July 19th, 2012
02:43 AM ET

Cyberspy program targets victims in Iran, Israel, companies say

By Ben Brumfield

A computer virus campaign has for months been selectively spying on people involved in government and in strategically important industries principally in Iran - but also in Israel and other countries in the Middle East, according to two cybersecurity companies, which cooperated to track the campaign.

The virus, a Trojan horse with an "amateurish" design, contains lines of Farsi, or Persian, the main language spoken in Iran, Seculert and Kaspersky Lab said in news releases Tuesday. It communicates with "command and control" servers, which also contain code in Farsi and dates from the Persian calendar, they said.

"The attackers were no doubt fluent in this language," said Aviv Raff, Seculert's chief technology officer.

The malware has a component named after the Shiite messiah "Mahdi," and an earlier version of the malware once sent data plundered from victims' computers back to a server in Tehran.


But neither cybersecurity company has pointed a finger at any government.

"It is still unclear whether this is a state-sponsored attack or not," according to Seculert, which is headquartered in Israel. The malware has worked with four different "command and control" servers for over eight months, including one in Canada, the company said.

The partners have "identified more than 800 victims, primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East," according to Moscow-based Kaspersky Lab.

For the Mahdi component, Seculert said on its blog, there were 387 victims in Iran, 54 in Israel and lesser numbers in other countries.

The espionage campaign is still active, it said.

Seculert first discovered the virus in a suspicious e-mail with a fake Word document attached. Clicking on the file launched a "malware dropper," which started the viral infection.

At the same time - to fool the user into thinking the malicious file was legitimate - it opened a real document called mahdi.txt. "The content of the document was an article discussing Israel vs. Iran electronic warfare," according to Seculert.

The virus and the technology used to run the campaign are nothing fancy, but they have worked well enough to steal "multiple gigabytes of data" from "high-profile victims," according to Kaspersky.

Efforts to reach Iranian authorities for comment have been unsuccessful.

Filed under: Cybersecurity • Iran • Israel • Middle East
soundoff (16 Responses)
  1. Tempramental

    I simply wanted to thank you one more time for that amazing web-site you have developed here. It's full of useful tips for those who are truly interested in this specific subject, primarily this very post. You really are all absolutely sweet along with thoughtful of others and reading the blog posts is an excellent delight with me. And that of a generous surprise! Jeff and I usually have fun making use of your tips in what we should do in a few days. Our checklist is a mile long and tips will definitely be put to beneficial use.

    September 10, 2012 at 3:25 am | Reply
  2. crying syria

    Not that I agree what Assad's family of their humiliation to the majority of its Sunni Muslim population. What I don’t agree of why now to defragment Syria when Israel is at the spot in confronting Iran after it defeating all the Arab nations in any way you could imagine. A Humiliation would become a determination to strike back at any cost.

    July 19, 2012 at 11:15 pm | Reply
  3. Lyndsie Graham

    A lot of people are going to suffer because of all the cyber wars started by those idiots in Washington D.C. The politicians who thought it up need to be arrested and prosecuted to the fullest extent of the law!!!!!

    July 19, 2012 at 10:11 pm | Reply
  4. saeed

    What can I say, Israel knows that the Bushehr nuclear plant will be operating at 100% capacity in August, so Iran will have something that Israel doesn't, and another great news: Russia has started to build its moon rocket, it will do lunar landing in 2018, so so sorry, game over USA and Britain.

    July 19, 2012 at 1:09 pm | Reply
    • George Patton

      Let's all hope that you're right, saeed. I'm so sick and tired of seeing the U.S., Great Britain and France having things going their way at all times!!!

      July 19, 2012 at 2:38 pm | Reply
    • saeedTheTowelHead

      Baaaaaaaaaaaah, Baaaaaaaaaaaaaaaah, Baaaaaaaaaaaaaaaah, Daaaaaaaaaaaaaaaaaaddy?

      July 19, 2012 at 5:46 pm | Reply
  5. George Patton

    Now we see just where our hard-earned tax money goes! If those idiots in Washington would spend at least half of that money on Alzheimer's research, they might even come up with a cure. Unfortunately, the Washington bureaucrats couldn't possibly care less!!!

    July 19, 2012 at 10:30 am | Reply
    • crying syria

      The U.S. people have to live with that. Hey! Good life is for the fittest. The U.S. people would rather be envied than envy others. hahahahaa

      July 19, 2012 at 11:25 pm | Reply
  6. michaelfury


    July 19, 2012 at 7:30 am | Reply
  7. Cyrus


    Israel is going to whine about being HACKED ?!??

    July 19, 2012 at 3:07 am | Reply
    • Thinker23

      Really. Contrary to your beliefs Israelis are not superhumans and are vulnerable to bombs and hackers.

      July 19, 2012 at 5:34 am | Reply
      • Cyrus

        Their Flame virus seemed pretty superhuman....

        And their ghost-like ability to kill civilians....

        July 19, 2012 at 7:36 am |
    • KingDavid

      Israel isn't going to whine about being HACKED ?!??

      July 19, 2012 at 6:32 am | Reply
      • crying syria

        Face the facts. The Jews have every right to come back to their birth land. And they did so with a style after being humiliated for centuries. They never lost their own belief even when the whole world turned against them.

        July 19, 2012 at 11:37 pm |
