We all face the threat of opportunistic malware designed to steal confidential information from anyone unlucky enough to get infected. But then there are customised attacks that are tailored to infiltrate organisations and harvest highly-sensitive data belonging to the victims. Such targeted attacks are focused on very selective corporate or government targets, rather than the online population as a whole. The latest of these to hit the headlines is 'The Mask' (known also as Careto - Spanish for 'ugly face' or 'mask').
For the techies among you, there's a detailed FAQ and comprehensive report. But I'd like to give an overview of how it works, its purpose, who's behind the attack and what it means for the rest of us.
What is 'The Mask'?
'The Mask' is a complex cyber-espionage campaign designed to steal sensitive data from various organisations, including government agencies, embassies, energy companies, research institutions, private equity firms and activists. The victims of the campaign, which may stretch back to 2007, are located in 31 countries around of the world - you can find the full list here .
How does it work?
The infection starts with a spear-phishing attack -an e-mail sent to employees within an organisation with a link to a malicious web site that contains a number of exploits. Once the victim is infected, they are then redirected to the legitimate site they expected to go to (e.g. a news portal, or video). 'The Mask' is able to intercept all communication channels and harvest all kinds of data from the infected computer. 'The Mask' (like Red October and other targeted attacks) allows the attackers to add new functionality at will - allowing them to keep developing it as required for their needs. 'The Mask' also casts its net wide - there are versions for Windows and Mac OS X and even evidence that there may also be versions for Linux, iOS and Android. The Trojan also uses very sophisticated stealth techniques to conceal its activities.
What's its purpose?
The key purpose of the attackers behind 'The Mask' is to steal data from their victims.
The malware collects a range of data from the infected system, including how to get around the security systems.
Who's behind the attack?
We don't have information that would enable us to identify the specific attackers. The use of the Spanish language doesn't help pin it down, since this language is spoken in many parts of the world. Also, it's possible that this could have been used as a false clue, to divert attention from whoever wrote it. The very high degree of professionalism of the group behind this attack is very unusual for cybercriminal groups: this is one indicator that 'The Mask' could be a state-sponsored campaign.
What's the significance of 'The Mask'?
This campaign underlines the fact that there are highly-professional attackers who have the resources and the skills to develop complex malware - in this case, to steal sensitive information from specific targets. It also highlights once again the fact that targeted attacks, because they generate little or no activity beyond the networks of their specific victims, can 'fly under the radar' and may not be detected for some time.
But it's equally important to recognise that, notwithstanding the sophistication of 'The Mask' and other targeted attacks, the starting-point is tricking individuals into doing something that undermines the security of the organisation they work for - in this case, by clicking on a link.
What it really means for you and me is that no matter what our role in the business we work for, cyber-criminals will try to work their way in any way they can and people are always the weakest link. Whether giving away too much information in a seemingly innocuous phone call or clicking on an interesting looking link in an e-mail, we need to be vigilant to the tricks of the cyber-criminals. We all need to take care not to become the weakest link in the security chain of the company we work for.