Cyberespionage operation 'The Mask' compromised organizations in 30-plus countries
IDG News Service - A cyberespionage operation that used highly sophisticated multi-platform malware went undetected for more than five years and compromised computers belonging to hundreds of government and private organizations in more than 30 countries.
Details about the operation were revealed Monday in a paper by security researchers from antivirus firm Kaspersky Lab who believe the attack campaign could be state sponsored.
The Kaspersky researchers dubbed the whole operation "The Mask," the English translation for the Spanish word Careto, which is what the attackers called their main backdoor program. Based on other text strings found in the malware, the researchers believe its authors are probably proficient in Spanish, which is unusual for an APT (advanced persistent threat) campaign.
"When active in a victim system, The Mask can intercept network traffic, keystrokes, Skype conversations, PGP keys, analyze WiFi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations," the Kaspersky researchers said in the research paper. "The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP [remote desktop protocol] files. There are also several extensions being monitored that we have not been able to identify and could be related to custom military/government-level encryption tools."
Data found by investigating and monitoring a set of command-and-control (C&C) servers used by the attackers revealed more than 380 unique victims from 31 countries. The main targets of the operation are government institutions; embassies and other diplomatic missions; energy, oil and gas companies; research institutions; private equity firms and activists.
...
"Nation-state-level cyber-offensive operations can lurk in the dark for many years before being discovered and fully analyzed," said Igor Soumenkov, principal security researcher at Kaspersky Lab, via email. "Sometimes, samples are detected, but the researchers lack the data to make a 'big picture' out of it. With Careto, we tried not just to analyze the attack against Kaspersky products, but to understand what is the big picture."
Soumenkov believes the use of the Spanish language and the compilation date of the oldest sample suggest that state-sponsored attackers from countries other than China, Russia or the U.S. have been running cyberespionage attacks longer than previously thought.
http://www.networkworld.com/news/2014/021114-cyberespionage-operation-39the-mask39-compromised-278634.html