BOSTON, July 17 - Security experts have uncovered an ongoing cyber espionage campaign targeting Iran and other Middle Eastern countries that they say stands out because it is the first such operation using communications tools written in Persian.
Israeli security company Seculert and Russia's Kaspersky Lab said on Tuesday that they identified more than 800 victims of the operation. The targets include critical infrastructure companies, engineering students, financial services firms and government embassies located in five Middle Eastern countries, with the majority of the infections in Iran.
Seculert and Kaspersky declined to identify specific targets of the campaign, which they believe began at least eight months ago. They said they did not know who was behind the attacks or if it was a nation state.
"It's for sure somebody who is fluent in Persian, but we don't know the origin of those guys," said Seculert Chief Technology Officer Aviv Raff.
The Mahdi Trojan lets remote attackers steal files from infected PCs and monitor emails and instant messages, Seculert and Kaspersky said. It can also record audio, log keystrokes and take screen shots of activity on those computers.
The firms said they believed multiple gigabytes of data have been uploaded from targeted machines.
"Somebody is trying to build a dossier of a larger scale on something," Raff said. "We don't know what they are going to do at the end."
Researchers have previously said that nation states were almost certainly behind the Flame virus, which was discovered earlier this year, and Duqu, which was uncovered in 2011.
Seculert and Kaspersky dubbed the campaign Mahdi, a term referring to the prophesied redeemer of Islam, because evidence suggests the attackers used a folder with that name as they developed the software to run the project.
They also included a text file named mahdi.txt in the malicious software that infected target computers.
