By Jim Finkle, Reuters
BOSTON — The scope of a cyber espionage campaign targeting Iran and other parts of the Middle East has widened, even after security experts blew the operation’s cover last month, according to the research firm that discovered the Mahdi Trojan. Israeli security company Seculert said it had identified about 150 new victims over the past six weeks as developers of the Mahdi virus had changed the code to evade detection by anti-virus programs. That has brought the total number of infections found so far to nearly 1,000, the bulk of them in Iran.
“These guys continue to work,” Seculert Chief Technology Officer Aviv Raff said via telephone from the company’s headquarters in Israel. The decision to keep the operation running implies that Mahdi’s operators were not particularly worried about getting caught, said Roel Schouwenberg, a senior researcher with Kaspersky Lab, which has collaborated with Seculert to analyze Mahdi.
Schouwenberg said some viruses are designed for stealth because they become useless if they are discovered. He pointed to the Stuxnet Trojan that targeted Iran’s nuclear program in 2010. After that customer-built virus was uncovered by a security researcher in Belarus, authorities in Iran discovered it in a uranium enrichment facility that it had targeted. Mahdi is a “less professional” operation that runs on technology built with widely available software, according to Schouwenberg.
“If the quality of your operation is not that high, then maybe you don’t care about being discovered,” he said. “But the scary thing is that it can still be effective.” The Mahdi Trojan allows remote attackers to steal files from infected PCs, and monitor emails and instant messages, Seculert and Kaspersky said. It can also record audio, log keystrokes and take screen shots of activity on those computers.
The firms said they believed multiple gigabytes of data have been uploaded from targeted machines. Targets of Mahdi include critical infrastructure firms, engineering students, financial services firms and government embassies located in five Middle Eastern countries, with the majority of the infections in Iran, according to the two security firms.
The bulk of the new victims were also in Iran, according to Seculert, though a few were identified in the United States and Germany.
The two firms have declined to identify specific victims. Seculert’s Raff said he suspected the campaign was being run by hacker activists, or “hactivists,” who were either funded by a government or who provide information they collect to a nation for ideological reasons. He declined to say which country might be involved. Seculert and Kaspersky dubbed the campaign Mahdi after a term referring to the prophesied redeemer of Islam because evidence suggests the attackers used a folder with that name as they developed the software to run the project. They also included a text file named mahdi.txt in the malicious software that infected target computers.