Targeting Iran? The Mahdi malware mystery


By Randolph Bell, Managing Director, IISS-US

Over the past few weeks, Kaspersky Labs, a Russian cyber-security firm, has been releasing information on yet another in a string of cyber attacks aimed primarily at Iran. Unlike most similar stories, however, the so-called ‘Mahdi’ attack is about as simple as the fake Viagra ads in your spam folder.

Previous cyber attacks on Iran, including Stuxnet, Duqu and Flame, used remarkably sophisticated programming techniques to infiltrate Iranian networks. Mahdi, on the other hand, takes advantage of the gullibility of computer users through several so-called ‘social engineering’ techniques, in which users inadvertently download malware to their machines by opening one of several innocuous-looking email attachments.

One example discussed by Kaspersky, called Magic_Machine1123.pps, ‘delivers the embedded executable within a confusing maths puzzle PowerPoint slideshow where the amount of maths instructions may overwhelm a viewer’. Despite a warning from PowerPoint that the content the user has opened may execute a virus, not all users are conscious of these warnings or take them seriously, and continue to click through, running the malicious program.

Once downloaded, the Mahdi malware performs similar functions to Flame: stealing files, logging keystrokes, monitoring emails, and taking screen grabs. Its targets have included critical infrastructure providers, engineering students, government agencies, and financial institutions. (Both Mahdi and Flame differ from Flame’s cousin Stuxnet, which was designed specifically to cause damage to Iranian centrifuges.)

While most of the approximately 800 infected computers are in Iran, the malware has also affected individuals in Israel, Afghanistan, the United Arab Emirates, and Saudi Arabia.

The Stuxnet attacks were ultimately attributed to the US and Israeli governments after US officials leaked information to reporter David Sanger. (Kaspersky links Flame and Duqu to the same developers as Stuxnet, but there has been no formal acknowledgement of this by any government.) Before attribution of Stuxnet was conclusive, however, most analysts agreed that the sophistication of the malware pointed to a state-sponsored attack.

Attribution with Mahdi is more complicated, ironically because it is simpler.

A criminal organisation, a well-financed political opposition group, or a state with a far less sophisticated cyber warfare programme than that of the US and Israel could have developed it. Furthermore, the targets of the attack, which include individuals and academics, do not lend themselves to easy conjecture about the attackers or their motivations. Finally, Symantec, a US cyber-security firm, reported that the majority of the virus’s victims were located in Israel, not Iran, complicating attribution further. How can one know who the attacker is if we cannot even agree on who has been attacked? Kaspersky, however, has done additional analysis that contradicts Symantec, reporting last week that 84% of attacks occurred within Iran, closing the case for now.

The success of Mahdi does tell us something about the online sophistication of the victims. The social engineering used by Mahdi seems laughably simple to long-time Internet users. Didn’t we see this same scam in our AOL accounts in 1996? (Social engineering is still successful, but attackers have developed more subtle techniques.) The success the attackers have achieved at infecting non-random targets in seemingly high levels of Iranian business and government indicates a lack of awareness of the potential for and history of cyber attacks among otherwise sophisticated individuals. In short, perhaps Iranians are less alert to, or suspicious about, everyday computer viruses?

This information, combined with the fact that Mahdi is one of the first pieces of malware to use Farsi in communications from the command server to the infected computer, does start to shed some light on the attacker. Whoever created Mahdi has a good deal of local information, and has exploited that, rather than advanced computer science, to reach their goals.

