Hunt on for attackers after Kaspersky unmasks major APT campaign

News by Tim Ring

The perpetrators behind the Mask, reportedly one of the most sophisticated APT attacks ever seen, may never be traced after they hurriedly shut down the attack once they realised information security specialist Kaspersky was onto them.

Kaspersky revealed details of the attack earlier this week, saying the Mask's servers were closed down last month after an attack that ran from 2007 and struck at least 380 victims at over 1,000 IP addresses in 31 countries, including the UK and Gibraltar.

Victims ranged from government agencies, embassies and diplomatic offices to oil, gas and energy companies, private equity firms, and research organisations and activists. They included 109 systems infected in the UK, the third highest level of attack behind Morocco on 384 and Brazil on 137. Kaspersky said the numbers could be “much higher” as it tracked down only some of the servers involved.

In a 10 February blog post, Kaspersky described the Mask as “one of the most advanced threats at the current time” - so advanced that it suspects a nation state was behind it. The company also warned: “We cannot rule out the possibility of the attackers resurrecting the campaign at some point in the future.”

Company chairman and CEO Eugene Kaspersky tweeted that the Mask operation was shut down just four hours after Kaspersky posted the first information about it.

The Mask was a Spanish-language attack that Kaspersky says used “extremely sophisticated malware”, including a rootkit and a bootkit, to target users of Windows, Mac and probably Linux systems. The researchers suspect there were also versions hitting Android, iPad and iPhone users.

The attack was based on spear-phishing emails that lured victims to exploit websites that infected them, depending on which areas they clicked on and their system configuration. It then redirected the target to the benign website referred to in the email. It further covered its tracks by mimicking sections of the websites of legitimate newspapers such as The Guardian, Washington Post and the main newspapers in Spain.

Its perpetrators stole information from victims that would have allowed them to crack highly secure computers – including encryption keys, VPN configurations, SSH keys and RDP files, and data that Kaspersky couldn't identify but said “could be related to custom military/government-level encryption tools”.

Information security consultant Brian Honan of BH Consulting said this target information was significant. He said via email: “Instead of documents, financial details or login credentials, the malware looked to steal encryption keys. These could then be used to intercept secure communications of those whose encryption keys had been stolen, and also to digitally sign documents or other files to imitate the genuine users.

“To me this points that the Mask was a tool used to gather information to enable the attackers to launch more sophisticated attacks against their targets. So in effect the Mask is a good example of a genuine APT - advanced persistent threat - in that while the tool itself is sophisticated it is the parties behind the tool that are the APT.”

Kaspersky tried but failed to identify the attackers. And while it suspects a nation state, it may not necessarily be one that uses the Spanish language. The company said the high degree of professionalism and operational security among the attackers was not normal for cyber criminal groups.

“This and several other factors make us believe this could be a state-sponsored campaign,” it said, but added: “Attribution is a difficult task. Some clues such as the use of the Spanish language are weak, as it is spoken in many countries, including Latin America, Mexico or the US. We should also keep in mind the possibility of false flag attacks before making any solid assumption on the identity of who is responsible without very solid proof.”

Kaspersky Lab principal security researcher Vitaly Kamluk said via email: “In most cases it is impossible for us to trace such an operation down to its origins. The attackers were highly professional, they knew how to hide their identity in the internet.”

Jaime Blasco, director of AlienVault Labs, agreed that it will be hard to uncover who is behind the Mask “unless they made mistakes operating the infrastructure”.

Blasco added: “One important thing about the attackers is that they are really professionals. They were able to anticipate Kaspersky's public disclosure and they shut down all the infrastructure within four hours after Kaspersky published a short press release announcing the discovery. I think that Kaspersky didn't give any technical detail at that time, but the people behind the Mask were able to discover the operation was uncovered and they took the actions to remove as much information as they could.”

In its blog, Kaspersky said the Mask at one point used the Adobe Flash Player CVE-2012-0773 zero-day exploit. Dana Tamir, director of enterprise security at Trusteer, saw this as evidence of why it was so damaging.

She said: “The fact that the attackers took advantage of at least one zero-day vulnerability explains why it successfully infected users. Because a zero-day vulnerability is unknown, there is no patch available, and very little can be done to prevent the drive-by download and malware infection.”

Tamir added: “The best protection against zero-day exploits and drive-by downloads is based on exploit-chain disruption technology that breaks the malware delivery process.”

Kaspersky confirmed: “At the moment all known Careto C&C servers are offline.” But Brian Honan believes there is no guarantee that the Mask won't spark off future attacks. He said: “As we may have no way of knowing how many systems have been infected with this malware we have no guarantee that all the infected systems can be cleaned up. This leaves a number of systems remaining infected which could come under attack by anyone else who can set up the command and control systems for the Mask.

“Of course now that the Mask has been discovered it would be expected that many anti-virus software products will now detect it. But as we have seen in the past many systems may not have effective security controls, which is why we still see old viruses such as Conficker still infecting systems.”

Kaspersky spotted the Mask (‘Careto’ in Spanish) when it tried to exploit a vulnerability, now fixed, in the company's security products to make the malware invisible in the system.

Asked if Kaspersky had notified the victims, Kamluk told SCMagazineUK that the company had had no direct contact with them, but will provide the required information to local authorities.

Previous high-profile APT attacks have included Flame, which infiltrated computers in the Middle East, Stuxnet designed to sabotage the Iranian nuclear programme, and RedOctober which attacked diplomatic institutions.
