'Mask' spying campaign unmasked

2014-02-11 11:00
Kaspersky Lab does analysis of malware threats at its offices in Moscow. (Duncan Alfreds, News24)


Punta Cana - A computer security software firm has uncovered what it calls the first cyber espionage campaign believed to have been started by a Spanish-speaking country, targeting government agencies, energy companies and activists in 31 countries.

Dubbed "The Mask", the campaign had operated undetected since 2007 and infected more than 380 targets before it stopped last week, Moscow-based Kaspersky Lab said on Monday.

The firm declined to identify the government suspected to be behind the cyber spying, but said it had been most active in Morocco, followed by Brazil, the UK, France and Spain.

The suspected involvement of a Spanish-speaking nation is unusual as the most sophisticated cyber spying operations uncovered so far have been linked to the US, China, Russia and Israel. Those nations have been said to be behind the Duqu, Gauss and Flame malware, for example.

Kaspersky Lab said the discovery of The Mask suggests that more countries have become adept in internet spying. The firm's researchers only came across the operation because it infected Kaspersky's own software.

Spying operation

"There are many super-advanced groups that we don't know about. This is the tip of the iceberg," Costin Raiu, director of Kaspersky's global research team, said in an interview on the sidelines of a conference sponsored by his company in the Dominican Republic.

Raiu said The Mask hit government institutions, oil and gas companies and activists, using malware that was designed to steal documents, encryption keys and other sensitive files, as well as take full control of infected computers.

The operation infected computers running Microsoft's Windows and Apple's Mac software, and likely mobile devices running Apple's iOS and Google's Android software, according to Kaspersky Lab.

The companies did not immediately respond to requests for comment.

Kaspersky Lab said it worked with Apple and other companies last week to shut down some of the websites that were controlling the spying operation.

The Russian-based company named the operation "The Mask" for the translation of the Spanish word "Careto", which appears in the malware code.

Among other things, The Mask hackers took advantage of a known flaw in Adobe Systems' ubiquitous Flash software that permitted attackers to get from Google's Chrome web browser into the rest of a target's computer, Raiu said. Adobe fixed the flaw in 2012, he said.

Government clients

A spokesperson for Adobe confirmed that the company released an update to Flash in April 2012 that fixed the vulnerability. She declined to comment on Kaspersky Lab's research on The Mask.

Raiu said The Mask attackers may have been aided by a booming grey market for undisclosed software flaws and the tools for exploiting them, known as "Zero day" exploits because the makers of affected software have no notice of the danger. Buyers of zero days often leave the software vulnerabilities unfixed in order to deploy spy software.

The Flash flaw had been uncovered in 2012 by a Paris-based company called Vupen, which specialises in finding such weaknesses. Vupen revealed the vulnerability at a hacking competition that year, but did not demonstrate how it can be exploited. Instead, Vupen said it would sell its research to its government clients.

Kaspersky Lab said The Mask was one of the few internet spying campaigns exposed to date that appear to have links to a zero day sale. Vupen Chief Executive Chaouki Bekrar disputed any connection to his company.

"Believe it or not, but there are many other companies selling zero days," Vupen said via e-mail.

Security experts have become increasingly concerned about the zero day market, where governments including the US are active buyers. A former top US cyber security official, Richard Clarke, said that deliberately leaving vulnerabilities unfixed puts US assets at risk.

Liam O'Murchu, a researcher at Symantec, said it was difficult to know who was behind The Mask.

"Just looking at the targets, it is not obvious who would want to target them; there is no obvious pattern," O'Murchu said via e-mail. "The code is professionally written, but it's even difficult to say whether it is written by a government or by a private company that sells this type of software."
