On 17 July 2012, researchers at Kaspersky Labs and Seculert identified over 800 victims of a new cyber espionage campaign dubbed “Mahdi”. As I researched the information that was presented, I began to wonder if this was actually evidence of an Iranian sponsored or sanctioned cyber espionage event. I know, it’s an “out there” theory but when one considers how seriously the Iranian regime takes state security it's not that far-fetched. Besides, it’s not like we've seen anything fishy surrounding a certain digital certificate authorities, an ideological hacker and Iran within the last year. In the case of Mahdi, perhaps what we are witnessing is the Iranian people and their regional neighbors as the victims and the Iranian regime as the true perpetrator or sponsor of Mahdi as well as the ultimate benefactor of the accesses and stolen information.
The Iranian government has demonstrated it's willingness to domestically monitor it's citizens. Recent reports have highlighted that in December of 2010, China’s ZTE Corp had sold sophisticated surveillance technology to the Telecommunication Co of Iran (TCI). This technology is powerful enough to locate users, intercept voice, text messages, email, chat and web sessions throughout the entire country of Iran. TCI is partially owned by the Iranian government and reportedly tied to the Islamic Revolutionary Guards Corps. In March of 2012, Ayatollah Khamenei decreed the establishment of a Supreme Council of Virtual Space, which includes the Iranian president, the information and culture ministers, police and Revolutionary Guard. According to state television, the Supreme Council of Virtual Space would establish a national center to define policy, coordinate and make decisions regarding virtual space. The Iranian regime is well aware of the Internet and the threat it poses to internal security, this is why it is crucial they adopt technologies that allow for them to collect and control information. Thus maintaining the status quo.
Kaspersky and Seculert did a great job introducing Mahdi, so we thought we would enrich some of their technical analysis and suggest a few possible theories as to who may be responsible and also provide some geopolitical context as to what may be occurring.
If we visit the Kaspersky Mahdi blog posting you will note following:
All known compromised systems are known to communicate over HTTP with one of several web servers, such as: 174.142.57.* (3 servers) and 67.205.106.* (one server).
The 174.142.57.* Mahdi Infrastructure:
Based on our analysis, Cyber Squared found the same three servers Kaspersky alluded to within an Azerbaijani netrange. However, all three addresses fall within a very small netblock 174.142.57[.]24/29. This could possibly implicate other IP addresses within the netblock as well.
The consistent use of Azerbaijani networks as command and control nodes could be quite telling in the case of the Mahdi. Iranian and Azerbaijani relations have grown considerably colder in 2012. In January 2012, Azerbaijan security forces thwarted an attack on a Jewish school and linked the planned terror attack to Iran. Recently leaked details suggest that Azerbaijan has demonstrated a willingness to provide the U.S. and Israel access to airbases in support of a possible Iranian contingency. Most noteworthy, earlier this year Ali Abbasov, the Azerbaijani Minister of Communications and Information Technology, accused Iran of conducting cyber attacks against Azerbaijani government and news websites. Let's elaborate on a few additional findings:
- 174.142.57[.]27 was previously resolving to www[.]hatman[.]in a malicious Mahdi domain.
- 174.142.57[.]28 is statically embedded within the following Mahdi malware sample (MD5 1f14f6806757abf5cb357472f68cfd2c).
- 174.142.57[.]29 is statically embedded within two Dr. Web submissions here and here, also implicating it as part of the Mahdi infrastructure.
The 65.205.106.* Mahdi Infrastructure:
The Mahdi blog authors also mention that there is only one server within the 67.205.106/24 netrange but Cyber Squared identified that there are actually at least three confirmed Mahdi IP addresses, along with an unconfirmed, yet suspicious fourth:
All of the following IP addresses also fall within an Azerbaijani network:
- 67.205.106[.]66: An Azerbaijani IP address that recently resolved to the Mahdi domain manageweb[.]in prior to being sinkholed. It has previously been identified within JSUNPACK as malicious. Note the “/ALSK/khaki/Abi/UUUU.htm” path, which was also seen within the original Mahdi GET request example from the Seculert blog.
- 67.205.106[.]67: An Azerbaijani IP address that has been identified as being Mahdi infrastructure within JSUNPACK. The IP address is also currently hosting the domain mortaldl[.]com. The website for mortaldl[.]com has also been previously compromised by the DataIran Crew.
It is possible that the mortaldl[.]com is either maintained or used by the Iranian m0rtalkombat[.]com “Underground Security Team” which also maintains mortalkombat[.]ir and dl4hack[.]com. It is unclear if this group is related to the Mahdi attack but it's suspicious that an Iranian based hacker group just happens to have one of their websites hosted on the same IP address used in the Mahdi attacks. Perhaps this was by design, by motivating a semi-public, Iranian hacker group, either ideologically or financially, to conduct a targeted collection effort could allow for the Iranian government to dismiss or redirect claims of involvement to a handful of hackers operating independently.
- 67.205.106[.]68: An Azerbaijani IP address that had previously resolved to www.majakil[.]in before being sinkholed by security researchers as seen below.
- 67.205.106[.]194: An Azerbaijani IP address also considered suspicious at the moment, it resolves to the Iranian domains ns203.parsdev[.]net and ns204.parsdev[.]net. The parsdev[.]net, domains are configured to use “orderbox-dns[.]com” name servers in a similar manner as the Mahdi domains were origionally configured.
Who is Afson?
One of the key elements that tie the Mahdi infrastructure together is the “afs0000n@ymail[.]com” registrant email address. Note the reference to “Iran” and “No 7, emam st”, as well as “Yaser Mahoodi”, all of which carry an obvious Persian “theme”. In following with the Persian "theme", the "Yaser Mahoodi" reference may be an alternative spelling of the Persian musician Yaser Mahmoudi.
The “afs0000n@ymail[.]com” account is responsible for registering the following four malicious Mahdi domains:
The domain registration included the same Whois registration data:Registrant ID:DI_13575463 Registrant Name:Yasere Mahmoodi Registrant Organization:Indi Registrant Street1:no 7 , emam st Registrant Street2: Registrant Street3: Registrant City:Tehran Registrant State/Province:Zanjan Registrant Postal Code:0098 Registrant Country:IR Registrant Phone:+21.456777 Registrant Phone Ext.: Registrant FAX: Registrant FAX Ext.: Registrant Email:email@example.com
The following “orderbox-dns[.]com” name servers were configured for the Mahdi domains, all of which also contained a reference to “afs0000n” and were most likely associated with a “afs0000n” user account within the Orderbox service.
A simple Google search for “afs0000n” reveals cached details associated with the Mahdi infrastructure, including references to “afs0000n[.]blogsky[.]com”. The website Blogsky[.]com is a free Persian weblog service.
The “afs0000n” blog, written in Persian, references the “Oppressed people of Baluchistan” and is “dedicated to the brothers engaged in jihad”. Baluchistan is a poor and desolate region within southeastern Iran that borders both Pakistan and Afghanistan. The blog also includes a single short blog entry by “Afson”, a possible original spelling for the alternate “afs0000n”, who claims to be a 27-year-old male in Iran.
A historic Whois entry from December of 2010 for the Mahdi domain manageweb[.]in includes the same registrar data for the malicious “afs0000n” Mahdi domains, except for the registrant email. In this case the registrant used the “yaser.mahoodi0@gmail[.]com” account. The registration information for “yaser.mahmoodi0@gmail[.]com” also uses the alternative spelling of a Persian musician “Yaser Mahmoudi”.Domain ID:D4661081-AFIN Domain Name:MANAGEWEB[.]IN Created On:21-Dec-2010 09:46:14 UTC Last Updated On:21-Dec-2010 09:53:55 UTC Expiration Date:21-Dec-2011 09:46:14 UTC Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. dba PublicDomainRegistry.com (R5-AFIN) Status:CLIENT TRANSFER PROHIBITED Status:TRANSFER PROHIBITED Registrant ID:DI_13575463 Registrant Name:Yasere Mahmoodi Registrant Organization:Indi Registrant Street1:no 7 , emam st Registrant Street2: Registrant Street3: Registrant City:Tehran Registrant State/Province:Tehran Registrant Postal Code:0098 Registrant Country:IR Registrant Phone:+21.25748512 Registrant Phone Ext.: Registrant FAX: Registrant FAX Ext.: Registrant Email:yaser.mahmoodi0@gmail[.]com
Prior to being sinkholed, the Mahdi domain ieeei[.]in previously resolved to IP Address 91.98.48[.]81 (ParsOnline, Tehran, Iran), which also co-hosted www.miknalwindik[.]us. Since October of 2010, the www.miknalwindik[.]us domain has resolved to the following Iranian ParsOnline IP addresses: 91.98.48[.]93, 91.98.48[.]125, 91.99.196[.]35, recently changing resolutions to 91.98.48[.]81 in March 2012.
The Whois registration data for miknalwindik[.]us indicates that the domain was registered with the email address “pajoohesh.iauk@gmail[.]com”. The term “Pajoohesh” could possibly reference a variety of organizations or individuals, some with possible Iranian associations. The term “iauk” could be a reference to the Islamic Azad University, Kerman Branch “www.iauk.ac[.]ir. The university, located in the Kerman province, is also in southeastern Iran just west of the Sistan and Baluchistan provinces.Domain Name: MIKNALWINDIK[.]US Domain ID: D30559536-US Sponsoring Registrar: ENOM, INC. Domain Status: ok Registrant ID: 1CE66E143086188F Registrant Name: Saleh Mirzaie Registrant Address1: Lexington Registrant City: Lexington Registrant State/Province: KY Registrant Postal Code: 40502 Registrant Country: United States Registrant Country Code: US Registrant Phone Number: +1.85927065478 Registrant Email: pajoohesh.iauk@gmail[.]com Registrant Application Purpose: P3 Registrant Nexus Category: C12 Conclusion
The target distribution is one of the most telling factors to infer who is responsible for Mahdi. As more details emerge highlighting the distribution of the global Mahdi infections, we will gain information about the validity of an Iranian state sanctioned or sponsored hypothesis. One theory that may lead to differing conclusions between Symantec and Kaspersky, in terms of victim counts and targeted industries, may simply be an issue of market access and regional user acceptance of U.S. and Russian host based antivirus products within the Middle East, as one market is more likely to accept one solution over the other. The compromise of Iranian victims, Israeli victims, U.S. think tanks, consulates, government agencies and the energy sector could suggest that the Mahdi attackers were dual-hatted with both an internal state security function as well as a regional Intelligence collection mission.
In addition to the technical details highlighted in the original Kaspersky and Seculert postings, much of the identified Mahdi infrastructure consistently maintained a common Iranian nexus either directly or indirectly:
- The Mahdi Command and Control infrastructure was specifically used within Azerbaijan, a geographic location where both geopolitical and diplomatic fissures existed with Iran.
- The Mahdi domain registration metadata (both old and new) consistently maintained a common Iranian theme.
- The Mahdi IP Address 67.205.106[.]67 is associated with the mortaldl[.]com, which may suggest linkages to the Iranian m0rtalkombat[.]com “Underground Security Team”.
- The Mahdi domain ieeei[.]in has resolved to an Iranian Internet service provider since October of 2010.
- The username “Afson” aka “afs0000n” and email address “afs0000n@ymail[.]com” revealed secondary details of an individual familiar with the Persian language and culture, referencing the Baluchistan region.
- The terms “pajoohesh” and “iauk” within the “miknalwindik[.]us” registration email address may also suggest Iranian linkages.
All indicators available point to this malware and the targeted campaign associated with it being of probable Iranian origin. Even with possible Iranian personas associated with the attacks identified, there is no absolute smoking gun to the attribution. Mahdi was technically an unsophisticated targeted attack with sloppy operational tradecraft but regardless of sophistication level, it was clearly effective in that it successfully operated under the radar for months. Given the established precedent and rising tensions in the Middle East, we can assess with high confidence that targeted attacks within the region and against regional stakeholders will continue.