The Inquirer-Home

Kaspersky Lab unmasks a global cyber espionage toolkit

Security firm peels back The Mask
Tue Feb 11 2014, 11:27

RUSSIAN SECURITY FIRM Kaspersky Lab has detected a Spanish speaking cyber spook kit that has been around and in use since 2007.

The security firm announced its discovery of "The Mask" in a blog post and dissected it in a report, calling it "one of most advanced global cyber-espionage operations" it has ever seen.

The Mask was built by Spanish speaking attackers (PDF), it said, and was used to target enterprises like oil, gas and other utility companies.


"What makes 'The Mask' special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone)," it said.

"The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organisations and activists. Victims of this targeted attack have been found in 31 countries around the world - from the Middle East and Europe to Africa and the Americas."

The Mask draws its name from the word "Careto" - Spanish for mask - which is found in the code, but the use of Spanish is rare in advanced persistent threats, according to the firm. The Mask infiltrates systems through spear phishing attacks and poisoned links. Kaspersky has spotted it in over 30 countries, including the UK, China and the US.

Kaspersky said that this is likely a state sponsored attack, due to the sophisticated methods and data extraction skills it displays, but it didn't point any fingers. The most attacked countries are Morocco with 384 unique attacks and Brazil with 173. The UK is third with 109.

"Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack," said Costin Raiu, director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab.

"From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules to using wiping instead of deletion of log files. These combine to put this [Advanced Persistent Threat] ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment. This level of operational security is not normal for cyber-criminal groups." µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Existing User
Please fill in the field below to receive your profile link.
Sign-up for the INQBot weekly newsletter
Click here
INQ Poll

Microsoft Windows 10 poll

Which feature of Windows 10 are you most excited about?