Experts uncover 'most advanced' global cyber-espionage ops

'Threat likely developed by an unidentified nation-state'

MANILA, Philippines - A team of computer security experts based in Russia discovered the "most advanced" global cyber-espionage operations called "The Mask."

Kaspersky Lab security research team tracked The Mask and was led to its targets primarily of government institutions, diplomatic offices, embassies, companies offering energy, oil and gas, activist organizations as well as think tanks.

In a statement released by Kaspersky Southeast Asia, the firm said it has stopped The Mask's five-year operations in January by shutting down its command-and-control servers.

The experts described the powerful toolset rendered in the Spanish language as capable of monitoring government activities including those related to national security.

"[The Mask] includes an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone)," Kaspersky said.

Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky believes that the operations could be sponsored by a nation-state.

"First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files," he said.

Raiu explained that the attackers using The Mask aimed to gather sensitive data such as office documents and encryption keys from infected systems.

He said that The Mask also employs capabilities of highly sophisticated systems such as Duqu previously uncovered, making it "one of the most advanced threats at the moment."

"This level of operational security is not normal for cyber-criminal groups," Riau added, stressing that only a government could develop such a tool.

Discovery

Kasperky Lab researchers stumbled about The Mask almost by accident as it was examining a vulnerability in the company's anti-virus and malware products.

The Mask managed avoid detection as it attempted to intercept communication channel and collects data from over 380 unique computers across the globe.

Modus operandi

In its analysis report, Kasperky Lab experts noted how the cyber-spy system relies on e-mails with links to malicious website.

It also tries to make the sites look credible by using sub-domains of popular portals such as The Guardian and Washington Post.

"Upon successful infection, the malicious website redirects the user to the benign website referenced in the e-mail, which can be a YouTube movie or a news portal," the report explained.