Who is behind The Mask?
Is a nation-state behind one of the most sophisticated cyber-spying attacks ever seen? Is the attack really the work of a Spanish speaker? Or was a vulgar Spanish oath mixed into its 0s and 1s just to mislead any digital detectives?
Why did it specifically target 46 computers in Cuba? Why are so many of the victims in Morocco and Brazil of the attack known as The Mask? And although its targeting of governments and enterprises is understandable, why did it also target “activists?”
Those and many other questions remain unanswered even though Kaspersky Lab, the Russian computer security company that first spotted the spyware, has autopsied its inner workings and published a 65-page report to drive a stake through its heart.
Kaspersky said it believes the cyber spying attack is the work of a government because of its sophistication and the professionalism of its operational procedures, such as erasing its tracks and rejecting probes from known cyber-sleuths.
Active since 2007, the spyware uses two layers of encryption and scans for several file-name extensions that Kaspersky said are unknown but could be related to military or government-level encryption tools.
“These combine to … making it one of the most advanced threats at the moment. This level of operational security is not normal for cyber-criminal groups,” said Costin Raiu, head of the company’s Global Research and Analysis Team, in announcing its findings.
The Mask is designed to intercept virtually all digital information, including Internet, Skype and Wi-Fi traffic, keystrokes, screen captures and even encryption keys for PGP, a publicly available encryption system, according to Kaspersky’s Feb. 10 report.
But it carefully selects its victims: not just anybody who stumbles into its trap but government institutions, embassies, think tanks, private equity firms, energy, oil and gas companies and “activists,” the report noted.
The “activists” were not further identified in the report, although Kaspersky Lab expert Dmitry Bestuzhev said in an email to El Nuevo Herald that “in some cases it could be human rights.”
Kaspersky said it has found more than 1000 victims, many of them in Morocco and Brazil but others in Algeria, Argentina, Belgium, Bolivia, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Norway, Pakistan, Poland, Spain, South Africa, Switzerland, Tunisia, Turkey, United Kingdom, the United States and Venezuela.
Perhaps the most unusual feature of The Mask is the many hints within its code that it was the work of a Spanish speaker — the first instance ever seen of Spanish words mixed into top-level spyware, according to the company’s report.
One part of the code includes the word Careto, Spanish for mask or ugly face and the source of Kaspersky’s name for the attack. Another uses the word “Pruebas,” Spanish for tests, and a third uses “recetas,” recipes.
What’s more, the spyware’s configuration also included the term “Caguen1aMar,” a contraction of a traditional curse in Spain, “Me cago en la mar,” the company reported. That roughly translates as “I defecate on the sea.”
The Mask also snagged many of its victims when they visited malicious web pages designed to look like part of the Spanish newspapers El País and El Mundo, the company said, as well as pages mimicking the Washington Post and the Guardian in London.
Kaspersky did not point a finger at any government or person, noting that Spanish is spoken in 21 countries and even in Miami. “We should also not exclude the possibility of a false flag operation, where the attackers intentionally planted Spanish words in order to confuse analysis,” Bestuzhev wrote.
The company found that The Mask had infected three separate institutions in Cuba and compromised a total of 46 computers on the island, the Russian expert added, as well as one institution in Venezuela. Kaspersky did not identify any of the entities infected.
All spyware attacks “look for very specific information. The victim is carefully selected,” Bestuzhev said. “That essentially means Careto attackers were interested in something specific located in those machines and in those countries.”
The attack operated through “spear-phishing” — emails that would lure the recipients to the fake newspaper and other pages. The spyware would offload critical and security information and then quickly forward the recipients to the real pages so as to arouse no suspicion.
Kaspersky said it had confirmed The Mask attacked Windows- and Linux-based computers and suspects there are versions for iPhone/iPad and Android devices. Some of the servers involved appeared to have addresses in Dallas, Panama, Costa Rica, Argentina, Austria, Singapore, Malaysia and the Czech Republic.
The company discovered The Mask last year when it tried to attack one of Kaspersky’s security programs. In 2012 it had also discovered Flame, one of the most advanced cyber-spying tools until The Mask came along.
Kaspersky said it was able to “sinkhole” several command and control (C&C) servers for The Mask — taking them over in order to disrupt the flow of malicious traffic and peek into the spyware’s inner workings.
The attackers began taking the servers offline last month, it said, and all known C&C servers for The Mask are now offline. But the company said it could not rule out a return of the attack down the road.