The focus on Israel will heighten concerns over the security of highly classified government projects in the Middle East. Photograph: Baron Wolman/Getty Images
Nearly two thirds of the government officials, lobbyists and other victims of the cyber espionage campaign dubbed Madi were based in Israel, security experts have discovered.
An investigation by the security firm Symantec, published on Wednesday, showed 62% of the approximately 800 victims of the snooping were based in Israel.
It is not yet known whether the sustained attack was state-sponsored, but the focus on Israel will heighten concerns over the security of highly classified government projects in the Middle East.
The researchers also said a foreign consulate, various government agencies and a US-based thinktank were among those targeted by the eight-month spying campaign, which was revealed for the first time on Tuesday.
The cyber espionage, which has been termed Madi by researchers, began in December 2011 and was co-ordinated by a group of Farsi-speaking hackers, according to the security firms Kaspersky Lab and Seculert.
Experts have not found any evidence the attack is state-sponsored and little is known about the perpetrators.
On Wednesday those behind the attack were described by researchers as having "a broad agenda" of targeting critical infrastructure in the Middle East.
The attackers' servers were reported to be based in Canada as of January this year. Symantec said on Wednesday that its researchers had detected a further "command and control" centre in Azerbaijan. It is not known whether the Madi cyber snooping is ongoing.
The attack works by sending a virus-infected email to its selected targets, who usually work for oil, gas and other critical infrastructure firms in Israel and neighbouring countries.
Once the victims have downloaded an innocent-looking attachment from the emails, their computer becomes infected with spying software which can record audio, log keystrokes and take screenshots before sending that information back to the attackers. Researchers estimate that hundreds of gigabytes of data, equating to thousands of documents or dozens of software applications, have been secretly stolen by the Madi attackers.
"Targets of the Madi campaign appear to be all over the spectrum but include oil companies, US-based thinktanks, a foreign consulate, as well as various governmental agencies, including some in the energy sector," the research firm Symantec said in a blogpost.
It added: "Targets like Iran, Israel, and Saudi Arabia might suggest involvement of a nation state, however our research has not found evidence that this is the case. Instead, the current research indicates these attacks are being conducted by an unknown Farsi-speaking hacker with a broad agenda."
Re: Two thirds of Madi cyber espionage targets based in Israel
July 21, 2012, 1:42 PM
Ah welcome to the land of smoke and shadows... Wired seems to be claiming the exact opposite of the Guardian in terms of who the target seems to have been...
Mahdi, the Messiah, Found Infecting Systems in Iran, Israel
By Kim Zetter, July 17, 2012 9:00 am
Who knew that when the Messiah arrived to herald the Day of Judgment he’d first root through computers to steal documents and record conversations?
That’s what Mahdi, a new piece of spyware found targeting more than 800 victims in Iran and elsewhere in the Middle East, has been doing since last December, according to Russia-based Kaspersky Lab and Seculert, an Israeli security firm that discovered the malware.
Mahdi, which is named after files used in the malware, refers to the Muslim messiah who, it’s prophesied, will arrive before the end of time to cleanse the world of wrongdoing and bestow peace and justice before Judgment Day. But this recently discovered Mahdi is only interested in one kind of cleansing – vacuuming up PDFs, Excel files and Word documents from victim machines.
The malware, which is not sophisticated, according to Costin Raiu, senior security researcher at Kaspersky Lab, can be updated remotely from command-and-control servers to add various modules designed to steal documents, monitor keystrokes, take screenshots of e-mail communications and record audio.
While researchers have found no particular pattern to the infections, victims have included critical infrastructure engineering firms, financial service companies, and government agencies and embassies. Of the 800 targets discovered so far, 387 have been in Iran, 54 in Israel and the rest in other countries in the Middle East. Gigabytes of data were stolen over the last eight months.
According to Aviv Raff, CTO of Seculert, his lab received the first sign of the malware last February in the form of a spear-phishing e-mail with a Microsoft Word attachment. The document, once opened, contained a November 2011 article from the online news site The Daily Beast discussing Israel’s plan to use electronic weapons to take out Iran’s electric grid, internet, cellphone network, and emergency frequencies during an airstrike against Iran’s nuclear facilities.
If users clicked on the document, an executable launched on their machine that dropped backdoor services, which contacted a command-and-control server to receive instructions and other components. Researchers have discovered other variants that used malicious PDF and PowerPoint attachments, some of them containing images with various religious themes or tropical locations, that use simple social engineering techniques to confuse users into allowing the malware to load onto their machines.
One of the serene images that appears in a malicious PowerPoint file sent to victims. Courtesy of Kaspersky Lab
As Kaspersky Lab explains in a blog post, one of the PowerPoint variants displays “a series of calm, religious themed, serene wilderness, and tropical images, confusing the user into running the payload on their system” by confusing them into ignoring virus warnings that might appear on their screen.
“[W]hile PowerPoint presents users a dialog that the custom animation and activated content may execute a virus, not everyone pays attention to these warnings or takes them seriously, and just clicks through the dialog, running the malicious dropper,” Kaspersky writes.
While another image asks users to click the file, a dropper loads to their machine. Although a virus warning displays onscreen, users are tricked into clicking through it because the slideshow has already primed them to click through the slides.
According to Kaspersky, the backdoors that infected machines were all coded in Delphi. “This would be expected from more amateur programmers, or developers in a rushed project,” they write in their blog post.
The earliest variant found so far infected machines in December 2011, but a compilation date on some of the files indicates the malware may have been written before last September.
The malware communicates with at least five servers – one in Tehran, and four in Canada, all hosted in different locations. Researchers at Kaspersky Lab created a sinkhole to divert traffic from some of the infected machines, but at least one server is still up and running, meaning the spy mission is still active.
Seculert contacted Kaspersky about Mahdi last month after researchers in its lab discovered Flame, a massive, highly sophisticated piece of malware that infected systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation. Flame is also a modular malware that allows its attackers to steal documents, take screenshots and record audio of Skype conversations or communications conducted in the vicinity of an infected machine.
Raff says his team in Israel reached out to Kaspersky because they thought there might be a connection between the two pieces of malware. But researchers have found no parallels between Mahdi and Flame. Raff notes, though, that “the guys behind them may be different, but they do have very similar purposes,” which is to spy on targets.
Recently, U.S. government sources told the Washington Post that Flame is the product of a joint operation between the United States and Israel.
Raff says it’s not clear if Mahdi is the product of a nation-state, but notes that the researchers found strings of Farsi in some of the communication between the malware and command-and-control servers, as well as dates written in the format of the Persian calendar.
“This is something we didn’t see before, so we thought it was interesting,” he says. “We are looking at a campaign that is using attackers who are fluent in Farsi.”
The infections in Iran and Israel, along with the Farsi strings, suggest the malware may be the product of Iran, used to spy primarily on domestic targets but also on targets in Israel and a handful of surrounding countries. But the malware could also be a product of Israel or another country that’s simply been salted with Farsi strings in order to point the finger at Tehran.
UPDATE 10:30am PST: A news story from an Israeli tech site back in February appears to refer to a Mahdi infection at Bank Hapoalim, one of Israel’s top banks. According to the story (which is in Hebrew), the attack came via a spear-phishing email that included a PowerPoint presentation and was sent to several bank employees. The malware includes a file called officeupdate.exe and tries to contact a remote server in Canada via a server in Iran.
Although the article does not directly identify the malware as Mahdi, it has multiple characteristics that match Mahdi, and it struck Bank Hapoalim around the same time that Seculert says it discovered Mahdi.
UPDATE 2:30pm PST: A reader has pointed out that the Hebrew in the PowerPoint slides above is incorrect and awkwardly phrased in several places and suggests that the author of the slides is not a native-Hebrew speaker.