New 'Mahdi malware' cyber spy attack on Iran disclosed

WASHINGTON -- Security experts have identified a cyber espionage attack that appears to have chiefly targeted computers in Iran that they say differs from previously discovered malware believed to be part of a covert U.S. and Israeli effort to monitor and delay Tehran’s nuclear development program.

The latest spyware, dubbed Mahdi and written partly in Persian, has affected about 800 companies and individuals in five countries, including Israel and Afghanistan, according to researchers at an Israeli security company, Seculert, and Kaspersky Lab of Russia, who disclosed their findings Tuesday.

The source of the latest attack wasn’t clear, the researchers said, although stolen data apparently went to computer servers in Canada and Tehran.

The spyware hit at least 387 computers in Iran, and 54 in Israel, the researchers said. They refused to identify the targets, but said they included crucial infrastructure companies, engineering students, financial services firms and embassies.

They said Mahdi was far less sophisticated than Flame, a recently discovered piece of malware that reportedly was used to spy on Iranian computers and steal their data. And it is nothing like Stuxnet, a complex cyber attack that the New York Times reported was part of a covert U.S. attempt to sabotage Iran’s nuclear program by destroying centrifuges used to enrich uranium.

“Mahdi is much simple. It’s not anywhere close to Flame and Stuxnet,” Kaspersky researcher Nicolas Brulez said in a telephone interview from Paris.

The researchers said the malware was hidden in a variety of web documents, including a news story on Israeli efforts to spy on Iran. If users opened the documents, the software secretly tracked their every keystroke.

The attackers were able to monitor users’ Internet activity, including passwords, email, social network accounts, and video or Web-based telephone calls. The malware also took screen shots and recorded audio.

The researchers named the malware Mahdi, a term referring to an Islamic messiah, because the attackers appear to have used a folder and a file with that name.

The researchers said the attack could be state-sponsored because of the cost involved.

“This operation might require a large investment and financial backing,” Seculert said in a blogpost.

“It requires people to actually do a massive amount of work” to sift through the data being collected, said Aviv Raff, co-founder of Seculert.

-- Ken Dilanian