconnaissance |
| Confirming agencies | FBI, CISA (AA22-264A), Mandiant, Microsoft, NATO, UK NCSC |
| Motivation | Retaliation for Albania hosting the MEK (Mujahedeen-e-Khalq) |
| Initial access vector | CVE-2019-0604 (Microsoft SharePoint Remote Code Execution) |
| Period of operation | May 2021 (initial access) — January 2024+ (ongoing leaks) |
Motivation
The Mujahedeen-e-Khalq (People’s Mojahedin Organization of Iran, MEK) is an Iranian opposition group that maintains a refugee camp in Durrës, Albania. Iran considers MEK a terrorist organization and views Albania’s hosting of MEK as a hostile act. The HomeLand Justice attacks were explicitly framed as retaliation: Albania was targeted for harboring people Iran wants dead or imprisoned.
Albania severed diplomatic relations with Iran on September 7, 2022 — the first nation in history to sever diplomatic ties over a cyberattack. The United States Treasury Department sanctioned Iran’s Ministry of Intelligence and the Intelligence Minister personally in response.
Attack Timeline
| Date | Event |
|---|---|
| May 2021 | Initial access established via CVE-2019-0604 (SharePoint RCE) — 14 months before destructive attack |
| May 2021–July 2022 | Silent persistence: CHIMNEYSWEEP infostealer exfiltrating data during 14-month dwell time |
| July 18, 2022 | Destructive attack launched — Albanian government services temporarily taken offline |
| July 21, 2022 | HomeLand Justice claims responsibility, begins leaking data via Telegram |
| September 7, 2022 | Albania severs diplomatic ties with Iran — first nation to do so over a cyberattack |
| September 19, 2022 | Police chief’s personal data and border crossing records leaked |
| October 3, 2022 | 300 criminal suspect identities leaked (1.7 GB file, ~100,000 records total) |
| December 2023 | Parliament and One Albania telecom attacked |
| December 24, 2023 | #DestroyDurresMilitaryCamp campaign launched |
| January 2024 | INSTAT (statistics institute) breached — 100+ TB claimed exfiltrated |
Malware Arsenal
| Malware | Type | Purpose |
|---|---|---|
| ROADSWEEP | Ransomware | File encryption across government systems |
| ZeroCleare | Wiper | Disk destruction (used with RawDisk driver) |
| CHIMNEYSWEEP | Infostealer / Backdoor | Long-term data exfiltration during dwell time |
| No-Justice | Wiper | Used in 2024 attacks |
Initial Access & Persistence
Exploitation Vector
Initial access was achieved by exploiting CVE-2019-0604 — a remote code execution vulnerability in Microsoft SharePoint. The vulnerability was patched in 2019, meaning Albanian government SharePoint installations had gone unpatched for at least two years before exploitation.
Persistence Mechanisms
- ASPX web shells: pickers.aspx, error4.aspx, ClientBin.aspx
- Compromised administrator accounts
- 14 months of silent dwell time before destructive phase
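A defender-side hunt for the persistence mechanism above, written as an added example (not code from the advisory or from this report): it parses IIS W3C-format logs from a SharePoint front end and flags requests whose file name matches the three reported web shell names, plus any POST to an .aspx page outside a known-good baseline, since the file names themselves are trivial for an operator to change. The log lines, IP addresses and baseline path are constructed for illustration.

```python
"""Hunt IIS W3C logs for the ASPX web shell names reported in the HomeLand
Justice intrusion and for POSTs to .aspx pages not in a known-good baseline."""
import posixpath
from collections import Counter

# File names reported for the web shells in this intrusion (from the report).
WEBSHELL_NAMES = frozenset({"pickers.aspx", "error4.aspx", "clientbin.aspx"})

# Constructed sample log lines; the IPs and paths are illustrative only.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2021-05-12 03:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 10.0.0.9 200
2021-05-12 03:14:09 10.0.0.5 POST /_layouts/15/pickers.aspx - 443 198.51.100.7 200
2021-05-12 03:15:22 10.0.0.5 POST /sites/hr/error4.aspx cmd=x 443 198.51.100.7 200
2021-05-12 03:16:01 10.0.0.5 POST /sites/hr/default.aspx - 443 10.0.0.22 200
2021-05-12 03:17:45 10.0.0.5 POST /ClientBin.aspx - 443 198.51.100.7 500
2021-05-12 03:18:10 10.0.0.5 POST /sites/hr/upload.aspx - 443 10.0.0.31 200
"""

# Assumed baseline of .aspx paths that legitimately receive POSTs on this host.
BASELINE_POST_TARGETS = frozenset({"/sites/hr/default.aspx"})


def parse_w3c(text):
    """Yield one dict per request line, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, parts))


def hunt_webshells(text, baseline=BASELINE_POST_TARGETS):
    """Return (findings, per_client): findings is a list of
    (client_ip, uri_stem, reason); per_client counts findings per source IP."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"]
        name = posixpath.basename(stem).lower()  # case-insensitive like IIS
        if name in WEBSHELL_NAMES:
            findings.append((rec["c-ip"], stem, "known web shell name"))
        elif rec["cs-method"] == "POST" and name.endswith(".aspx") and stem not in baseline:
            findings.append((rec["c-ip"], stem, "POST to non-baseline .aspx"))
    return findings, Counter(ip for ip, _, _ in findings)
```

Run `hunt_webshells(SAMPLE_LOG)` to see the three IOC hits from one external client and one unrecognised POST target; in production the baseline should be generated from a clean install rather than hand-written.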
Post-Exploitation Tools
- Mimikatz — Credential dumping from Windows memory
- Impacket — Post-exploitation framework for lateral movement
- RawDisk — Direct disk access driver (used by ZeroCleare)
Data Exfiltration Method
During the dwell period, data was exfiltrated via:
- HTTP POST requests from compromised Exchange servers
- PowerShell mailbox searches and exports
- Direct transfer to attacker-controlled infrastructure
Data Leaked
Police Suspect Database (October 2022)
~100,000 records, 1.7 GB. Contents per record:
- Photographs
- National ID numbers
- Full names and father’s names
- Dates of birth
- Birth cities and nationality
Source system: MEMEX — the Albanian state police suspect database.
Government Officials (September 2022)
- Police Chief: 47-page document with personal identifying information and border crossing records
- Interior Minister Bledi Çuçi: Email mailbox contents
- Defence Minister Niko Peleshi: Email mailbox contents
- Prime Minister Edi Rama: Correspondence with citizens
State Information Service (SHISH) Employees
The most sensitive leak: employee data from SHISH (Shërbimi Informativ Shtetëror), Albania’s civilian intelligence agency. The leak included:
- Employee names and surnames
- Official email addresses
- Mobile phone numbers
This constitutes a complete identification package for Albania’s intelligence officers.
Citizen Phone Numbers & IDs
A mass leak of Albanian citizens’ personal data containing name, surname, birthplace, phone number, and ID card number. Volume not independently verified.
INSTAT Census Data (January 2024)
HomeLand Justice claimed to have exfiltrated 100+ terabytes from INSTAT, Albania’s national statistics institute. Claimed data includes GIS records and census data. The 100 TB figure has not been independently verified, but the INSTAT breach was confirmed by AKCESK.
Active Leak Infrastructure (As of January 2026)
| Channel | Status | Members/Traffic |
|---|---|---|
| t.me/justice_homeland | ACTIVE | 13,600+ members |
| t.me/JusticeHomeland1 | ACTIVE | Unknown |
| homelandjustice.ru | ACTIVE | Russian domain — ongoing |
| justicehomeland.org | ACTIVE | Ongoing |
The HomeLand Justice Telegram channel and websites remain operational. The channel continues to distribute Albanian government data and makes claims about ongoing access to Albanian systems. The operation's contact address uses infrastructure from Yandex (a Russian technology provider), and the primary website uses a Russian .ru domain.
Targets: Government and Private Sector
Government Targets
- AKSHI (National Agency for Information Society) — directly compromised, administrative control of GOVnet and e-Albania
- Assembly of Albania (Parliament)
- Albanian State Police — MEMEX database exfiltrated
- State Information Service (SHISH) — intelligence employee list leaked
- INSTAT (National Statistics Institute)
Private Sector Targets
- One Albania (telecom) — claimed 2 petabytes deleted, December 2023
- Eagle Mobile Albania (telecom)
- Air Albania (aviation)
- Credins Bank (banking) — listed as a data source on HomeLand Justice channels
Implications for Diella
The AKSHI system compromise has direct implications for Diella’s integrity:
- Training data provenance: If CHIMNEYSWEEP was active in AKSHI systems from May 2021, the data used to train and configure Diella (deployed January 2025) may have come from systems under adversary control during development.
- GOVnet access: AKSHI’s GOVnet connects 220 Albanian government institutions. A 14-month dwell time in AKSHI means Iranian intelligence had potential visibility into the entire Albanian government network for over a year.
- Remediation confidence: Diella operates on AKSHI infrastructure. Has the post-2022 breach remediation been sufficient? Albania’s track record — unpatched SharePoint for 2+ years, four subsequent attack phases — does not support high confidence.
Sources
- MITRE ATT&CK — HomeLand Justice (C0038)
- CISA Advisory AA22-264A — Iranian Attacks on Albania
- Mandiant / Google Cloud — ROADSWEEP Analysis
- Balkan Insight — Criminal Suspects Database Leak
- Balkan Insight — “This is a War”
- Security Affairs — INSTAT Breach
- The Hacker News — No-Justice Wiper (2024)
- CCDCOE Cyber Law Toolkit — HomeLand Justice Operations
Note: This report is based on publicly available technical analysis, government advisories, and investigative journalism. ODINT did not independently access HomeLand Justice infrastructure, Telegram channels, or any materials distributed by the threat actor. All attribution statements are derived from official government advisories (FBI/CISA, NATO, UK NCSC) and published threat intelligence (Mandiant/Google, Microsoft).
Documented: January 2026 — ODINT Albania Investigation