New 'Mahdi malware' cyber spy attack on Iran disclosed

New ‘Mahdi malware’ cyber spy attack on Iran disclosed

July 17, 2012 1:43 PM PT

This article was originally on a blog post platform and may be missing photos, graphics or links. See About archive blog posts.

WASHINGTON -- Security experts have identified a cyber espionage attack that appears to have chiefly targeted computers in Iran that they say differs from previously discovered malware believed to be part of a covert U.S. and Israeli effort to monitor and delay Tehran’s nuclear development program.

The latest spyware, dubbed Mahdi and written partly in Persian, has affected about 800 companies and individuals in five countries, including Israel and Afghanistan, according to researchers at an Israeli security company, Seculert, and Kaspersky Lab of Russia, who disclosed their findings Tuesday.

The source of the latest attack wasn’t clear, the researchers said, although stolen data apparently went to computer servers in Canada and Tehran.

The spyware hit at least 387 computers in Iran, and 54 in Israel, the researchers said. They refused to identify the targets, but said they included crucial infrastructure companies, engineering students, financial services firms and embassies.

They said Mahdi was far less sophisticated than Flame, a recently discovered piece of malware that reportedly was used to spy on Iranian computers and steal their data. And it is nothing like Stuxnet, a complex cyber attack that the New York Times reported was part of a covert U.S. attempt to sabotage Iran’s nuclear program by destroying centrifuges used to enrich uranium.

“Mahdi is much simple. It’s not anywhere close to Flame and Stuxnet,” Kaspersky researcher Nicolas Brulez said in a telephone interview from Paris.

The researchers said the malware was hidden in a variety of web documents, including a news story on Israeli efforts to spy on Iran. If users opened the documents, the software secretly tracked their every keystroke.

The attackers were able to monitor users’ Internet activity, including passwords, email, social network accounts, and video or Web-based telephone calls. The malware also took screen shots and recorded audio.

The researchers named the malware Mahdi, a term referring to an Islamic messiah, because the attackers appear to have used a folder and a file with that name.

The researchers said the attack could be state-sponsored because of the cost involved.

“This operation might require a large investment and financial backing,” Seculert said in a blogpost.

“It requires people to actually do a massive amount of work” to sift through the data being collected, said Aviv Raff, co-founder of Seculert.

ALSO:

Kadima party breaks from Israeli government coalition

Afghan soldier who fatally shot French troops gets death penalty

London Olympics security contractor called ‘incompetent’ by panel

-- Ken Dilanian

World Now

Ken Dilanian

Ken Dilanian was a reporter in the Los Angeles Times’ Washington, D.C., bureau from April 2010 until May 2014. Before that, he had spent three years at USA Today, where he covered foreign policy and Congress. He worked for a decade at the Philadelphia Inquirer, three of them as a Rome-based foreign correspondent making frequent trips to Iraq. A series he co-wrote on deaths in Philadelphia’s child welfare system won the 2007 Casey Medal for Meritorious Journalism. A Massachusetts native, he is a 1991 graduate of Williams College.

New ‘Mahdi malware’ cyber spy attack on Iran disclosed

These are the California cities where $150,000 still buys you a home. Could you live here?

How the Birkin bag, the ultimate fashion trophy, became criminal currency

Nix the oven? A skinny fridge? Tips on designing a tiny kitchen in your ADU

‘Rivers in the sky’ have drenched California, yet even more extreme rains are possible

Reggie Bush and USC get Heisman Trophy back 14 years after it was forfeited