The Mask: One Of The Sneakiest Government Malware Campaigns Ever Uncovered

At least 109 UK machines have been targeted in what analysts say is one of the stealthiest cases of digital espionage ever, called ‘The Mask’. The campaign has been going for seven years, and appears to originate from a Spanish-speaking, possibly governmental, source.

The attacks have been ongoing since at least 2007, according to a Kaspersky report, which found 380 unique victims had been targeted across 31 countries.

The attackers used spear phishing emails to lure targets into clicking on links to malicious domains, many of which appeared to be subsections of popular Spanish papers, as well as international publications like The Guardian and The Independent.
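A defender reading this would want to catch such lures at the proxy or DNS layer: a hostname that carries a newspaper's brand but sits under a different registrable domain is the signature of a lookalike link. The following is an added example, not code from the article or from Kaspersky, that applies that check to constructed proxy-log lines; the brand allow-list, the two-label suffix set and every domain in the sample log are assumptions made for the demonstration (the lookalike hosts use reserved `.example` names, not the campaign's real infrastructure).

```python
"""Flag proxy-log URLs whose hostname borrows a publication's brand but resolves
to a different registrable domain (a lookalike of the newspaper's own site)."""
from urllib.parse import urlsplit

# Assumed allow-list for this demonstration: brand token -> legitimate
# registrable domains. A real deployment maintains this from its own sources.
BRAND_ALLOWLIST = {
    "guardian": {"theguardian.com"},
    "independent": {"independent.co.uk"},
}

# Minimal set of two-label public suffixes so that "independent.co.uk" counts as
# one registrable domain. Production code should use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.br", "com.es", "com.au"}

# Constructed sample proxy log: timestamp, client IP, method, URL.
SAMPLE_PROXY_LOG = """\
2014-02-10T09:12:31Z 10.0.0.21 GET http://www.theguardian.com/world/2014/feb/10/story
2014-02-10T09:14:02Z 10.0.0.21 GET http://politics.theguardian.news-mirror.example/article.php?id=1
2014-02-10T09:15:47Z 10.0.0.33 GET http://www.independent.co.uk/news/uk/home
2014-02-10T09:16:09Z 10.0.0.33 GET http://www.independent.co.uk.cdn-static.example/uk/politics/
2014-02-10T09:18:55Z 10.0.0.40 GET http://intranet.corp.example/portal
"""


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else ""


def registrable_domain(host: str) -> str:
    """Return the registrable domain, e.g. 'independent.co.uk' for 'www.independent.co.uk'."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url: str):
    """Classify a URL as ('allowed', brand), ('lookalike', brand) or ('unrelated', None)."""
    host = hostname_of(url)
    if not host:
        return ("unrelated", None)
    reg = registrable_domain(host)
    # The genuine site wins outright, whatever subdomain it is served from.
    for brand, legit in BRAND_ALLOWLIST.items():
        if reg in legit:
            return ("allowed", brand)
    # Brand token present anywhere in the host, but under a foreign registrable domain.
    for brand in BRAND_ALLOWLIST:
        if brand in host:
            return ("lookalike", brand)
    return ("unrelated", None)


def scan_log(text: str) -> list:
    """Return one (timestamp, client, hostname, brand) record per lookalike hit."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than abort on a noisy log
        ts, client, _method, url = parts[:4]
        verdict, brand = classify(url)
        if verdict == "lookalike":
            hits.append((ts, client, hostname_of(url), brand))
    return hits


if __name__ == "__main__":
    for ts, client, host, brand in scan_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} lookalike of '{brand}': {host}")
```

The allow-list check runs before the brand-token check so that `www.theguardian.com` and any genuine subdomain pass, while hosts that merely contain the token, including ones that prefix the real domain as a subdomain label, are surfaced for review.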

Morocco was by far the biggest target, with 391 victim IP addresses. Brazil had 173, followed by 109 in the UK. Spain and France were also home to a large number of victims.

“In total, we observed over 1,000 victims’ IPs in 31 countries. We have also found traces of at least 380 different victims’ IDs according to attackers’ naming schema both in logs and sinkholed requests,” Kaspersky’s report read.

State-sponsored attack

A number of factors pointed to a nation-state-sponsored effort. Exploits were launched against Java and Flash Player, and malicious plugins for Chrome and Firefox were also detected, on Windows, Linux and OS X.

The Flash Player vulnerability used by the attackers was one uncovered in 2012 by the exploit seller VUPEN, which sells its findings to governments for offensive operations. It claims to sell only to NATO-based nations.

VUPEN’s chief Chaouki Bekrar told TechWeekEurope it was not certain his company sold details of the vulnerability to The Mask attackers. “There are many other talented researchers around the world who are able to analyse a security patch released by Adobe and figure out which flaws were fixed, and then create the corresponding exploits without the need of VUPEN’s assistance or original code,” Bekrar said.

Amongst the targets were activists, government bodies, embassies, and oil and gas firms.

Kaspersky believes the attackers are proficient Spanish speakers, but further attribution details have not been disclosed.

“For Careto, we observed a very high degree of professionalism in the operational procedures of the group behind this attack, including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files and so on,” the report read.

Super-powered malware

The backdoor was called “Careto”, the Spanish word for “ugly face” or “mask”, whilst the malware itself was referred to as SGH. The SGH caught Kaspersky’s attention when it tried to subvert the company’s software, tricking it into whitelisting updates to the malware.

SGH, described as “an infinitely extensible attack platform”, can intercept network traffic and keystrokes, amongst other data, whilst snooping on Skype conversations. The malware also had the ability to siphon off all information from Nokia devices.

The malicious files were signed with a certificate from TecSystem, a Bulgarian entity, which Kaspersky suspects may be fake.

Given that PGP keys used for encrypted email, VPN (virtual private network) configurations, SSH (secure shell) keys and RDP (remote desktop protocol) files were all targeted by the malware, it is apparent that The Mask hackers wanted to subvert privacy protections commonly used by businesses.

Two layers of encryption were used by the attackers for their command and control communications, using RSA keys. “This double encryption is uncommon and shows the high level of protection implemented by the authors of the campaign,” the Kaspersky report read.

The Mask crew also blacklisted a number of IPs used by security researchers, including Kaspersky Lab, Trend Micro and ESET.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.


  • Morocco the first target? A Spanish-speaking country?
    EASY: it's SPAIN.
    A few years ago, in a poll, when asked what country in the world you fear most, Spaniards answered Morocco with a large advance. Then you have Ceuta, Melilla and islands controlled by Spain in Morocco. Then you get Morocco being a major economic concurrent of Spain, with the perfect example of the Tangier Med Port in north Morocco, which killed the Spanish ports' activities in the Strait of Gibraltar.
