A security firm has discovered a new, highly sophisticated spy operation launched by a group of nation-state hackers that has infected more than 380 high-profile targets in 31 countries — and for once, China might not be the No. 1 suspect behind the attacks.
The hackers seem to be Spanish-speaking, which is unique in this kind of operation; it's often attributed to Chinese or Russian hackers working for their own governments. The operation, called The Mask, is one of the most — if not the most — sophisticated cyberespionage campaigns ever seen, according to the researchers at Kaspersky Lab who uncovered it.
See also: Cybersecurity Simplified: A Reality Check for the Digital Age
To the Kaspersky researchers, the hackers behind The Mask were even more effective than the hacker behind Flame, a complex malware campaign against Iranian computers discovered in 2012.
"The speed and professionalism is beyond that of Flame or anything else that we’ve seen so far," said Costin Raiu, one of the researchers who worked on The Mask report, at the Kaspersky Security Analyst Summit on Monday, according to Threatpost.
In fact, The Mask is "one of the most advanced threats at the moment,"" the researchers wrote in the paper detailing their findings.
Kaspersky researchers believe that the hackers have Spanish roots because of Spanish words found in the malware, such as careto, which means "mask" in Spanish (hence the name of the operation). They also found slang terms like Caguen1aMar, a contraction for "me cago en la mar" — a common expletive that literally means "I sh*t in the sea" but roughly translates to "f*ck." However, the hackers might have planted these clues to send investigators off track, warned observers and Kaspersky experts.
"This is all speculation since these could be false flags," Cesar Cerrudo, chief technology officer at security firm IOactive, told Mashable. "Others could have created the malware and put those strings on purpose to mislead — I wouldn't discount that."
But other breadcrumbs point toward Spain or a Spanish-speaking country as the origin of the hackers. To install the malware on the targets' computers, the hackers used phishing emails that included malicious links that seemed to point to news websites, most of them Spanish dailies like El Mundo and El Pais. But they also included fake links to The Guardian, The Washington Post and Time.
The hackers targeted government agencies, embassies, energy companies and research institutions — all common victims of a nation-sponsored operation.
What was uncommon — and what leads Raiu and his colleagues to call this the most advanced cyberespionage campaign ever seen (and they have uncovered a number of them, including Red October, MiniDuke and NetTraveler — is the sophistication level of some of the malware used in The Mask.
Once a target clicked on the malicious link and visited a website created by the hackers, the malware would monitor the target's browsing activities, record keystrokes, intercept Skype conversations, steal files and even encryption keys. These keys, for example, could be used to decipher the target's encrypted emails. The malware was also designed to steal files with unknown and uncommon extensions that could be custom military or government encrypted files.
The malware worked not only on Windows PCs, but also on computers running on MacOS, Linux. Researchers even believe the malware could infect iPhones and Android phones, but could not verify this.
Interestingly, the researchers found that the hackers used an exploit in Adobe's Flash Player, initially found by Vupen, a French company that sells hacking tools and vulnerabilities that allow governments and law enforcement agencies to install malware on their targets' computers.
However, Chaouki Bekrar, Vupen's CEO and lead researcher, denied invovlement with the malware.
"The exploit is not ours," he tweeted.
Researchers found evidence that the operation started in 2007, but all the infrastructure supporting it was shut down last week, just four hours after Kaspersky posted a short blog post with very few details about The Mask. Jaime Blasco, the director of security firm AlienVault Labs, told Mashable that it's an "incredible quick reaction."
Have something to add to this story? Share it in the comments.