Albania HomeLand Justice destructive wiper (Iran MOIS, 2022)
Iran's Ministry of Intelligence and Security, operating as 'HomeLand Justice', spent 14 months dwelling in Albanian government networks before launching ransomware-style file encryption and disk-wiping malware. Albania suspended online public services and became the first country in history to sever diplomatic ties with another state over a cyberattack.
- Victim: Government of Albania
On 15 July 2022, the government of Albania was hit by a destructive cyber operation that combined ransomware-style file encryption with disk-wiping malware. The attackers, identifying as "HomeLand Justice", framed the operation as retaliation against Albania for hosting members of the Iranian opposition group Mojahedin-e-Khalq (MEK). U.S. and Microsoft attribution traced the operation to Iran's Ministry of Intelligence and Security (MOIS). Albania responded by severing diplomatic ties with Iran, the first time any country in history has done so over a cyberattack.
What happened
The intrusion began roughly 14 months before the destructive payload. Iranian state cyber actors established access to Albanian government networks in May 2021, then spent the next year conducting lateral movement, reconnaissance, and credential harvesting: the patient, methodical posture of a state intelligence operation, not a criminal extortion crew.
On 15 July 2022, the attackers launched the destructive phase: ransomware-style file encryption plus disk-wiping malware. Anti-MEK political messaging was left on compromised desktops, framing the attack as retaliation against Albania's policy of hosting MEK members. The Albanian government suspended online public services.
The diplomatic response was unprecedented. On 6 September 2022, Albania severed diplomatic relations with Iran and ordered Iranian embassy staff to leave within 24 hours. No country had ever previously cut off diplomatic relations because of a cyberattack. Microsoft published its attribution analysis on 8 September. The U.S. Treasury imposed sanctions on Iran's MOIS and its Minister. CISA and the FBI published a detailed joint advisory (AA22-264A).
Impact
- Albanian government services suspended.
- Confirmed dual-mode attack: ransomware-style encryption + disk wipers.
- First-ever diplomatic rupture in response to a cyberattack.
- U.S. Treasury sanctions on Iran's MOIS and its Minister.
- CISA/FBI joint advisory codifies Iranian state cyber TTPs for defenders worldwide.
Why it matters
The HomeLand Justice operation is the landmark diplomatic-consequences precedent in the public history of state cyber operations. Iran's masking of the operation behind a hacktivist persona was straightforward attribution evasion; the dwell time (~14 months) is the standard for nation-state intelligence operations; the destructive payload distinguishes the case from pure espionage. The Albanian government's decision to treat the cyber operation as grounds for a diplomatic rupture set a precedent that every government has had to reckon with since.
Timeline
Iranian state cyber actors gain initial access to Albanian government networks (approximately 14 months before the destructive payload).
Lateral movement, network reconnaissance, and credential harvesting across Albanian government networks.
HomeLand Justice launches ransomware-style file encryption and disk-wiping malware against Albanian government systems. Anti-MEK (Mojahedin-e-Khalq) messaging is left on desktops. Albania suspends online public services.
Albania severs diplomatic ties with Iran (the first time any country has cut diplomatic relations over a cyberattack) and gives Iranian embassy staff 24 hours to leave.
Microsoft publicly attributes the operation to Iran. The U.S. Treasury imposes sanctions on Iran's Ministry of Intelligence and Security (MOIS) and its Minister.
CISA and the FBI publish joint cybersecurity advisory AA22-264A detailing Iranian state cyber actors' tactics.
Sources
- cisa.gov: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a
- microsoft.com: https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/
- iranprimer.usip.org: https://iranprimer.usip.org/blog/2022/sep/09/albania-cuts-ties-iran-over-cyberattack
- thehackernews.com: https://thehackernews.com/2022/09/us-imposes-new-sanctions-on-iran-over.html
- cyberlaw.ccdcoe.org: https://cyberlaw.ccdcoe.org/wiki/Homeland_Justice_operations_against_Albania_(2022)