New Spanish cyber threat may be nation-state-sponsored


Thursday, 13 February, 2014


Security researchers have uncovered a potentially nation-state-sponsored, Spanish language-based cyber threat that has been active since at least 2007.

Researchers from Kaspersky Lab have dubbed the threat ‘The Mask’, an English translation of the Spanish word ‘Careto’, which they found in some of the threat’s malware modules.

Kaspersky said the people behind The Mask used a complex toolset in the attack.

“The cross-platform malware toolkit included at least one zero-day in its arsenal, along with versions of the Mask malware for Mac OS X, Linux, and perhaps even iOS and Android,” a statement from Kaspersky read.

“These guys are better than the Flame APT group because of the way that they managed their infrastructure. The speed and professionalism is beyond that of Flame or anything else that we’ve seen so far,” said Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis Team (GReAT).

According to the company, The Mask has primarily targeted government and strategic institutions, with victims being identified in 31 countries.

The attackers’ goal is to gather sensitive data from the infected systems, including office documents, encryption keys, VPN configurations, SSH keys and RDP files, Kaspersky said.

“Several reasons make us believe this could be a nation-state-sponsored campaign. This level of operational security is not normal for cybercriminal groups,” Raiu added.

The company warned that infection could be disastrous, as it “intercepts all communication channels and collects the most vital information from the victim’s machine”.

“Detection is extremely difficult because of stealth rootkit capabilities, built-in functionalities and additional cyber-espionage modules,” Kaspersky said.


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd