New 'Mahdi' Cyber Campaign Targeting Iran

Security experts uncovered a new cyber espionage campaign targeting Iran; first operation using communications tools written in Persian.
By Rachel Hirshfeld
First Publish: 7/18/2012, 9:35 PM

Hackers (illustrative)
Israel news photo: Flash90

Security experts have uncovered a new cyber espionage campaign targeting Iran and other Middle Eastern countries, which, they say, is unique because it is the first such operation using communications tools written in Persian, Reuters reported.

Israeli security company Seculert and Russia's Kaspersky Lab said on Tuesday that they identified more than 800 victims of the operation.

The targets include critical infrastructure companies, engineering students, financial services firms and government embassies located in five Middle Eastern countries, with the majority of the infections in Iran.

Seculert and Kaspersky declined to identify specific targets of the campaign, which they believe began at least eight months ago.

The perpetrators of the attacks have not been identified.

"It's for sure somebody who is fluent in Persian, but we don't know the origin of those guys," said Seculert Chief Technology Officer Aviv Raff.

The Mahdi Trojan lets remote attackers steal files from infected PCs and monitor emails and instant messages, Seculert and Kaspersky said. It can also record audio, log keystrokes and take screenshots of activity on those computers.

The firms said they believed multiple gigabytes of data have been uploaded from targeted machines.

"Somebody is trying to build a dossier of a larger scale on something," Raff said. "We don't know what they are going to do at the end."

Researchers have said that they believe nation states were behind the Flame virus, which was discovered earlier this year, and Stuxnet, which was uncovered in 2011.

Seculert and Kaspersky dubbed the campaign ‘Mahdi,’ a term referring to the prophesied redeemer of Islam, because evidence suggests the attackers used a folder with that name as they developed the software to run the project, according to Reuters.

They also included a text file named ‘mahdi.txt’ in the malicious software that infected target computers.