Information Warfare: The Mahdi Mystery


August 2, 2012: Since mid-June someone has been conducting Internet-based attacks against specific civilian, military, and government officials in Iran and other Middle Eastern countries. The attack installs a hidden program that monitors the PCs it gets into, passing back keyboard activity, video and audio recordings (activity around the infected PC), and documents. This piece of malware is being called Mahdi, and examination of it seems to indicate that it comes from Iran. This is interesting, because about half the infected computers are in Iran, seven percent are in Israel, and just about every nation in the region has a few infected machines (according to computer security firms). So far, fewer than a thousand PCs appear to have been infected.

This kind of attack is usually carried out with official-looking email, with a file attached, sent to specific individuals at business, academic, military, or government organizations. It is usually an email they weren't expecting. This is known in the trade as "spear phishing" (sometimes misspelled "spear fishing"): a Cyber War technique that sends official-looking email to selected individuals with an attachment which, if opened, secretly installs a program that sends data from the recipient's PC back to the attacker's computer. In the last few years an increasing number of military, corporate, and government personnel have received these official-looking emails, typically with a PDF document attached and asking for prompt attention. Mahdi used a number of different deceptive file types to deliver its malware.
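As an added illustration (not code from the original article, and not anything the article attributes to Mahdi), here is the kind of attachment-screening routine a mail gateway or an analyst would run against lures like those described above. It checks for the common ways an attachment is made to look like a harmless document: a declared extension that does not match the file's real leading bytes, a double extension such as `.pdf.exe`, and a right-to-left-override character in the filename that hides the true extension. The magic-byte table, extension lists and sample attachments are constructed for this example.

```python
# Added example: screen e-mail attachments for the disguises used in spear-phishing lures.
# The magic-byte table, extension lists and SAMPLE_ATTACHMENTS below are constructed
# for illustration; they are not derived from the Mahdi samples discussed in the article.

# (leading bytes, real type) -- a small, deliberately incomplete table
MAGIC = [
    (b"%PDF", "pdf"),
    (b"MZ", "exe"),                                  # Windows PE: .exe, .scr, .dll ...
    (b"PK\x03\x04", "zip"),                          # also .docx/.pptx/.xlsx containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc/.ppt/.xls
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
]

# What a document-style extension should look like on disk.
EXPECTED = {"pdf": "pdf", "docx": "zip", "pptx": "zip", "xlsx": "zip",
            "doc": "ole", "ppt": "ole", "xls": "ole",
            "jpg": "jpg", "jpeg": "jpg", "png": "png"}
DOCUMENT_EXTS = set(EXPECTED) | {"txt"}
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
RLO = "\u202e"  # Unicode right-to-left override; "x\u202efdp.scr" displays as "xrcs.pdf"


def sniff_type(data):
    """Return the real type implied by the file's leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def declared_extensions(name):
    """All dotted extensions, lower-cased: 'Invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def inspect_attachment(name, data):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    exts = declared_extensions(name)
    last = exts[-1] if exts else ""

    if RLO in name:
        findings.append("filename contains U+202E right-to-left override")
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        findings.append(f"double extension: looks like .{exts[-2]} but is .{exts[-1]}")
    if last in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{last}")

    real = sniff_type(data)
    expected = EXPECTED.get(last)
    if real == "exe" and last not in EXECUTABLE_EXTS:
        findings.append(f"content is a Windows executable but name claims .{last or '(none)'}")
    elif expected and real != "unknown" and real != expected:
        findings.append(f"content looks like {real} but name claims .{last}")
    return findings


# Constructed sample attachments: (filename, first bytes of content).
SAMPLE_ATTACHMENTS = [
    ("Quarterly_Report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),   # genuine PDF
    ("Invoice.pdf.exe", b"MZ\x90\x00\x03\x00"),                   # double extension
    ("photo.jpg", b"MZ\x90\x00\x03\x00"),                         # executable renamed
    ("report" + RLO + "fdp.scr", b"MZ\x90\x00"),                  # displays as report...rcs.pdf
    ("notes.docx", b"%PDF-1.4\n"),                                # mislabelled document
]


def triage(attachments=SAMPLE_ATTACHMENTS):
    """Map each filename to its findings; only flagged attachments are included."""
    return {name: f for name, data in attachments if (f := inspect_attachment(name, data))}


if __name__ == "__main__":
    for name, findings in triage().items():
        print(repr(name))
        for f in findings:
            print("   -", f)
```

Magic-byte sniffing only tells you what the file *is*, not whether it is malicious: a genuine PDF or Office document can still carry an exploit, so this check is a cheap first filter in front of sandboxing or signature scanning, not a replacement for them.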

By early July Mahdi was believed to be dead, at least for users with up-to-date anti-virus software, since the security firms had signatures for it and its control servers in Iran had been shut down. But by late July another version of Mahdi was detected, with several improvements.

Examination of the malware and related bits of computer code indicates that most of it was created by Farsi (Persian, the language of Iran) speaking programmers, and all command traffic and stolen data led back to servers in Iran. This, however, could have been part of a deception to hide the real source of Mahdi, as the main target appears to have been Iran.
