The Mask: Newly Discovered APT More Sophisticated Than Duqu

Last week Kaspersky Lab published a brief teaser announcing that it would shortly release full details on a recently discovered sophisticated APT campaign that it called the Mask. Those details have now been released.

The Mask, says Kaspersky, is more sophisticated than Duqu and likely to be a state-sponsored espionage campaign. Speaking at its Security Analyst Summit in Punta Cana, Dominican Republic, Kaspersky's director of global research and analysis Costin Raiu said the group behind the Mask “are absolutely an elite APT group; they are one of the best that I have seen. Previously in my opinion the best APT group was the one behind Flame – these guys are better.”

Flame, also first discovered by Kaspersky, is generally considered to have been developed by the same team that developed Stuxnet; and Stuxnet is believed to have been developed jointly by the US and Israel. The degree of sophistication together with the known targets leads Kaspersky to believe that this is another state-sponsored malware campaign – in this case one that has been in operation since at least 2007.

Mask, named after a string found within the code ('careto,' Spanish slang for 'mask' or 'ugly face'), includes a rootkit, bootkit, Mac, Linux and Windows versions (and probably iOS and Android), and other 'stealth' tactics. Even the behavior of the group was more than usually 'professional'. "We observed a very high degree of professionalism in the operational procedures of the group behind this attack," says Kaspersky, "including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files, etc. This level of operational security is not normal for cybercriminal groups."

The targets also indicate state espionage: government institutions, diplomatic offices and embassies, energy, oil and gas companies, research institutions, private equity firms and activists. The highest number of known infections (more than 380 have been located, but there could be more) occurred in Morocco, Brazil and the UK. Infection is targeted and achieved by spear-phishing. Victims have been socially-engineered to visit falsified web pages (the Guardian and Washington Post are mentioned by Kaspersky) where they were exploited before being redirected to the correct destination to allay suspicions.

The data sought and stolen by the Mask include encryption keys, VPN configurations, SSH keys and RDP files. "There are also several unknown extensions being monitored that we have not been able to identify and could be related to custom military/government-level encryption tools," says Kaspersky.

Kaspersky also mentions use of the CVE-2012-0773 vulnerability. "This was the first exploit to break the Chrome sandbox and was used to win the CanSecWest Pwn2Own contest in 2012," explains the company. "The exploit caused a bit of a controversy because the VUPEN team refused to reveal how they escaped the sandbox, claiming they were planning to sell the exploit to their customers. It is possible that the Careto threat actor purchased this exploit from VUPEN."

VUPEN has since denied this. Chaouki Bekrar, its CEO and head of research, tweeted yesterday, "Our official statement about #Mask: the exploit is not ours, probably it was found by diffing the patch released by Adobe after #Pwn2Own."

If Mask is state-sponsored, one obvious question is 'by whom?' Some malware gives clues to its origins in the language used or found in the code. If not English, the most common language clues tend to be Chinese or Russian. The Mask is different: the language points to Spanish-speaking developers. Kaspersky points out, however, "On the internet, it is extremely difficult to make a solid attribution due to the volatile nature of the way it was built." It notes that Spanish is spoken in many different countries, and adds, "We should also keep in mind the possibility of false flag attacks before making any solid assumption on the identity of who is responsible."

Following Kaspersky's investigation, the Mask appears to have been rapidly and systematically shut down and evidence erased. But that doesn't mean it is gone forever.