New 'Mahdi malware' cyber spy attack on Iran disclosed
WASHINGTON -- Security experts have identified a cyber espionage attack that appears to have chiefly targeted computers in Iran that they say differs from previously discovered malware believed to be part of a covert U.S. and Israeli effort to monitor and delay Tehran’s nuclear development program.
The latest spyware, dubbed Mahdi and written partly in Persian, has affected about 800 companies and individuals in five countries, including Israel and Afghanistan, according to researchers at an Israeli security company, Seculert, and Kaspersky Lab of Russia, who disclosed their findings Tuesday.
The source of the latest attack wasn’t clear, the researchers said, although stolen data apparently went to computer servers in Canada and Tehran.
The spyware hit at least 387 computers in Iran, and 54 in Israel, the researchers said. They refused to identify the targets, but said they included crucial infrastructure companies, engineering students, financial services firms and embassies.
They said Mahdi was far less sophisticated than Flame, a recently discovered piece of malware that reportedly was used to spy on Iranian computers and steal their data. And it is nothing like Stuxnet, a complex cyber attack that the New York Times reported was part of a covert U.S. attempt to sabotage Iran’s nuclear program by destroying centrifuges used to enrich uranium.
“Mahdi is much simple. It’s not anywhere close to Flame and Stuxnet,” Kaspersky researcher Nicolas Brulez said in a telephone interview from Paris.
The researchers said the malware was hidden in a variety of web documents, including a news story on Israeli efforts to spy on Iran. If users opened the documents, the software secretly tracked their every keystroke.
The attackers were able to monitor users’ Internet activity, including passwords, email, social network accounts, and video or Web-based telephone calls. The malware also took screen shots and recorded audio.
The researchers named the malware Mahdi, a term referring to an Islamic messiah, because the attackers appear to have used a folder and a file with that name.
The researchers said the attack could be state-sponsored because of the cost involved.
“This operation might require a large investment and financial backing,” Seculert said in a blogpost.
“It requires people to actually do a massive amount of work” to sift through the data being collected, said Aviv Raff, co-founder of Seculert.
-- Ken Dilanian