Researchers have uncovered a sophisticated cyber spying operation that has been alive since at least 2007 and uses techniques and code that surpass any nation-state spyware previously spotted in the wild.
The attack, dubbed “The Mask” by the researchers at Kaspersky Lab in Russia who discovered it, targeted government agencies and diplomatic offices and embassies, before it was dismantled last month. It also targeted companies in the oil, gas and energy industries as well as research organizations and activists. Kaspersky uncovered at least 380 victims in more than two-dozen countries.
The attack – possibly from a Spanish-speaking country — used sophisticated malware, rootkit methods and a bootkit to hide and maintain persistence on infected machines. The attackers sought not only to steal documents, but to steal encryption keys, data about a target’s VPN configurations, and Adobe signing keys, which would give the attackers the ability to sign .PDF documents as if they were the owner of the key.
The Mask also went after files with extensions that Kaspersky has not been able to identify yet. The Kaspersky researchers believe the extensions may be used by customer government programs, possibly for encryption.
“They are absolutely an elite APT [Advanced Persistent Threat] group; they are one of the best that I have seen,” Costin Raiu, director of Kaspersky’s Global Research and Analysis Team said at a conference here today. “Previously in my opinion the best APT group was the one behind Flame . . . these guys are better.”
link.
No comments:
Post a Comment