Inside the Cyberattack on Tirana Municipality: What Happened and Why It Matters
In June 2025, Albania once again found itself under a digital siege—this time, the Municipality of Tirana became the epicenter of a coordinated cyberattack that disrupted local government services, leaked sensitive data, and reignited tensions in an already volatile geopolitical landscape.
But what really happened behind the screens? Who was responsible—and why? More importantly, what does this mean for the future of municipal cybersecurity?
Let’s break it down.
What Exactly Happened?
Timeline of the Incident
- June 20–21, 2025: The official website and online services of the Tirana Municipality were taken offline.
- June 22: Parents were unable to register their children for kindergartens or nurseries via the "E-Fëmijët" portal, which is part of the city's digital public service infrastructure.
- Following Days: Investigators uncovered traces of a malicious tool designed to wipe data and disable core systems.
The Malware Used: Display10 Wiper
According to the National Cyber Security Authority (AKSK), the attackers used a piece of destructive malware known as Display10 Wiper.
This malware was designed to:
- Corrupt Windows operating systems by deleting or overwriting system files.
- Make devices unusable, effectively wiping them without the possibility of recovery.
- Evade detection, using code that mimicked legitimate files and operations.
Unlike ransomware, this type of malware doesn’t demand payment. Its goal is pure destruction—to erase, disable, and send a political message through disruption. The same tool has been linked to previous Iranian cyber operations in the region.
Who Was Behind the Attack?
The cyberattack was claimed by a group calling itself Homeland Justice, believed to have strong ties to Iran’s Islamic Revolutionary Guard Corps (IRGC).
This isn’t the first time Albania has been targeted by Iranian-backed hackers:
- In 2022, Albania cut diplomatic ties with Iran following a major cyberattack on its e-Albania platform.
- In 2023–2024, further intrusions affected government services, including Parliament and the Institute of Statistics.
This latest assault was reportedly in retaliation for Albania hosting members of the Mujahedin-e-Khalq (MEK), an Iranian opposition group exiled in Albania.
“We are just getting started,” the group threatened in a Telegram post after claiming responsibility.
What Was the Impact?
Disruption of Public Services
- The Tirana Municipality’s digital services—used by nearly 800,000 residents—were partially or fully suspended.
- Processes such as school registration, document issuance, and administrative communication were affected.
Data Leaks
- Names, emails, internal staff credentials, and financial data were reportedly exfiltrated and leaked online.
- Screenshots shared by the attackers showed access to internal dashboards and sensitive municipal documents.
Emergency Response
The Municipality and AKSK quickly moved to:
- Isolate infected systems.
- Launch a forensic investigation.
- Rebuild affected servers from secure backups.
Acting Mayor Anuela Ristani assured the public that no personal data was permanently lost, though investigations into the scope of the breach continue.
Why Does It Matter?
1. Tirana Is Not an Isolated Case
This attack is part of a larger campaign targeting Albanian public institutions as a form of geopolitical retaliation. Local municipalities, despite handling crucial public data, often lack the cyber defenses of central government agencies.
2. Wipers Are Meant to Send a Message
Unlike ransomware (which seeks payment), wiper malware is destructive by design. The use of such tools suggests the attackers had no interest in profit—but every intent to destabilize.
3. Municipal Systems Are the New Frontlines
City governments increasingly manage services like transportation, utilities, and education portals. That makes them prime targets in cyberwarfare—not only for their data, but for their impact on daily life.
What Needs to Change?
Albania’s experience offers lessons for cities worldwide:
1. Treat Municipal Systems as Critical Infrastructure
Local IT systems must be secured with the same level of care as national ones. This includes:
- Centralized incident response protocols.
- Regular vulnerability assessments.
- Zero-trust access controls.
2. Simulate Attacks and Train Staff
Most breaches succeed due to human error or unpatched systems. Continuous training and simulation (red team exercises, phishing tests) are essential.
3. Boost International Cyber Cooperation
Albania has already received cybersecurity aid from Microsoft, Mandiant, and NATO allies. But ongoing collaboration, intelligence-sharing, and funding for local cyber readiness are key to resilience.
The attack on Tirana’s municipal infrastructure wasn't just a technical incident—it was a political statement delivered through malware. It disrupted the lives of ordinary citizens, embarrassed local governance, and proved once again that cybersecurity is national security.
As cities like Tirana digitize services, they must invest in more than just convenience—they must also build digital defenses fit for a world where every city is a potential battleground.