Information Warfare: The Mahdi Mystery
August 2, 2012: Since mid-June someone has been conducting Internet-based attacks against specific civilian, military, and government officials in Iran and other Middle Eastern countries. The attack delivers a covert software program that monitors the PCs it gets into, passing back keyboard activity, video and audio recordings (of activity around the infected PC), and documents. This bit of "malware" is being called Mahdi, and examination of it seems to indicate that it comes from Iran. This is interesting, because about half the infected computers are in Iran, but seven percent are in Israel and just about every nation in the region has a few infected computers (according to computer security firms). So far, fewer than a thousand PCs appear to have been infected.

This kind of attack is usually carried out in the form of an official-looking email, with a file attached, sent to specific individuals at business, academic, military, or government organizations. It is usually an email they weren't expecting. This is known in the trade as "spear fishing" (or "spear phishing"), a Cyber War technique that sends official-looking email to specific individuals with an attachment which, if opened, secretly installs a program that sends data from the recipient's PC to the spear fisher's computer. In the last few years an increasing number of military, corporate, and government personnel have received these official-looking emails with a PDF document attached and a request for prompt attention. Mahdi used a number of different deceptive file types to deliver its malware.

By early July it was believed that Mahdi was dead, especially for those with anti-virus software, since the security firms knew what Mahdi looked like and its control servers in Iran had been shut down. But by late July another version of Mahdi was detected, with several improvements.

Examination of the viruses and related bits of computer code indicates that most of this stuff was created by Farsi-speaking (Iranian) programmers, and all movement of commands and stolen data led back to servers in Iran. This, however, could have been part of a deception to hide the real source of Mahdi, as the main target appears to have been Iran.