“If APT attackers are like chess players, Mask is the grandmaster” – Costin Raiu
Researchers have uncovered a sophisticated cyber spying operation that has been alive since at least 2007 and uses techniques and code that surpass any nation-state spyware previously spotted in the wild.
The attack, dubbed Careto, or “The Mask”, by the researchers at Kaspersky Lab in Russia who discovered it, targeted government agencies, diplomatic offices and embassies before it was dismantled last month. It also targeted companies in the oil, gas and energy industries, private equity firms, research organizations and activists. The attackers successfully hacked organizations in 31 nations in the Middle East, Europe, Africa and the Americas; Kaspersky uncovered at least 380 victims, with the majority of the targets in Morocco and Brazil.
The attack — possibly from a Spanish-speaking country — used sophisticated malware, rootkit methods and a bootkit to hide and maintain persistence on infected machines.
Once Careto has compromised a system, it begins collecting sensitive information from it. The software can “intercept network traffic, keystrokes, Skype conversations, analyse WiFi traffic, PGP keys, fetch all information from Nokia devices, screen captures and monitor all file operations.”
The attackers sought not only to steal documents, but also encryption keys, data about a target’s VPN configurations and Adobe signing keys, and they wiped and deleted other data on targeted machines.
The Mask also went after files with extensions that Kaspersky has not been able to identify yet. The Kaspersky researchers believe the extensions may be used by custom government programs, possibly for encryption.
“They are absolutely an elite APT [Advanced Persistent Threat] group; they are one of the best that I have seen,” Costin Raiu, director of Kaspersky’s Global Research and Analysis Team said at a conference here today. “Previously in my opinion the best APT group was the one behind Flame . . . these guys are better. The speed and professionalism is beyond . . . anything else that we’ve seen so far.”
Kaspersky found evidence that the attackers may be native Spanish speakers. The attack uses three backdoors, one of which the attackers named Careto, which means Mask in Spanish. Raiu said it’s the first APT malware they’ve seen with Spanish language snippets; usually, it’s Chinese.
Raiu was circumspect about what nation might be involved, noting that there are 21 Spanish-speaking nations. “It could be any one of them,” he says. Careto’s controllers have taken pains to remain undetected, unlike the Chinese hacking group known as APT1, which has been widely tracked for several years.
And the researchers note that the fragments of Spanish may be a “false flag” operation: The software’s authors may have deliberately inserted Spanish slang into the software’s source code to divert attention from the real authors.
Kaspersky believes the espionage operation belongs to a nation state because of its sophistication and because of an exploit the attackers used that the Kaspersky researchers believe may have been sold to the attackers by Vupen, a company in France that sells zero-day exploits to law enforcement and intelligence agencies.
“One of The Mask exploits was for CVE-2012-0773, a vulnerability discovered by VUPEN, a firm that sells exploits…” https://t.co/ONcr6qp3kS
— Mikko Hypponen (@mikko) February 10, 2014
Vupen sparked controversy in 2012 when they used the same vulnerability — then a zero-day — to win the Pwn2Own contest at the CanSecWest conference in Vancouver. The exploit Vupen designed allowed them to bypass the security sandbox in Google’s Chrome browser.
Vupen co-founder Chaouki Bekrar refused at the time to provide details about the vulnerability to Google, saying he would be withholding the information to sell to his customers.
Raiu says they don’t know for certain that the Mask attackers used Vupen’s exploit for the Flash vulnerability, but the code is “really really sophisticated” and it’s highly unlikely that the attackers would have created their own separate exploit, he says.
Vupen today said the exploit was not theirs.
The Mask attackers designed at least two versions of their malware – for Windows and Linux-based machines – but the researchers believe there may also be mobile versions of the attack for Android and iPhone/iPad devices, based on some evidence they uncovered.
They targeted victims through spear-phishing campaigns that included links to web pages from which the malware was loaded onto their machines. In some cases, the attackers used familiar-seeming subdomains in their malicious URLs to trick victims into thinking they were visiting the legitimate sites of the top newspapers in Spain, or of the Guardian or the Washington Post. Once the user was infected, the malicious web site redirected the user to the legitimate site they had sought.
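A simple defensive check for the lookalike-subdomain trick described above, added here as an example (it is not code from the article or from Kaspersky). The brand list and the proxy log lines are constructed, and the "registrable domain" logic is a deliberate simplification that ignores public-suffix lists.

```python
# Added example: flag URLs whose hostname borrows a well-known site's name as a
# subdomain label while the registrable domain is something else entirely.
from urllib.parse import urlparse

# Constructed watch list: the article names Spanish newspapers, the Guardian
# and the Washington Post as the impersonated sites. Values are the real domains.
WATCHED_BRANDS = {
    "theguardian": "theguardian.com",
    "washingtonpost": "washingtonpost.com",
    "elpais": "elpais.com",
}

def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: no public-suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def lookalike_brand(url: str):
    """Return the impersonated brand name when a watched brand appears in a
    subdomain label of a host that does not actually belong to that brand."""
    host = (urlparse(url).hostname or "").lower()
    if registrable_domain(host) in WATCHED_BRANDS.values():
        return None  # genuinely the real site, nothing to flag
    sub_labels = host.split(".")[:-2]  # everything left of the registrable domain
    for brand in WATCHED_BRANDS:
        if any(brand in label for label in sub_labels):
            return brand
    return None

# Constructed proxy log: "<timestamp> <client-ip> <method> <url>" per line.
SAMPLE_PROXY_LOG = """\
2014-02-10T09:12:01Z 10.0.0.15 GET http://www.theguardian.com/world
2014-02-10T09:13:44Z 10.0.0.22 GET http://theguardian.com.news-update.example/story.html
2014-02-10T09:14:02Z 10.0.0.22 GET http://www.elpais.com/internacional/
2014-02-10T09:15:19Z 10.0.0.31 GET http://washingtonpost.example.net/politics
"""

def scan_proxy_log(log: str):
    """Return (client_ip, brand, url) for every request to a lookalike host."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash
        _ts, client, _method, url = parts[:4]
        brand = lookalike_brand(url)
        if brand:
            hits.append((client, brand, url))
    return hits
```

Lines 2 and 4 of the constructed log are flagged; the two requests to the real newspaper domains are not.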
Kaspersky discovered the operation last year when the attackers attempted to exploit a five-year-old vulnerability in a previous generation of Kaspersky’s security software, a flaw that had long since been patched.
Kaspersky researchers have sinkholed about 90 of the C&C domains the attackers were using, and the operation was shut down last week within a few hours of a short blog post the researchers published with a few details of the Mask campaign. Raiu said that after the post was published, the Mask operators rolled up their campaign within about four hours.
“We observed a very high degree of professionalism in the operational procedures of the group behind this attack,” Raiu says. “From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files. These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment.”
However, Raiu said that the attackers could resurrect the operation without much trouble.
“They could come back very quickly if they wanted,” he said.
The emergence of the malware underscores that software-based espionage is an important new source of power. Last year, documents leaked by Edward Snowden revealed that the National Security Agency has a large “Tailored Access Operations” department dedicated to building offensive hacking capabilities. If the NSA didn’t build Careto, it’s a safe bet that they have something like it. And intelligence agencies in China, Russia and other great powers are likely working on software like it too.