A newly uncovered cyber-spying attack has old Spanish oath embedded in its code


The cyber-spying attack has carefully selected its more than 1,000 victims in 31 countries, including Cuba.

Who is behind The Mask?

Is a nation-state behind one of the most sophisticated cyber-spying attacks ever seen? Is the attack really the work of a Spanish speaker? Or was a vulgar Spanish oath mixed into its 0s and 1s just to mislead any digital detectives?

Why did it specifically target 46 computers in Cuba? Why are so many of the victims in Morocco and Brazil of the attack known as The Mask? And although its targeting of governments and enterprises is understandable, why did it also target “activists?”

Those and many other questions remain unanswered even though Kaspersky Lab, the Russian computer security company that first spotted the spyware, has autopsied its inner workings and published a 65-page report to drive a stake through its heart.

Kaspersky said it believes the cyber spying attack is the work of a government because of its sophistication and the professionalism of its operational procedures, such as erasing its tracks and rejecting probes from known cyber-sleuths.

Active since 2007, the spyware uses two layers of encryption and scans for several file-name extensions that Kaspersky said are unknown but could be related to military or government-level encryption tools.

“These combine to … making it one of the most advanced threats at the moment. This level of operational security is not normal for cyber-criminal groups,” said Costin Raiu, head of the company’s Global Research and Analysis Team, in announcing its findings.

The Mask is designed to intercept virtually all digital information, including Internet, Skype and Wi-Fi traffic, keystrokes, screen captures and even encryption keys for PGP, a publicly available encryption system, according to Kaspersky’s Feb. 10 report.

But it carefully selects its victims: not just anybody who stumbles into its trap but government institutions, embassies, think tanks, private equity firms, energy, oil and gas companies and “activists,” the report noted.

The “activists” were not further identified in the report, although Kaspersky Lab expert Dmitry Bestuzhev said in an email to El Nuevo Herald that “in some cases it could be human rights.”

Kaspersky said it has found more than 1000 victims, many of them in Morocco and Brazil but others in Algeria, Argentina, Belgium, Bolivia, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Norway, Pakistan, Poland, Spain, South Africa, Switzerland, Tunisia, Turkey, United Kingdom, the United States and Venezuela.

Perhaps the most unusual feature of The Mask are the many hints within its code that it was the work of a Spanish speaker — the first instance ever seen of Spanish words mixed in within a top-level spyware, according to the company’s report.

One part of the code includes the word Careto, Spanish for mask or ugly face and the source of Kaspersky’s name for the attack. Another uses the word “Pruebas” — Spanish for Tests and a third uses “recetas” — recipes.

What’s more, the spyware’s configuration also included the term “Caguen1aMar” a contraction for a traditional curse in Spain, “Me cago en la mar,” the company reported. That roughly translates as “I defecate on the sea.”

The Mask also snagged many of its victims when they visited malicious web pages designed to look like part of the Spanish newspapers El País and El Mundo, the company said, as well as pages mimicking the Washington Post and the Guardian in London.

Kaspersky did not point a finger at any government or person, noting that Spanish is spoken in 21 countries and even in Miami. “We should also not exclude the possibility of a false flag operation, where the attackers intentionally planted Spanish words in order to confuse analysis,” Bestuzhev wrote.

The company found that The Mask had infected three separate institutions in Cuba and compromised a total of 46 computers on the island, the Russian expert added, as well as one institution in Venezuela. Kaspersky did not identify any of the entities infected.

All spyware attacks “look for very specific information. The victim is carefully selected,” Bestuzhev said. “That essentially means Careto attackers were interested in something specific located in those machines and in those countries.”

The attack operated though “spear-phishing” — emails that would lure the recipients to the fake newspaper and other pages. The spyware would offload critical and security information and then forward the recipients quickly to real pages that would arouse no suspicions.

Kaspersky said it had confirmed The Mask attacked Windows and Linux-based computers and suspects there are versions for iPhone/iPad and Android devices. Some of the servers involved appeared to have addresses in Dallas, Panama, Costa Rica, Argentina, Austria, Singapore, Malaysia and the Czech Republic.

The company discovered The Mask last year when it tried to attack one of Kaspersky’s security programs. It also had discovered Flame, one of the most advanced cyber-spying tools until The Mask came along, in 2012.

Kaspersky said it was able to “sinkhole” several command and control (C&C) servers for The Mask — taking them over in order to disrupt the flow of malicious traffic and peek into the spyware’s inner workings.

The attackers began taking the servers offline last month, it said, and all known C&C servers for The Mask are now offline. But the company said it could not rule out a return of the attack down the road.

Read more Cuba stories from the Miami Herald

Sixteen migrants are found crammed in this tiny boat around Alligator Lighthouse, which is about four miles offshore of Islamorada in the FLorida Keys.


    More than a dozen Cuban migrants rescued at sea in Keys; several taken to hospital

    A small blue homemade boat with a blue-and-white sail was discovered floating near Alligator Reef Lighthouse, about four miles offshore of Islamorada, on Wednesday. Crammed inside the motorless vessel were 16 Cuban migrants lying down, suffering from dehydration, according to the U.S. Coast Guard.

Elsa Lopez looks at her clothes and shoes she wore when she left Cuba with her parents at the age of two at the time. Her items are among several donated by Exiles on display at the VIP opening and presentation of the The Exile Experience: Journey to Freedom, at the Freedom Tower. The exhibit is a pictorial account of the struggles that the Cuban exile community has endured since Fidel Castro's rise to power, and the successes they have achieved in the United States, organized and curated by the Miami Dade College and The Miami Herald, on Wednesday September 10, 2014.


    Exhibition chronicles Cuban exiles story

    More than 1,000 people crammed into the Freedom Tower Wednesday night for a peek at an exhibition that honors one of the city’s oldest buildings – and captures the tales of hundreds of thousands of Cubans who fled the island and made Miami their new home.

This is the raft on which 16 Cubans sailed from Cuba to Alligator Reef Light off Upper Matecumbe Key this week.


    Cuban migrants found suffering from dehydration off the Keys

    Sixteen Cuban migrants were intercepted off the Upper Keys on Wednesday afternoon, and seven of them needed medical attention after suffering from extreme dehydration.

Miami Herald

Join the

The Miami Herald is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere on the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

The Miami Herald uses Facebook's commenting system. You need to log in with a Facebook account in order to comment. If you have questions about commenting with your Facebook account, click here.

Have a news tip? You can send it anonymously. Click here to send us your tip - or - consider joining the Public Insight Network and become a source for The Miami Herald and el Nuevo Herald.

Hide Comments

This affects comments on all stories.

Cancel OK

  • Marketplace

Today's Circulars

  • Quick Job Search

Enter Keyword(s) Enter City Select a State Select a Category