This just in: many of you have heard of the Shiite messiah known as the Mahdi. Well it appears He reads Eli Lake. Who’d a thunk it?
Let me explain: an Israeli cybersecurity company, Seculert, discovered a malware program it dubbed Mahdi (Kaspersky calls it Madi), which was infecting computers primarily in Iran, though elsewhere in the Middle East as well, including Israel. Seculert, which traced Mahdi’s activity back to December 2011, brought in Kaspersky Lab (here is its analysis of the malware) once Flame was making the rounds in 2012, and the two firms investigated it jointly. They found no direct coding or technical connection between Mahdi and Flame. But the end result was the same: Mahdi was designed to infiltrate the computers of engineering and financial services firms, academics, and government embassies, in order to steal documents, record keystrokes and audio, and take screenshots of whatever the user was viewing on his or her monitor.
Initial evaluations conclude that Mahdi is nowhere near as sophisticated as Stuxnet or Flame. Kim Zetter speculates in Wired that, besides the obvious suspicion that the source is Israeli, the malware could be Iranian in origin: it has infected computers in Israel, possibly including Bank Hapoalim, which suffered an attack around the time Seculert discovered Mahdi, and some of the strings in the attack code are in Farsi. Less sophisticated coding might also point to Iran, which is not yet regarded as being in the same league as Israel or the U.S. in cyberwarfare capability. And though the command-and-control servers the malware reports to are spread across more than one country, several are located in Iran.
Clearly the authors of this code were not native Hebrew speakers: the text displayed in the PowerPoint decoy files on targeted machines is garbled Hebrew, as if someone had run another language through Google Translate. This might rule out an Israeli origin, unless (there’s always one of these, isn’t there) the Israelis were smart enough to realize that faulty Hebrew would cast suspicion on Iran as the originator of the attack. The English is non-native too; in one place the code uses the word “twinkle” where “blink” was meant.
If the target computers were used by Hebrew speakers, the authors must have figured they didn’t need expert Hebrew to entice owners to open the infected attachments. The messages only needed to be coherent enough to get the target to open the file and let the payload land on the victim’s computer. Apparently they didn’t care what happened after detection, once it became known that the hackers were probably not Israeli.
Dena Shunra did some research on languages in which “twinkle” and “blink” can be synonyms, and she came up with one intriguing possibility: Russian. Of course, that’s too thin a reed on which to hang any serious theory, but Russia and Iran are known to have close technical relations, and a Russian security firm, Kaspersky Lab, did much of the public dissection of Stuxnet (the first sighting was by VirusBlokAda in Belarus). It is possible that the Iranians contracted this sort of project out to a Russian computer lab.
A further tantalizing clue is that some of the files the hackers used were themselves infected with a computer virus. Given that Iran has been repeatedly struck by U.S. and Israeli cyberattacks, this might be evidence of Iranian origin, though virus infections are so common that it could mean anything or nothing.
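The kind of language-artifact triage the last few paragraphs lean on (garbled Hebrew in the decoy, Farsi strings in the code, an odd English word that might betray a Russian speaker) can be done mechanically on a sample before anyone reads a line of disassembly. The script below is an added example written for this post; it is not code from the original post, nor from Seculert or Kaspersky, and the byte blob it runs on is constructed to stand in for a dropped file (the strings are made up, the URL is a reserved example domain, and nothing here comes from a real Mahdi sample). It pulls printable runs out of the bytes in both the UTF-8 and UTF-16LE encodings that Windows binaries and Office decoys carry, tags each string with the Unicode script of its letters, and flags Arabic-script strings that contain the letters only Persian (and Urdu) use.

```python
import re
import unicodedata
from collections import Counter

# Constructed stand-in for a dropped file: ASCII strings, a UTF-8 Farsi
# string, a UTF-16LE Hebrew string (the encoding Windows resources and
# Office decoys usually carry), and a UTF-8 Russian string, separated by
# binary noise. These are NOT bytes from an actual Mahdi sample.
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    + b"twinkle.exe\x00"
    + "\u0645\u0647\u062f\u06cc".encode("utf-8")  # "Mahdi" in Farsi
    + b"\x00\xff"
    + "\u05e9\u05dc\u05d5\u05dd \u05e2\u05d5\u05dc\u05dd".encode("utf-16-le")  # "shalom olam" in Hebrew
    + b"\x00\x00"
    + "\u043c\u0438\u0433\u0430\u0442\u044c".encode("utf-8")  # "migat'" (to blink) in Russian
    + b"\x00"
    + b"http://example.invalid/\x00"
)

# Runs of printable ASCII or well-formed 2- and 3-byte UTF-8 sequences.
UTF8_RUN = re.compile(rb"(?:[\x20-\x7e]|[\xc2-\xdf][\x80-\xbf]|[\xe0-\xef][\x80-\xbf]{2})+")
# Runs of UTF-16LE code units whose high byte is 0x00..0x07, which covers
# Latin, Hebrew, Arabic and Cyrillic; the low byte must be non-zero so the
# run does not swallow NUL padding.
UTF16LE_RUN = re.compile(rb"(?:[\x01-\xff][\x00-\x07]){2,}")

# Letters standard Arabic lacks and Persian (and Urdu) add: peh, cheh, zheh, gaf, Farsi yeh.
PERSIAN_LETTERS = {"\u067e", "\u0686", "\u0698", "\u06af", "\u06cc"}


def extract_strings(blob: bytes, min_len: int = 4) -> list[tuple[str, str]]:
    """Return (encoding, text) pairs for printable runs of at least min_len characters."""
    found = []
    for m in UTF8_RUN.finditer(blob):
        text = m.group().decode("utf-8", errors="ignore")
        if len(text) >= min_len:
            found.append(("utf-8", text))
    for m in UTF16LE_RUN.finditer(blob):
        text = m.group().decode("utf-16-le", errors="ignore")
        if len(text) >= min_len and text.isprintable():
            found.append(("utf-16-le", text))
    return found


def script_of(text: str) -> str:
    """Dominant Unicode script of the letters in text, read off the character names."""
    scripts = Counter(
        unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()
    )
    if not scripts:
        return "NONE"
    script = scripts.most_common(1)[0][0]
    # Farsi is written in Arabic script; only the extra letters tell it apart.
    if script == "ARABIC" and PERSIAN_LETTERS & set(text):
        return "ARABIC (Persian/Urdu letters present)"
    return script


def language_hints(blob: bytes) -> dict[str, list[str]]:
    """Group every extracted string by script so the analyst sees which languages appear."""
    hints: dict[str, list[str]] = {}
    for enc, text in extract_strings(blob):
        hints.setdefault(script_of(text), []).append(f"{enc}: {text}")
    return hints


if __name__ == "__main__":
    for script, strings in language_hints(SAMPLE).items():
        print(script)
        for s in strings:
            print("   ", s)
```

Run against the constructed blob it prints one bucket per script: Latin (the executable name and URL), Hebrew from the UTF-16 decoy text, Arabic script with Persian letters, and Cyrillic. The caveat the post itself raises applies doubly here: strings are the cheapest artifact to plant, so a tally like this tells you which languages the operators let you see. It is a lead for a human analyst, not attribution.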
Another clue that the attack might come from Iran is that the first cybersecurity firm to detect it, Seculert, is Israeli. It’s noteworthy that no such Israeli firm played any public role in investigating Flame or Stuxnet. Most such Israeli companies maintain close contact with Israeli intelligence. I doubt they would get involved in this unless the IDF’s Unit 8200 or Mossad wanted them to do so.
One of the initial elements in the attack is the display of a Daily Beast article by Eli Lake on (what else?) Israel’s use of electronic warfare against Iran. I bet you hadn’t a clue how he was going to figure in this, did you? Personally, I think it befits his journalistic reputation as a cyber-cypher for Israeli intelligence. If Iranian interests generated this malware, then the joke’s on Lake, as they might have deliberately chosen to ridicule him as the pro-Israel stooge that he is (here Lake publishes a feeble attempt at wit on finding out that his work is a critical part of the malware). The other possibility, if the Iranians wrote this code, is that they were seeking to entice Israelis to open and download it, and a story by Lake about Israel’s prowess at penetrating Iran’s computer defenses would surely pique the interest of the Israeli targets. There’s also a delicious irony (at least for Iranians) in using an article like this to penetrate Israel’s computer defenses.
As for the Farsi contained in the code, if it wasn’t created by Iran, then Israeli intelligence could certainly have exploited either MEK dissidents or Iranian-Israelis fluent in the language to introduce it.