Cyber-espionage campaign 'The Mask' uncovered

The threat has been in works since 2007, infected 380 targets

In a first, security solutions firm Kaspersky Lab has uncovered a cyber-espionage campaign that has been running from at least 2007. The threat called “The Mask” (aka Careto), an advanced Spanish-language speaking threat actor, has been targeting government agencies, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists.

The ‘Mask’ has so far infected over 380 targets. Infections have been observed in Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.

The main objective of the attackers is to gather sensitive data from the infected systems. These include office documents, but also various encryption keys, VPN configurations, SSH keys (serving as a means of identifying a user to an SSH server) and RDP files (used by the Remote Desktop Client to automatically open a connection to the reserved computer).

“Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files. These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment,” said Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab.

The complexity and universality of the toolset used by the attackers makes this cyber-espionage operation very special, said the Lab. This includes leveraging high-end exploits, an extremely sophisticated piece of malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (iOS). The Mask also used a customized attack against Kaspersky Lab’s products.