One of the Most Advanced Global Cyber-espionage Operations: Spanish-speaking attackers targeting government institutions, energy, oil & gas companies and other high-profile victims
February 13, 2014

"New threat actor: Spanish-speaking attackers targeting government institutions, energy, oil & gas companies and other high-profile victims via cross-platform malware toolkit. Kaspersky Lab Uncovers 'The Mask': One of the Most Advanced Global Cyber-espionage Operations to Date Due to the Complexity of the Toolset Used by the Attackers"

Today Kaspersky Lab’s security research team announced the discovery of "The Mask" (aka Careto), an advanced Spanish-speaking threat actor that has been involved in global cyber-espionage operations since at least 2007. What makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated piece of malware, a rootkit, a bootkit, Mac OS X and Linux versions, and possibly versions for Android and iOS (iPad/iPhone).

The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists. Victims of this targeted attack have been found in 31 countries around the world – from the Middle East and Europe to Africa and the Americas.

The main objective of the attackers is to gather sensitive data from the infected systems. These include office documents, but also various encryption keys, VPN configurations, SSH keys (serving as a means of identifying a user to an SSH server) and RDP files (used by the Remote Desktop Client to automatically open a connection to the reserved computer).

Main findings:
  • The authors appear to be native Spanish speakers, which has been observed very rarely in APT attacks.

  • The campaign was active for at least five years until January 2014 (some Careto samples were compiled in 2007). During the course of Kaspersky Lab’s investigations, the command-and-control (C&C) servers were shut down.

  • We counted over 380 unique victims across 1000+ IPs. Infections have been observed in: Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.

  • The complexity and universality of the toolset used by the attackers makes this cyber-espionage operation very special. This includes leveraging high-end exploits, an extremely sophisticated piece of malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (iOS). The Mask also used a customized attack against Kaspersky Lab’s products.

  • Among the attack vectors, at least one Adobe Flash Player exploit (CVE-2012-0773) was used. It was designed for Flash Player versions prior to 10.3 and 11.2. This exploit was originally discovered by VUPEN and was used in 2012 to escape the Google Chrome sandbox to win the CanSecWest Pwn2Own contest.

For more details, kindly refer to this document and visit Kaspersky’s website on the following link.

© 2008 TRA. All rights reserved.