Spy Outfit Has Infiltrated More Than 380 Victims in 31 Countries Since 2007

Advanced secret spy organization called "The Mask" has used a sophisticated form of malware to infiltrate governments and universities, among others, for the last seven years.


Governments. Embassies. Energy companies. Universities. Activists.

They've all been victims of what researchers are calling one of the most advanced cybersecurity threats they've ever seen.

On Monday, a Kaspersky Lab security research team released details about a secretive organization called The Mask. At a security analyst summit, the researchers said the group has evolved into a nation-state spying tool and has been operating since at least 2007.

The group appears to be Spanish-speaking and goes by the name Careto (which means "ugly face" or "mask").

Using a sophisticated form of malware, the researchers said Careto has infiltrated more than 380 unique victims in 31 countries.

"Several reasons make us believe this could be a nation-state sponsored campaign," said Costin Raiu, director of the global research and analysis team for Kaspersky. "We observed a very high degree of professionalism in the operational procedures of the group behind this attack. This level of operational security is not normal for cyber-criminal groups."

The discovery highlights the increasing sophistication of cyber criminals, and the resources they are bringing to bear on attacks. In this case, it remains unclear which nation might, in fact, be sponsoring the group.

In addition, just as Kaspersky was preparing to publish its report, the organization appears to have gone dark and shut down all its operations.

According to a news release:

"Kaspersky Lab researchers initially became aware of Careto last year when they observed attempts to exploit a vulnerability in the company's products which was fixed five years ago. The exploit provided the malware the capability to avoid detection. Of course, this situation raised their interest and this is how the investigation started."

Kaspersky discovered that the group used phishing emails with phony links that appear to be for, among others, the Washington Post, the Guardian and YouTube. Instead, the links install the malware that allows The Mask to collect documents such as encryption keys.

With The Mask having gone offline, Kaspersky researchers said in the report they couldn't be sure the group would reemerge in some other fashion.

©2014 Los Angeles Times
