Incident Response, Malware, TDR, Vulnerability Management

Seven-year-long APT campaign identified, possibly state-sponsored

An advanced persistent threat (APT) known as Careto, or “The Mask,” has been identified by Kaspersky Lab researchers – who have also suggested the cyber-espionage operation dating back to 2007 could be a state-sponsored campaign.

Government institutions, diplomatic offices and embassies, research institutions, private equity firms, activists, and energy, oil and gas companies are among the groups being targeted in 31 countries, according to a Kaspersky Lab blog post, which adds that while the greatest number of victims were in Morocco, several were in the United States and United Kingdom.

Although all command-and-control servers were observed as offline starting in January, researchers were able to identify more than 380 unique victims at more than 1,000 Internet Protocol addresses by using an algorithm developed in-house.

Because not all command-and-control servers could be analyzed, the researchers indicated in the post that the number of victims could be higher.

“It is interesting to see that the attackers decided to shutdown the campaign, probably once they noticed they were monitored,” Aviv Raff, CTO with Seculert, told SCMagazine.com on Monday. “As they were running this operation for the past seven years, I wouldn't be surprised to see them come back with different tools and methods, while targeting companies from similar industries.”

Researchers could not say who is responsible for the operation, but the particularly high degree of professionalism in operational procedures have lead experts to believe this is a state-sponsored campaign.

“Infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files,” Costin Raiu, senior security researcher with Kaspersky Lab, told SCMagazine.com on Monday in an emailed statement. “This level of operational security is not normal for cyber-criminal groups.”

On Monday, Dmitry Bestuzhev, head of the Research Center with Kaspersky Lab, Latin America, told SCMagazine.com in an email correspondence that he definitely expects the Careto campaign to pop up again – maybe even under a different name.

“Now they know that this is the most sophisticated attack so far, so it's a kind of a new standard the other governments will try to reach,” Bestuzhev said. “So, the future of the cyber espionage is to copy the techniques and to improve it.”

Kaspersky Lab researchers identified the APT – which shows evidence of impacting Windows, Mac and Linux users, and possibly iOS and Android mobile users – after noticing attempts were being made to exploit a previously patched vulnerability in Kaspersky products to make the malware invisible. 

The operation relies on victims clicking on links to malicious websites in spear phishing emails, according to the blog post, which explains that the malware collects encryption keys, VPN configurations, and SSH keys and RDP files, as well as unknown extensions that could be related to military or government level encryption.

According to the post, the detection names for the malware are Trojan.Win32/Win64.Careto.* and Trojan.OSX.Careto. For further analysis, Kaspersky Lab released a more in-depth report.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.