The Mask – We reveal the most advanced cyberespionage operation in history


For over 5 years, a cybercriminal group, possibly supported by the government of an unidentified country, has been carrying out attacks on government agencies, embassies, diplomatic offices and companies from the energy industry. Their actions, exposed by Kaspersky Lab specialists, have already been hailed as one of the most advanced and global cyberespionage operations in history.

The action was revealed to the public earlier this week, during the annual Kaspersky Lab congress – Security Analyst Summit, which is taking place this year in the Dominican Republic. The threat was named „Careto” (from the word in the code), which means „ugly face” or „mask” in Spanish. This ambiguity introduces some discrepancy in interpretations among Spanish-speaking communities.

The Mask action can be of concern as it shows how highly skilled and educated cyber-espionage programmers develop, perfect their art, and generally infect, spy and steal more effectively in very specific and diverse environments. It is also scary that „The Mask” has been operating in secret, discreetly intercepting confidential data since 2007!   Costin Raiu , director of the Global Research and Analysis Team (GReAT), believes that if it had not been for an attempt to infect a patched vulnerability in an older version of one of Kaspersky Lab’s products with an exploit, corporate specialists would probably never have picked up on these global activities.

„Attempting to attack Kaspersky Lab products was not a wise move,” Raiu said in his presentation on The Mask.

Nevertheless, such extremely sophisticated, advanced and long-lasting ( APT ) attacks are designed to infect individual devices that have direct access to confidential networks – in this particular case those located in government agencies or energy companies. In other words, attackers are not interested in much of the population. Another reason you can breathe a sigh of relief is that a few hours after Kaspersky Lab’s Global Research and Analysis Team published the details of this action, whoever is responsible for the action abandoned them.

Kaspersky Lab specialists took over about 90 servers and domains used by the attackers. All of them were closed within four hours of the article being published, Raiu continues. Sinkholing – this is the name of the technique used by our researchers – is to neutralize and take control of network traffic generated by malware, and then redirect it to another location – away from the cybercriminal servers that drive the entire action.

However, Raiu says the cyber attackers can resume their operation quickly and will be back in the game in no time if they wish.

The Mask campaign is also notable for a couple of other reasons. First, despite the indications, it does not appear that China could have had anything to do with it (much of the attacks originated in that country). An interesting aspect is also the signals that the people who managed the entire action communicated in Spanish, which is new in the history of cyber attacks. However, when we take into account the statistics that say that the language is spoken by as many as 400 million people – second position behind Mandarin (the main dialect of the Chinese language) – this issue is no longer so surprising. The main targets of Maska’s attacks were Spanish-speaking institutions, but the actions of cybercriminals affected at least 30 countries.

Moreover, this well-organized group seems to have at least one additional version of malware in its arsenal for OS X hardware and even for iOS and Android mobile devices. According to Costin Raiu, at least one Moroccan victim’s device communicated with the criminals' infrastructure via 3G networks.

„These guys are better than the Flame APT group because they know how to effectively manage the infrastructure they have created,” Raiu said. “They are distinguished by their speed of action and professionalism that has never been seen before.

As a reference, I will use the example of the „Flame APT” group unmasked by Kaspersky Lab specialists in 2012. The attackers targeted their actions at the countries of the Middle East and in a rather sophisticated way they generated fake certificates that impersonated those coming directly from Microsoft.

As is most often the case, the people behind „The Mask” used targeted phishing e-mails that led victims to fake sites that were installing exploits that infect systems at that time. These pages were „riddled” with viruses.

Raiu pointed out that the aggressors had over a dozen different tools at their disposal, including implants that allowed the perpetrators to operate on victims' devices for a long time, intercept all TCP and UDP communication in real time, and remain invisible on the infected computer. Raiu confirmed that all communication paths between the victims and the cybercriminals' servers were encrypted.