Category Archives: Trojan Superbug
Persian-Language Cyber Attacks on Iran Dubbed ‘Muslim Messiah’
An Israeli security firm says an ongoing cyber attack aimed mainly at Iran uses Persian language communications and is named after Mahdi, the “Muslim Messiah.”
Seculert, based in Israel, and Russia’s Kaspersky Lab said on Tuesday that they identified more than 800 victims of the operation, Reuters reported. “The targets include critical infrastructure companies, engineering students, financial services firms and government embassies located in five Middle Eastern countries, with the majority of the infections in Iran,” according to the news service.
The cyber attack malware is believed to have begun approximately eight months ago, and whoever is behind it is “for sure somebody who is fluent in Persian,” said Seculert Chief Technology Officer Aviv Raff.
Seculert and Kaspersky say the Trojan is called “Mahdi,” a word that refers to the ultimate redeemer of Islam, because the cyber attackers used a folder with that name. “In Islamic eschatology, the Mahdi is the prophesied redeemer of Islam who will rule for seven, nine or 19 years before the Day of Judgment and will rid the world of wrongdoing, injustice and tyranny. In Islam Ahmadiyya, the terms ‘Messiah’ and ‘Mahdi,’” according to Wikipedia.
“The Mahdi Trojan lets remote attackers steal files from infected PCs and monitor emails and instant messages,” according to Reuters, which quoted the two companies. “It can also record audio, log keystrokes and take screen shots of activity on those computers.”
It is not certain whether individuals or countries are behind the malicious software, while the Flame virus discovered last year was attributed to a country or countries. Israel and/or the United States have frequently been considered the source.
Seculert said that it was able to track variants of the malware last December. “The malware communicated with the same domain name, but the server was located in Tehran,” the firm stated on its website.
After Kaspersky announced in May it had discovered the Flame virus, Seculert contacted the Russian company.
“We collaborated in the weeks that followed [and] we were able to identify over 800 victims,” the Israeli security firm added. “While we couldn’t find a direct connection between the campaigns, the targeted victims of Mahdi include critical infrastructure companies, financial services and government embassies, which are all located in Iran, Israel and several other Middle Eastern countries.”
Kaspersky explained in a blog post that one of the PowerPoint variants displays “a series of calm, religious themed, serene wilderness, and tropical images, confusing the user into running the payload on their system….
“[W]hile PowerPoint presents users a dialog that the custom animation and activated content may execute a virus, not everyone pays attention to these warnings or takes them seriously, and just clicks through the dialog, running the malicious dropper.”
DEFENSE SECRETARY: CYBERATTACKS HAVE ‘THE POTENTIAL FOR ANOTHER PEARL HARBOR’

Defense Secretary Leon Panetta speaks with a congressional subcommittee on budget cuts Wednesday. (Photo: DOD/Glenn Fawcett)
In pleading with Congress Wednesday against automatic defense budget cuts, Defense Secretary Leon Panetta also warned of another crippling situation like Pearl Harbor. It won’t come in the form of bombers and torpedo planes, though, but as hackers and worms of the cyber variety with the ability to cripple U.S. infrastructure.
CNS News reports Panetta saying that those with the capability to launch a cyberattack would be able to “paralyze” the United States. Sen. Lindsey Graham (R-S.C.) asked Panetta to clarify:
“You said something that just kind of went over everybody’s head, I think, that there’s a Pearl Harbor in the making here. You’re talking about shutting down financial systems, releasing chemicals from chemical plants, releasing water from dams, shutting down power systems that can affect the very survival of the nation. What’s the likelihood in the next five years that one of these major events will occur?”
To this Panetta responded simply by saying that the “technological capability” to send our country into a mode like that of Pearl Harbor in a surprise attack is already available now. Panetta’s references to “the next Pearl Harbor” echo sentiments he shared last year with regard to cyberattacks, according to CNS News.
In June 2011, while being confirmed as Defense Secretary, Panetta said to the panel, “The next Pearl Harbor we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems.”
Continuing to probe on Wednesday, Graham asked about the risk level, which Panetta said was high, especially as the technology develops and the “will” to use it becomes more apparent.
“I’m very concerned that the potential in cyber to be able to cripple our power grid, to be able to cripple our government systems, to be able to cripple our financial system would virtually paralyze this country,” Panetta said. “And, as far as I’m concerned, that represents the potential for another Pearl Harbor as far as the kind of attack that we could be the target of using cyber.”
Those in the United States — both the government and private industry — are already the targets of thousands of attacks per day, according to Panetta. With that, he notes the importance of improving safety of systems in not only the defense sector but the private sector as well.
Earlier this year, the Cyber Intelligence Sharing Protection Act (CISPA) was introduced as proposed legislation that would put in place the infrastructure for private companies to share information with the federal government on the Internet to help prevent electronic attacks from cybercriminals, foreign governments and terrorists. The Cybersecurity Act of 2012, sponsored by Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine) was mentioned as well. At this point, CISPA has been passed with bipartisan support in the House and still awaits a Senate vote. The Cybersecurity Act of 2012 has not yet been voted upon.
CISPA has been met with some backlash, with those against the proposed legislation saying the language is overly broad and that they fear violations of the anti-trust law by the government.
Chairman of the Joint Chiefs of Staff Gen. Martin Dempsey weighed in with his support of CISPA during Wednesday’s hearing but also said the military is looking to develop “rules of engagement” to respond to cyberattacks and threats, according to CNS News.
The Pentagon faces cuts of about $500 billion in projected spending over 10 years on top of the $492 billion that President Barack Obama and congressional Republicans already agreed to in last summer’s deficit-cutting budget.
Dempsey said the cuts would mean fewer troops, the possible cancellation of major weapons and the disruption of operations around the world.
The Associated Press contributed to this report.
United Nations to issue warning against ‘world’s most powerful computer virus’ over fears it could cripple entire countries
- ‘Flame’ bug has been used to hack into Iran computers
- Trojan superbug 100 times bigger than most forms of malicious software
The United Nations is set to issue an urgent warning to guard against the most powerful computer virus ever unleashed amid fears it could be used to bring countries to a standstill.
In what was being seen last night as the dawn of a new era in cyber warfare, UN computer security chief Marco Obiso said: ‘This is the most serious warning we have ever put out.’

He was speaking after it was revealed that a massive superbug had been used to hack into computers in Iran.
Israel did little to dispute claims yesterday that it was behind the clandestine online assault.
The sophisticated spyware – said to be about 100 times the size of most malicious software – also hacked other machines in the Middle East, including Sudan, Saudi Arabia, Lebanon and Egypt, but Iran appeared to be the primary target, according to a Russian Internet security firm.
Mr. Obiso, cyber security coordinator for the UN’s International Telecommunications Union, said the warning will underline the danger the virus represents to the critical infrastructure of member nations.
Dubbed ‘Flame’, the Trojan bug worms its way into computer systems and reportedly turns infected machines into listening devices.
It can activate a computer’s audio system to eavesdrop on Skype calls or office chatter, take screenshots or log keystrokes and even suck information from Bluetooth-enabled phones left nearby.
‘The complexity and functionality of the newly discovered malicious programme exceed those of all other cyber menaces known to date.
‘It pretty much redefines the notion of cyber war and cyber espionage,’ said Moscow-based Kaspersky Lab ZAO.
The company’s conclusion that the superbug was crafted at the behest of a national government fuelled claims that Flame was part of an Israeli-backed campaign of electronic sabotage aimed at archrival Iran.
Iranian President Mahmoud Ahmadinejad, center, visits the Natanz Uranium Enrichment Facility some 200 miles (322 kilometers) south of the capital, Tehran, Iran
And the Israelis didn’t try and deflect blame.
‘Whoever sees the Iranian threat as a significant threat is likely to take various threats, including these, to hobble it,’ said Israel’s Vice Premier Moshe Yaalon when he was asked about the virus.
‘Israel is blessed with high technology and we boast tools that open all sorts of opportunities for us,’ he added.
Alan Woodward, a professor of computing at the University of Surrey, compared the virus to a smartphone. Depending on what espionage you want to carry out, ‘you just add apps.’
He said Flame’s ability to attack Bluetooth-enabled devices left near a computer was ‘very unusual.’
Bluetooth is a short-range wireless communications protocol generally used for wireless headsets, in-car audio systems or file swapping between mobile phones.
THE MOST COMPLEX ‘CYBER WEAPON’ OF ALL TIME – WHAT FLAME DOES
The virus contains about 20 times as much code as Stuxnet, which attacked an Iranian uranium enrichment facility, causing centrifuges to fail.
It has about 100 times as much code as a typical virus designed to steal financial information, Kaspersky Lab said.
Flame can gather data files, remotely change settings on computers, turn on PC microphones to record conversations, take screen shots and log instant messaging chats.
He said there was evidence to suggest the code was commissioned by the same nation or nations that were behind Stuxnet and Duqu, which were built on a common platform.
Professor Woodward said that Flame turns an infected computer into a kind of ‘industrial vacuum cleaner,’ copying data from vulnerable cell phones or other devices left near it.
‘I don’t believe I’ve seen it before,’ he added.
Udi Mokady, the head of Cyber-Ark, an Israeli developer of information security, claimed only four countries – the US, Israel, Russia and China – had the technological know-how to develop so sophisticated an electronic offensive.
‘It’s a live programme that communicates back to its master. It asks, where should I go? What should I do now? It’s really almost like a science fiction movie,’ he said.
The Russians discovered the virus after being asked by the United Nations to find a piece of mystery malware that was wiping out sensitive information across the Middle East.
It is believed to have been coded by the same programmers who hacked into Iran’s nuclear programme six years ago.
Last night, Iran’s National Computer Emergency Response Team posted a security alert saying it believed Flame was responsible for ‘recent incidents of mass data loss.’ It also claimed an antidote had been found.
The discovery of the Flame virus came just days after talks between Iran and six world powers in Baghdad failed to persuade Tehran to freeze uranium enrichment. A new round of talks is expected to take place in Moscow next month.
