February 11, 2014
Kaspersky Labs Warns Of State-Sponsored Spanish Language Malware
Peter Suciu for redOrbit.com - Your Universe Online
On Monday security researchers at Kaspersky Labs announced the discovery of cyber-espionage malware, which may have targeted governments and companies in 31 countries. Dubbed “The Mask,” or “Careto,” it is believed to be one of the first Spanish language attacks to have been discovered – yet it may have been active since 2007.
The malware has been targeting government institutions including diplomatic offices and embassies, as well as energy companies (oil and gas), research facilities and even activist websites. Kaspersky said they found that victims have been uncovered in 31 countries around the world from the Middle East, Europe, Africa and the Americans.
In the Executive Summary of the report, Kaspersky noted: “The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name ‘Mask’ comes from the Spanish slang word ‘Careto’ (‘Ugly Face’ or ‘Mask’), which the authors included in some of the malware modules.”
It added that when active in a victim system, “The Mask can intercept network traffic, keystrokes, Skype conversations, PGP keys, analyse WiFi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations.”
The malware reportedly collects information from documents, and this can include encryption keys, VPN configurations, SSH keys and RDP files. More than 380 unique victims over the course of the last five years have been discovered.
The question now is who might be beyond the Mask? Kaspersky researchers believe this could be state-sponsored malware.
“Several reasons make us believe this could be a nation-state sponsored campaign,” said Costin Raiu, director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab. “First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files. These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment. This level of operational security is not normal for cyber-criminal groups.”
The Telegraph noted that the suspected involvement of a Spanish-speaking nation is most unusual, as past sophisticated cyber spying operations have been linked to the United States, China, Russia and Israel.
The researchers at Kaspersky believe the Mask has Spanish roots because of Spanish words found in the malware – notably “careto” – as well as slang terms. This could have been added to throw researchers off the trail, however.
“This is all speculation since these could be false flags,” Cesar Cerrudo, chief technology officer at security firm IOactive, told Mashable. “Others could have created the malware and put those strings on purpose to mislead — I wouldn’t discount that.”
While the malware did appear to use phishing emails that included links that pointed to Spanish news sites including El Mundo and El Pais, fake links also pointed to The Guardian, The Washington Post and Time. This suggests that the malware authors were going for a large target audience.
Whoever is behind The Mask so far has yet to be revealed.