Cyber spying campaign expands in Iran, says Israeli security firm
Israeli security company Seculert said that it has identified about 150 new victims of the Mahdi Trojan over the past six weeks as the developers of the virus have changed the code to evade detection from anti-virus programs.
Computer server room. Photo by AP
The scope of a cyber espionage campaign targeting Iran and other parts of the Middle East has widened, even after security experts blew the operation's cover last month, according to the research firm that discovered the Mahdi Trojan.
Israeli security company Seculert said that it has identified about 150 new Mahdi victims over the past six weeks as the developers of the virus have changed the code to evade detection from anti-virus programs. That has brought the total number of infections found so far to nearly 1,000, the bulk of them in Iran.
"These guys continue to work," Seculert Chief Technology Officer Aviv Raff said via telephone from the company's headquarters in Israel.
The decision to keep the operation running implies that Mahdi's operators were not particularly worried about getting caught, said Roel Schouwenberg, a senior researcher with Kaspersky Lab, which has collaborated with Seculert in analyzing Mahdi.
Schouwenberg said that some viruses are designed for stealth because they become useless if they are discovered. He pointed to the Stuxnet Trojan that targeted Iran's nuclear program in 2010.
After that custom-built virus was uncovered by a security researcher in Belarus, authorities in Iran discovered it in a uranium enrichment facility that it had targeted.
Mahdi is a "less professional" operation that runs on technology built with widely available software, according to Schouwenberg.
"If the quality of your operation is not that high, then maybe you don't care about being discovered," he said. "But the scary thing is that it can still be effective."
The Mahdi Trojan lets remote attackers steal files from infected PCs and monitor emails as well as instant messages, Seculert and Kaspersky said. It can also record audio, log keystrokes and take screen shots of activity on those computers.
The firms said they believed multiple gigabytes of data have been uploaded from targeted machines.
Targets of Mahdi include critical infrastructure firms, engineering students, financial services firms and government embassies located in five Middle Eastern countries, with the majority of the infections in Iran, according to the two security firms.
The bulk of the new victims were in Iran, which is where most infections have occurred to date, according to Seculert, though a few were identified in the United States and Germany.
The two firms have declined to identify specific victims.
As published online at Haaretz.com, 29 August 2012