The UK has been hit by 109 unique attacks in one of the most advanced global cyber espionage campaigns to date, one that went undetected for more than five years.
The UK is one of 31 countries to have been hit by the campaign that has targeted government institutions, diplomatic offices, embassies, oil and gas companies, research organisations and activists.
Morocco was the most highly targeted country with 384 unique attacks, followed by Brazil with 173 and the UK with 109. More than 1,000 IP addresses are believed to have been affected.
Details about the operation have been released by researchers from security firm Kaspersky Lab who believe the campaign could be state sponsored.
The Kaspersky researchers have dubbed the whole operation “The Mask”, the English translation for the Spanish word Careto, which is what the attackers called their main backdoor program.
The complexity and universality of the toolset used by the attackers makes this cyber espionage operation very special, researchers said.
The Mask also used a customised attack against Kaspersky Lab’s products, and its attack vectors included at least one Adobe Flash Player exploit (CVE-2012-0773).
The researchers said the main objective of the attackers is to gather sensitive data from the infected systems.
These include office documents, but also various encryption keys, virtual private network (VPN) configurations, SSH keys used to authenticate a user to an SSH server, and RDP files used by the remote desktop client to open a connection to a saved remote computer automatically.
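The items in that list matter because many of them are credentials in their own right: an unencrypted SSH private key, an RDP file with a saved password or a VPN profile with an embedded secret is immediately usable once copied off the machine. The script below is an added example, not code from the article or from Kaspersky’s report, that inventories this material and reports the items that would hand a usable credential to whoever steals them. The sample files, the file names and the (truncated) openssh-key-v1 blobs are constructed for illustration and written to a temporary directory; on a real host, point scan() at the users’ home directories.

```python
"""Added example: inventory of credential material of the kinds the article
says The Mask collects, flagging the items that are usable on theft.
Sample files are constructed and written to a temp directory."""
import base64
import os
import re
import struct
import tempfile

def openssh_key_is_encrypted(data: bytes):
    """True/False for a private key, None if the file is not a private key.
    Handles the legacy PEM form and the openssh-key-v1 container."""
    text = data.decode("utf-8", "replace")
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        raw = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            return None
        # The first field after the magic is a length-prefixed cipher name;
        # "none" means the key material is stored in the clear.
        (n,) = struct.unpack(">I", raw[len(magic):len(magic) + 4])
        cipher = raw[len(magic) + 4:len(magic) + 4 + n]
        return cipher != b"none"
    if re.search(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", text):
        return "Proc-Type: 4,ENCRYPTED" in text
    return None

def rdp_stores_password(text: str) -> bool:
    # mstsc writes a saved credential as "password 51:b:<DPAPI blob>".
    return re.search(r"^password 51:b:", text, re.M) is not None

def ovpn_embeds_secret(text: str) -> bool:
    # An inline <key> block or an auth-user-pass file makes the profile
    # self-sufficient for a thief.
    return "<key>" in text or re.search(r"^auth-user-pass\s+\S+", text, re.M) is not None

def scan(root):
    """Walk root and return (path, finding) pairs worth fixing."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            text = data.decode("utf-8", "replace")
            enc = openssh_key_is_encrypted(data)
            if enc is False:
                findings.append((path, "unencrypted SSH private key"))
            elif name.endswith(".rdp") and rdp_stores_password(text):
                findings.append((path, "RDP file with saved credential"))
            elif name.endswith(".ovpn") and ovpn_embeds_secret(text):
                findings.append((path, "VPN config with embedded secret"))
            # Any private key, encrypted or not, should not be readable by other users.
            if enc is not None and os.name == "posix" and os.stat(path).st_mode & 0o077:
                findings.append((path, "private key readable by other users"))
    return findings

def _openssh_container(cipher: bytes) -> str:
    # Constructed, truncated openssh-key-v1 blob: just enough header for the cipher check.
    raw = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(raw).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed sample files (hypothetical names and contents).
SAMPLE_FILES = {
    "id_rsa_plain": _openssh_container(b"none"),
    "id_rsa_locked": _openssh_container(b"aes256-ctr"),
    "legacy_locked.pem": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                         "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "server.rdp": "full address:s:10.0.0.20\npassword 51:b:01000000D08C9DDF\n",
    "office.ovpn": "client\nremote vpn.example 1194\nauth-user-pass creds.txt\n",
    "notes.txt": "nothing sensitive here\n",
}

def write_samples(root):
    for name, content in SAMPLE_FILES.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, 0o600)
    return root

def demo():
    """Write the samples and return (file name, finding) pairs."""
    root = write_samples(tempfile.mkdtemp())
    return sorted((os.path.basename(p), f) for p, f in scan(root))

if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name}: {finding}")
```

Only the plaintext OpenSSH key, the RDP file with a saved credential and the VPN profile that names a credentials file are reported; the passphrase-protected keys pass because stealing them still leaves the attacker a passphrase to brute-force. Where the script is run as a user other than the file owner, the permission check is what tells you whether the material was ever exposed more widely than it needed to be.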
“Several reasons make us believe this could be a nation-state-sponsored campaign,” said Costin Raiu, director of the global research and analysis team at Kaspersky.
“First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack, which is not normal for cyber criminal groups. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules, to using wiping instead of deletion of log files.
“These combine to put this advanced persistent threat [APT] ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment,” he said.
Kaspersky Lab researchers first discovered the cyber espionage operation in 2013 when they observed attempts to exploit a vulnerability in the company’s products which was fixed five years ago.
For the victims, an infection with The Mask can be disastrous. The malware intercepts all communication channels and collects the most vital information from the target machine.
Detection is extremely difficult because of stealth rootkit capabilities, built-in functionalities and additional cyber espionage modules, the researchers said.
They said the authors appear to be Spanish speaking, which has been observed very rarely in APT attacks.
The campaign was active for at least five years until January 2014, when Kaspersky Lab shut down the command and control servers.
According to Kaspersky Lab’s analysis report, The Mask campaign relies on spear-phishing emails with links to a malicious website. The malicious website contains a number of exploits designed to infect the visitor, depending on system configuration. Upon successful infection, the malicious website redirects the user to the benign website referenced in the email, which can be a YouTube movie or a news portal.
Researchers said it is important to note the exploit websites do not automatically infect visitors; instead, the attackers host the exploits at specific folders on the website, which are not directly referenced anywhere, except in malicious emails.
Sometimes, the attackers use sub-domains on the exploit websites to make them seem more real. These sub-domains simulate sub-sections of the main newspapers in Spain, plus some international ones, for instance The Guardian and Washington Post.
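That delivery chain leaves a recognisable trace in web-proxy logs: a single request to a path on a host that borrows a newspaper’s name but is not on the newspaper’s real domain, answered by a redirect to the genuine newspaper or to YouTube, which the client then follows. The script below is an added example, not code from the article or from Kaspersky’s report, that hunts for that sequence. The log format, the hostnames, the client addresses and the list of imitated brands are all constructed or assumed for illustration; the benign redirect targets and the brand list should be extended from your own environment’s traffic.

```python
"""Added example: hunt in constructed proxy logs for a visit to a
newspaper-lookalike host that is answered by a redirect to a benign site."""
import re
from datetime import datetime, timedelta

# Newspaper brands the attackers imitated in sub-domains, mapped to the
# genuine registrable domain (list assumed for the example).
IMITATED_BRANDS = {
    "theguardian": "theguardian.com",
    "washingtonpost": "washingtonpost.com",
    "elpais": "elpais.com",
    "elmundo": "elmundo.es",
}
# Benign destinations the exploit page hands the victim on to.
BENIGN_TARGETS = {"youtube.com"} | set(IMITATED_BRANDS.values())

# Constructed log format: timestamp client method url status [location]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3})(?: (?P<location>\S+))?$"
)

def host_of(url):
    m = re.match(r"^https?://([^/:]+)", url)
    return m.group(1).lower() if m else ""

def registrable_domain(host):
    # Adequate for the constructed data; real code would consult a public-suffix list.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def imitated_brand(host):
    """Brand name if the host mentions a newspaper but is not on its real domain."""
    reg = registrable_domain(host)
    for brand, real in IMITATED_BRANDS.items():
        if brand in host and reg != real:
            return brand
    return None

def parse_log(lines):
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def find_exploit_chains(lines, follow_window=timedelta(seconds=30)):
    """Flag lookalike-host requests answered by a redirect to a benign site,
    noting whether the same client then followed the redirect."""
    records = list(parse_log(lines))
    findings = []
    for i, rec in enumerate(records):
        brand = imitated_brand(host_of(rec["url"]))
        if brand is None or not rec["status"].startswith("3") or not rec["location"]:
            continue
        if registrable_domain(host_of(rec["location"])) not in BENIGN_TARGETS:
            continue
        followed = any(
            r["client"] == rec["client"]
            and r["url"] == rec["location"]
            and timedelta(0) <= r["ts"] - rec["ts"] <= follow_window
            for r in records[i + 1:]
        )
        findings.append({
            "client": rec["client"],
            "exploit_url": rec["url"],
            "imitates": brand,
            "redirected_to": rec["location"],
            "followed": followed,
        })
    return findings

# Constructed sample traffic: one victim plus two benign sequences that must not fire.
SAMPLE_LOG = """
2014-01-10T09:12:01 10.0.0.5 GET http://politica.elpais.news-mirror.example/2014/01/pages/ 302 http://www.youtube.com/watch?v=abc123
2014-01-10T09:12:02 10.0.0.5 GET http://www.youtube.com/watch?v=abc123 200
2014-01-10T09:13:00 10.0.0.7 GET http://www.theguardian.com/world 200
2014-01-10T09:14:00 10.0.0.9 GET http://links.example/abc 302 http://www.washingtonpost.com/
2014-01-10T09:15:00 10.0.0.9 GET http://www.washingtonpost.com/ 200
""".strip().splitlines()

if __name__ == "__main__":
    for finding in find_exploit_chains(SAMPLE_LOG):
        print(finding)
```

The redirect from the link shortener to the Washington Post is deliberately left alone: a redirect to a benign site is far too common to alert on by itself, and the signal here is the combination of a lookalike host and the hand-off to the site it imitates. Because the exploit directories are never linked from anywhere but the phishing e-mail, the flagged URL is also a good pivot into mail logs to find the other recipients.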
The Mask is a highly modular system. It supports plug-ins and configuration files, which allow it to perform a large number of functions. In addition to the built-in functionality, the operators could upload additional modules to perform any malicious task.