Wednesday, February 12, 2014

"The Mask" or Careto: new campaign of espionage ... - ZDNet

Security: Kaspersky researchers believe they have uncovered a cyber-espionage campaign aimed at strategic targets (381 victims in 31 countries), which they have dubbed “The Mask.” According to the vendor, the campaign could be sponsored by “some states.”


“The Mask, one of the most advanced cyber-espionage campaigns discovered to date.” The announcement reads almost like the trailer for the next American blockbuster. It is, simply if not soberly, the announcement of what Kaspersky describes as a sophisticated campaign of cyber attacks.

From the evidence collected by the security vendor, the cyber-espionage operation would have been active since at least 2007 and until January 2014, when the Careto command-and-control servers were taken offline.

Embassies, labs and activists targeted

If Kaspersky speaks of cyber-espionage, it is because of the very specific targets of these attackers, whose language, unusually, appears to be Spanish. The vendor has identified more than 380 “unique victims” spread over 1,000 IP addresses in 31 different countries.

“The main targets are governments, diplomatic missions and embassies, oil, gas and energy companies, research laboratories and activists,” says Kaspersky.

The nature of the stolen items also supports the cyber-espionage theory. The authors made off with documents, but also encryption keys, SSH keys, VPN configurations and RDP files.

The vendor also describes the cyber-espionage operation as “atypical in the complexity and universality of the tools used by the criminals.” The hackers made particularly effective use of malware for Mac OS X and Linux, “and potentially versions for Android and iPad/iPhone (iOS).”

Infections through spear-phishing and fake sites

And if the Russian vendor took a particular interest in “The Mask,” it is because its own security products were targeted. To avoid detection, the attackers exploited a flaw in its security software that had been fixed several years earlier.


The mode of infection is relatively straightforward at first sight. It relies on phishing emails, or more targeted spear-phishing. The messages contained links to a malicious website hosting various exploits “designed to infect visitors, depending on the system configuration.”

Once the visitor was infected, he was redirected to the legitimate site that the link in the email was supposed to lead to. Once installed, the malware made it possible “to intercept all communication channels and collect vital information from the infected system.”

A zero-day exploit sold by VUPEN?

“It is extremely difficult to detect because of a stealth rootkit. Careto is a highly modular system that supports plugins and configuration files. This allows it to perform many functions,” Kaspersky further states.

The vendor’s analysis leads it to think that “this campaign could be sponsored by some states.” To support this hypothesis, the researchers point in particular to “a very high degree of professionalism in operational procedures” on the part of the group of hackers.

Another factor could further strengthen this hypothesis. In their conclusions, though not in the press release, the researchers say that the attacks used at least one zero-day exploit.

What is more: it was sold to governments by the French company VUPEN, which in 2013 made headlines for offering its exploits for sale to the NSA. A thinly veiled accusation that was badly received by Vupen founder Chaouki Bekrar.
