Cyberespionage operation 'The Mask' compromised organizations in 30-plus countries
The attack campaign is highly sophisticated and bears the marks of a state-sponsored operation, the researchers said
IDG News Service - A cyberespionage operation that used highly sophisticated multi-platform malware went undetected for more than five years and compromised computers belonging to hundreds of government and private organizations in more than 30 countries.
Details about the operation were revealed Monday in a paper by security researchers from antivirus firm Kaspersky Lab who believe the attack campaign could be state sponsored.
The Kaspersky researchers dubbed the whole operation "The Mask," the English translation for the Spanish word Careto, which is what the attackers called their main backdoor program. Based on other text strings found in the malware, the researchers believe its authors are probably proficient in Spanish, which is unusual for an APT (advanced persistent threat) campaign.
"When active in a victim system, The Mask can intercept network traffic, keystrokes, Skype conversations, PGP keys, analyze WiFi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations," the Kaspersky researchers said in the research paper. "The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP [remote desktop protocol] files. There are also several extensions being monitored that we have not been able to identify and could be related to custom military/government-level encryption tools."
Data found by investigating and monitoring a set of command-and-control (C&C) servers used by the attackers revealed more than 380 unique victims from 31 countries. The main targets of the operation are government institutions; embassies and other diplomatic missions; energy, oil and gas companies; research institutions; private equity firms and activists.
Victims were targeted using spear-phishing emails with links leading to websites that hosted exploits for Java and Adobe Flash Player, as well as malicious extensions for Mozilla Firefox and Google Chrome. The URLs used were meant to impersonate the websites of popular newspapers, many in Spanish, but also The Guardian, The Washington Post and The Independent.
Historical data collected from debug logs accessible on C&C servers showed that more than 1,000 victim IP (Internet Protocol) addresses had connected to them. The top five countries by victim IP address count were Morocco, Brazil, the U.K., Spain and France.
Kaspersky was also able to redirect the domain names for some of the C&C servers to a server under its control -- an operation known as sinkholing -- in order to gather statistics and collect more accurate information about the locations of current victims. Active monitoring of connections to the sinkhole server showed a different distribution by country, but Spain, France and Morocco remained in the top five by both IP address count and unique victim IDs.
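As an added illustration of the sinkhole analysis described above (example code, not from the Kaspersky report), the following Python ranks sinkhole check-ins by country twice, once by distinct source IP and once by distinct victim ID, which is why the two rankings can differ when several victims sit behind one NAT address or one victim rotates through dynamic addresses. The log lines and the IP-to-country table are constructed for the example and stand in for real sinkhole logs and a GeoIP lookup.

```python
import re
from collections import defaultdict

# Constructed sample check-in lines as a sinkhole server might log them (not real
# data from the Kaspersky report): "<timestamp> <source ip> <victim id>".
SINKHOLE_LOG = """\
2014-02-10T08:01:12Z 198.51.100.1 VICTIM-0001
2014-02-10T08:02:05Z 198.51.100.1 VICTIM-0002
2014-02-10T08:02:44Z 198.51.100.1 VICTIM-0003
2014-02-10T08:05:19Z 198.51.100.2 VICTIM-0004
2014-02-10T09:10:00Z 203.0.113.1 VICTIM-0005
2014-02-10T13:10:00Z 203.0.113.2 VICTIM-0005
2014-02-10T17:10:00Z 203.0.113.3 VICTIM-0005
2014-02-10T11:30:30Z 192.0.2.1 VICTIM-0006
2014-02-10T11:31:02Z 192.0.2.2 VICTIM-0007
this line is malformed and must be skipped
"""
# Constructed IP-to-country table standing in for a GeoIP lookup (assumption).
GEOIP = {
    "198.51.100.1": "ES", "198.51.100.2": "ES",
    "203.0.113.1": "FR", "203.0.113.2": "FR", "203.0.113.3": "FR",
    "192.0.2.1": "MA", "192.0.2.2": "MA",
}

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")

def parse_checkins(log_text):
    """Yield (source_ip, victim_id) pairs; lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3)

def rank_countries(log_text, geoip=GEOIP):
    """Return two rankings: by distinct source IPs and by distinct victim IDs per country."""
    ips_by_country = defaultdict(set)
    ids_by_country = defaultdict(set)
    for ip, victim_id in parse_checkins(log_text):
        country = geoip.get(ip, "??")  # unknown IPs are kept under "??", not dropped
        ips_by_country[country].add(ip)
        ids_by_country[country].add(victim_id)
    def ranking(table):  # highest count first, country code breaks ties
        return sorted(((c, len(s)) for c, s in table.items()), key=lambda x: (-x[1], x[0]))
    return ranking(ips_by_country), ranking(ids_by_country)

if __name__ == "__main__":
    by_ip, by_id = rank_countries(SINKHOLE_LOG)
    print("by source IP count :", by_ip)   # FR leads: one victim seen from three addresses
    print("by unique victim ID:", by_id)   # ES leads: three victims behind one address
```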