State-sponsored agents likely to be behind sophisticated 'Mask' malware - Kaspersky

Kaspersky uncovered cyber espionage tool which targeted governments for seven years

A new type of cyber security threat known as 'The Mask' is so sophisticated that the most probable explanation for its existence is that it was created with the sponsorship of a nation-state.

The malicious software, also known as Careto, has been uncovered by Kaspersky Lab's security research team, who say it represents one of the most advanced global cyber-espionage operations to date.

It's believed the Spanish-language malware has been in operation since 2007 and is responsible for hundreds of cyber attacks across at least 31 countries. The UK has experienced 109 of these unique attacks, making it the third most targeted country for The Mask.

The most frequent targets of cyber criminals employing The Mask are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organisations and activists. Spear-phishing emails are the most common means of duping users into letting the attackers gain access to their networks.

The main objective of attackers using Careto - Spanish slang for ugly face - is to steal data from infected systems. That data includes encryption keys, VPN configurations, SSH keys, all of which can be used to identify users, along with RDP files, which can be used to remotely operate the infected computer.

What makes The Mask special is the complexity of the tools the attackers use to spread it. The toolkit includes the sophisticated malware itself, a rootkit, a bootkit, and Mac OS X- and Linux-based versions of the software in addition to the standard Windows version. It's also possible that versions exist for Android mobile devices, as well as for Apple products such as the iPhone and iPad.

It's that complexity that leads Kaspersky to believe The Mask might be the product of a government-backed cyber espionage scheme.

"Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack," said Costin Raiu, director of the global research and analysis team at Kaspersky Lab.

"From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules to using wiping instead of deletion of log files. These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment," he continued.

"This level of operational security is not normal for cyber-criminal groups," Raiu added, although he wasn't drawn on which nation-state might be behind The Mask or what the ultimate aim of the attacks could have been.

The campaign was active for five years, up until January 2014, when 90 command-and-control (C&C) servers were shut down during Kaspersky Lab's investigation.