Targets of Mahdi include critical infrastructure firms, engineering students, financial services firms and government embassies located in five Middle Eastern countries, with the majority of the infections in Iran, according to the two security firms. – File photo
Targets of Mahdi include critical infrastructure firms, engineering students, financial services firms and government embassies located in five Middle Eastern countries, with the majority of the infections in Iran, according to the two security firms. – File photo

BOSTON: The scope of a cyber espionage campaign targeting Iran and other parts of the Middle East has widened, even after security experts blew the operation’s cover last month, according to the research firm that discovered the Mahdi Trojan.

Israeli security company Seculert said that it has identified about 150 new Mahdi victims over the past six weeks as the developers of the virus have changed the code to evade detection from anti-virus programs. That has brought the total number of infections found so far to nearly 1,000, the bulk of them in Iran.

“These guys continue to work,” Seculert Chief Technology Officer Aviv Raff said via telephone from the company’s headquarters in Israel.

The decision to keep the operation running implies that Mahdi’s operators were not particularly worried about getting caught, said Roel Schouwenberg, a senior researcher with Kaspersky Lab, which has collaborated with Seculert in analysing Mahdi.

Schouwenberg said that some viruses are designed for stealth because they become useless if they are discovered. He pointed to the Stuxnet Trojan that targeted Iran’s nuclear program in 2010. After that customer-built virus was uncovered by a security researcher in Belarus, authorities in Iran discovered it in a uranium enrichment facility that it had targeted.

Mahdi is a “less professional” operation that runs on technology built with widely available software, according to Schouwenberg.

“If the quality of your operation is not that high, then maybe you don’t care about being discovered,” he said. “But the scary thing is that it can still be effective.”

The Mahdi Trojan lets remote attackers steal files from infected PCs and monitor emails as well as instant messages, Seculert and Kaspersky said. It can also record audio, log keystrokes and take screen shots of activity on those computers.

The firms said they believed multiple gigabytes of data have been uploaded from targeted machines.

Targets of Mahdi include critical infrastructure firms, engineering students, financial services firms and government embassies located in five Middle Eastern countries, with the majority of the infections in Iran, according to the two security firms.

The bulk of the new victims were in Iran, which is where most infections have occurred to date, according to Seculert, though a few were identified in the United States and Germany.

The two firms have declined to identify specific victims.

Raff said that he suspects the campaign is being run by hacker activists, or “hactivists,” who are either funded by a government or provide information they collect to a nation for ideological reasons. He declined to say which country might be involved.

Seculert and Kaspersky dubbed the campaign Mahdi after a term referring to the prophesied redeemer of Islam because evidence suggests the attackers used a folder with that name as they developed the software to run the project.

They also included a text file named mahdi.txt in the malicious software that infected target computers.

Opinion

Editorial

Judiciary’s SOS
Updated 28 Mar, 2024

Judiciary’s SOS

The ball is now in CJP Isa’s court, and he will feel pressure to take action.
Data protection
28 Mar, 2024

Data protection

WHAT do we want? Data protection laws. When do we want them? Immediately. Without delay, if we are to prevent ...
Selling humans
28 Mar, 2024

Selling humans

HUMAN traders feed off economic distress; they peddle promises of a better life to the impoverished who, mired in...
New terror wave
Updated 27 Mar, 2024

New terror wave

The time has come for decisive government action against militancy.
Development costs
27 Mar, 2024

Development costs

A HEFTY escalation of 30pc in the cost of ongoing federal development schemes is one of the many decisions where the...
Aitchison controversy
Updated 27 Mar, 2024

Aitchison controversy

It is hoped that higher authorities realise that politics and nepotism have no place in schools.