Kaspersky Lab busts advanced cyber spying ring that spans 31 countries
Kaspersky Lab has uncovered a global cyber-espionage ring that had been operating undetected across 31 countries since 2007
Feb 19, 2014
Kaspersky experts say cyber-criminals targeted primarily government organizations, diplomatic missions, energy corporations, research centers and political activists.
The spy ring, dubbed "The Mask," allegedly infected a total of 380 high-profile targets over the eight years of its existence, using malware that was designed to steal documents, encryption keys and other sensitive files, as well as take full control of infected computers.
Hackers had at their disposal a wide arsenal of cross-platform malware that infected computers running various operating systems, including hard-to-crack Mac OS X, Linux and most likely iOS.
Costin Raiu, Director of Kaspersky’s global research & analysis team, said there were several reasons to believe that the busted Mask ring was a nation-state sponsored campaign.
He said the group displayed an extremely high degree of sophistication, which made it one of the most advanced global cyber-espionage operations to date.
"These guys are better than the Flame APT group because of the way that they managed their infrastructure. The speed and professionalism is beyond that of Flame or anything else that we’ve seen so far," Raiu said.
Costin Raiu also noted that The Mask’s level of operational security was "not normal for cyber-criminal groups."
Kaspersky Lab analysts identified the native language of the hackers as Spanish, which is very unusual for this type of cybercrime. The very name of the operation stems from the Spanish "Careto" for "mask," a word that appeared in the malware code.
Kaspersky also said the campaign was at its most active over at least five consecutive years, up until this January, with some malware components dating back to 2007.
The revelations prompted the shutdown of operating servers associated with the espionage ring. The Russian antivirus company also detected and removed all known versions of The Mask malware.