Researchers uncover cyber spying campaign dubbed "The Mask"

PUNTA CANA, Dominican Republic Tue Feb 11, 2014 2:41am IST

A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture. REUTERS/Kacper Pempel/Files

A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture.

Credit: Reuters/Kacper Pempel/Files

Related Topics



PUNTA CANA, Dominican Republic (Reuters) - A computer security software firm has uncovered what it calls the first cyber espionage campaign believed to be started by a Spanish-speaking country, targeting government agencies, energy companies and activists in 31 countries.

Dubbed "The Mask," the campaign had operated undetected since 2007 and infected more than 380 targets before it stopped last week, Moscow-based Kaspersky Lab said on Monday.

The firm declined to identify the government suspected to be behind the cyber spying, but said it had been most active in Morocco, followed by Brazil, the United Kingdom, France and Spain.

The suspected involvement of a Spanish-speaking nation is unusual as the most sophisticated cyber spying operations uncovered so far have been linked to the United States, China, Russia and Israel. Those nations have been said to be behind the Duqu, Gauss and Flame malware, for example.

Kaspersky Lab said the discovery of The Mask suggests that more countries have become adept in Internet spying. The firm's researchers only came across the operation because it infected Kaspersky's own software.

"There are many super-advanced groups that we don't know about. This is the tip of the iceberg," Costin Raiu, director of Kaspersky's global research team, said in an interview on the sidelines of a conference sponsored by his company in the Dominican Republic.

Raiu said The Mask hit government institutions, oil and gas companies and activists, using malware that was designed to steal documents, encryption keys and other sensitive files, as well as take full control of infected computers.

The operation infected computers running Microsoft Corp's (MSFT.O) Windows and Apple Inc's (AAPL.O) Mac software, and likely mobile devices running Apple's iOS and Google Inc's (GOOG.O) Android software, according to Kaspersky Lab.

The companies did not immediately respond to requests for comment.

Kaspersky Lab said it worked with Apple and other companies last week to shut down some of the websites that were controlling the spying operation.

The Russian-based company named the operation "The Mask" for the translation of the Spanish word "Careto," which appears in the malware code.

Among other things, The Mask hackers took advantage of a known flaw in Adobe Systems Inc's (ADBE.O) ubiquitous Flash software that permitted attackers to get from Google's Chrome web browser into the rest of a target's computer, Raiu said. Adobe fixed the flaw in 2012, he said.

A spokeswoman for Adobe confirmed that the company released an update to Flash in April 2012 that fixed the vulnerability. She declined to comment on Kaspersky Lab's research on The Mask.

Raiu said The Mask attackers may have been aided by a booming grey market for undisclosed software flaws and the tools for exploiting them, known as "zero-day" exploits because the makers of affected software have no notice of the danger. Buyers of zero-days often leave the software vulnerabilities unfixed in order to deploy spy software.

The Flash flaw had been uncovered in 2012 by a Paris-based company called Vupen, which specializes in finding such weaknesses. Vupen revealed the vulnerability at a hacking competition that year, but did not demonstrate how it can be exploited. Instead, Vupen said it would sell its research to its government clients.

Kaspersky Lab said The Mask was one of the few Internet spying campaigns exposed to date that appear to have links to a zero-day sale. Vupen Chief Executive Chaouki Bekrar disputed any connection to his company.

"Believe it or not, but there are many other companies selling zero-days," Vupen said via email.

Security experts have become increasingly concerned about the zero-day market, where governments including the United States are active buyers. A former top U.S. cybersecurity official, Richard Clarke, says that deliberately leaving vulnerabilities unfixed puts U.S. assets at risk.

Liam O'Murchu, a researcher at Symantec Corp (SYMC.O), said it was difficult to know who was behind The Mask.

"Just looking at the targets, it is not obvious who would want to target them; there is no obvious pattern," O'Murchu said via email. "The code is professionally written, but it's even difficult to say whether is it written by a government or by a private company that sells this type of software."

(Reporting by Jim Finkle and Joseph Menn; Editing by Tiffany Wu and Grant McCool)



2015: India Outlook

2015: India Outlook

India in 2014: A dream run for markets  Full Article 

Funding Woes

Funding Woes

Co-founder of SpiceJet seeks time to finalise rescue  Full Article 

Regulating Airfares

Regulating Airfares

India considers temporary cap on airfares - government official  Full Article 

Flying Back on Course

Flying Back on Course

The inside story of the new Airbus A350 jet  Full Article 

Oil Price Forecast

Oil Price Forecast

Oil prices likely to rebound in second half of 2015: poll  Full Article 

Cyber Attacks

Cyber Attacks

China condemns cyberattacks, but says no proof N.Korea hacked Sony  Full Article 

Connecting Markets

Connecting Markets

China stock connect scheme scorecard throws up surprises  Full Article 

Reuters India Mobile

Reuters India Mobile

Get the latest news on the go. Visit Reuters India on your mobile device  Full Coverage