Are Iranian Hackers Really Behind the Albanian Parliament Breach? A Critical Attribution Analysis

After the March 2026 breach of the Albanian Parliament’s servers, the article scrutinizes the repeated blame placed on the Iranian group Homeland Justice, questioning the evidence chain, political motives, and the Albanian government's weak security practices, urging more rigorous attribution and better defenses.

Black & White Path

1. Incident recap: a familiar script

In March 2026, the hacker group Homeland Justice claimed to have breached the Albanian Parliament’s servers and leaked large volumes of email data belonging to several MPs (Belinda Balluku, Gazmend Bardhi, Damian Gjiknuri, Edi Paloka). The group posted a brief message on Telegram and even streamed a video showing unfettered access to the servers, later deleting some data. The parliament responded that the attack was “complex” but that core infrastructure remained unaffected.

2. First challenge: the attribution blame

The article questions why Iranian hackers are repeatedly cast as the “go-to scapegoat.” It lists previous incidents attributed to Iran:

2022 – e‑Albania public service portal hacked, blamed on Iran.

June 2025 – digital infrastructure in Tirana compromised, blamed on Iran.

March 2026 – the parliamentary breach, again blamed on Iran.

The author asks for evidence, noting that the U.S. CISA warning about Iranian activity dates to 2022 and may not reflect current attribution capabilities. The piece also points out that the group openly claims responsibility, which is unusual for sophisticated APTs that typically hide their tracks.

3. Second challenge: Albania’s own security posture

Security experts Erion Demiri and Besmir Semanaj criticize Albania’s basic defenses: passwords unchanged for years, failure to reset passwords after an intrusion, lingering sessions, and lack of access auditing. Orkidea Xhaferraj adds that post‑incident remediation statements are vague and lack concrete actions.
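The gaps listed above (stale passwords, no reset after an intrusion, lingering sessions, missing access audit records) can be checked mechanically. The following is an added example, not part of the original article: the account and session records, the field names, the one-year password policy, and the intrusion date are all constructed assumptions.

```python
from datetime import datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=365)  # assumed policy threshold

# Constructed sample data; none of it comes from the actual incident.
ACCOUNTS = [
    {"user": "mp.alpha", "password_changed": "2021-02-10"},
    {"user": "mp.beta", "password_changed": "2026-03-20"},
    {"user": "svc.mail", "password_changed": "2025-11-01"},
]
SESSIONS = [
    {"id": "s1", "user": "mp.alpha", "issued": "2026-03-01", "revoked": False},
    {"id": "s2", "user": "mp.beta", "issued": "2026-03-05", "revoked": False},
    {"id": "s3", "user": "mp.beta", "issued": "2026-03-21", "revoked": False},
    {"id": "s4", "user": "svc.mail", "issued": "2026-02-27", "revoked": True},
]
AUDITED_SESSION_IDS = {"s1", "s3"}  # sessions that have a login record in the audit log


def _day(text):
    return datetime.strptime(text, "%Y-%m-%d")


def audit(accounts, sessions, audited_ids, intrusion_date, today):
    """Return (subject, finding) pairs for post-incident hygiene gaps."""
    intrusion, now = _day(intrusion_date), _day(today)
    changed = {a["user"]: _day(a["password_changed"]) for a in accounts}
    findings = []
    for user, when in sorted(changed.items()):
        if when < intrusion:
            findings.append((user, "password not reset since intrusion"))
        if now - when > MAX_PASSWORD_AGE:
            findings.append((user, "password older than policy maximum"))
    for s in sessions:
        if s["revoked"]:
            continue  # revoked sessions can no longer be replayed
        issued = _day(s["issued"])
        # A live session issued before the intrusion, or before the owner's
        # last password change, survived the event that should have killed it.
        if issued < intrusion or issued < changed.get(s["user"], issued):
            findings.append((s["id"], "session predates intrusion or password reset"))
        if s["id"] not in audited_ids:
            findings.append((s["id"], "live session has no audit-log entry"))
    return findings


if __name__ == "__main__":
    # Intrusion date is a constructed placeholder within March 2026.
    for subject, finding in audit(ACCOUNTS, SESSIONS, AUDITED_SESSION_IDS,
                                  "2026-03-10", "2026-03-25"):
        print(f"{subject}: {finding}")
```
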

4. A purple‑team perspective: avoid binary thinking

The author argues that both sides must be considered. Iran has motive (Albania hosts the Iranian opposition group MEK) and capability, but attribution is a technical process that requires solid evidence. Moreover, Albania’s internal vulnerabilities are the root cause, and over‑emphasizing “Iranian threat” may distract from necessary security improvements. The possibility of false‑flag operations by other actors is also raised.

5. Conclusion: strengthen fundamentals before taking sides

Albania needs to upgrade its network security: regular password changes, session revocation, and comprehensive audit logging.

Attribution analyses must be rigorous and based on technical proof rather than public narratives.

Defensive strategies should be holistic; protecting against one actor does not guarantee protection against others.

The author ends with a reminder to “let the dust settle before drawing conclusions,” emphasizing the frequent twists in cyber‑security incidents.

Written by

Black & White Path
