by David R. Mair
Recently, Kaspersky announced that they had identified a global cyber espionage operation. They stated that over 380 organisations in 31 countries were victims of the Mask – a shadowy cyber agent that has been collecting data on governments, embassies, businesses and other sensitive organisations. The culprits behind the malware are unknown – but the evidence points to individuals in a country that speaks Spanish. The malware itself is extremely sophisticated and has operated undetected for seven years, secretly collecting data and compromising communications channels. The infographic below identifies the countries which have, so far, been identified as targets.
Allow me to reiterate: 31 countries, 380+ victims, over 7 years. Imagine the level of data leakage. Think about what kind of confidential information is held by the targeted organisations, and what kind of diplomatic and economic damage could have – or may have – been done by this. The Mask represents an aspect of the Snowden leaks as if he were still in post; except instead of only having access to the US intelligence networks, he had access to the secure communications networks of 31 countries.
The sophistication of this operation cannot be overstated. The creators managed to sneak their malicious software into some of the highest echelons of power and most secure IT systems in the world. Not only that, but they managed to remain undetected for years. The code should have been identified, traced and eliminated as soon as it appeared. Instead it was left to flourish in a highly complex and hostile environment – where it excelled at both identifying and extracting confidential and clandestine material.
The way that the Mask worked is relatively simple. The attackers sent their targets an email which contained personal information, directing them to a website. When the victim clicked on this link, they were directed to a compromised website which scanned the computer that they were using; noting what software it was running, the operating system, the browser – anything that could be exploited in a cyber attack to gain administrator access to the network and install the malicious Mask software. This tactic of spear-phishing followed by exploitation is almost exactly the same as that of the Blackhole exploit kit that has facilitated so many cyber criminals over the past few years, albeit on a much more professional and undetectable level.
The Mask is no longer active. It was shut down during Kaspersky’s investigation into how it operated and how far it had penetrated. It is unknown whether or not its developers were aware of Kaspersky’s discovery or if the product had reached its natural end. What is clear, though, is that the Mask will not be the last discovery of a global and complex cyber espionage operation. There are a number of reasons for this.
First, the use of cyber tools is deniable. Let’s create a hypothetical situation. Let’s say that country A and country B are concerned that country C appears to be refining uranium that might be used for developing nuclear warheads (country C claims that it is refining the uranium to develop a peaceful nuclear power programme but has a history of animosity towards countries A and B and might be lying). Countries A and B decide that the risk of nuclear proliferation is too great and that immediate action must be taken to stop country C in its tracks. Countries A and B decide on building a cyber weapon that targets the process of enriching uranium, spinning the nuclear centrifuges within the nuclear power plant faster than they can handle; and ruining the process entirely. Of course, this hypothetical situation has already occurred and is known as the Stuxnet virus. However, despite accusations and finger-pointing, it wasn’t known until last year that America and Israel were behind this attack – beforehand they were able to deny any involvement as there was no direct evidence to link either nation to the code.
Cyber weapons, when used properly, can be used with impunity by the nations that have developed them. After all, who is to say whether an advanced persistent threat is an attack by a hostile government’s hackers or an attempt to exploit networks by a sophisticated cyber criminal group? Even when cyber weapons are used to such a high professional standard, what evidence can be generated to link a specific government to their use? Intelligence agencies and governments can use cyber means to spy on their enemies without risking the diplomatic fallout that might come from using more direct methods.
This brings me to the second reason why we are likely to see an increase in cyber espionage in the future; it is arguably safer than using agents. For years now, the security agencies have recruited key individuals who sit at important junctions within organisations and agencies of interest. These recruits then pass information to their handler which is used to build intelligence around subjects pertinent to the interests of the security industry and their political masters. However, recruiting these agents comes at a price; there is a financial cost to running agents, but more importantly, there is a human factor involved. Intelligence officers have to convince potential agents to work for them. Should a potential agent refuse or, worse, play along in order to spread disinformation, more is lost than is gained. If the potential agent was to inform their superiors of the attempt made to turn them, then the game is up. Security would be tightened around valuable assets, covers would be blown and accessing relevant individuals would become that much harder.
Cyber espionage does not rely on the whims of humans. There is no individual to try to convince to turn spy – just computers to exploit and data to compromise. As I have explained in this blog before; computers know nothing of loyalty – they will authorise access to anyone who can produce the relevant password.
The final reason that we will continue to see cyber espionage programmes revealed is a very simple one – even cyber spies leave digital footprints. While the Mask went undetected for seven years, this is only because nobody knew what to look for. Now that researchers are aware of the Mask’s signature, they can uncover it wherever it has been. The Mask might have shut down its operations, but it has left evidence of its existence behind on computer systems. Once a cyber espionage programme has been launched, it cannot be recalled without significant effort. Stuxnet had a self-destruct sequence coded into it, though it was unable to remove itself before discovery. The Mask, too, was discovered before it could be eradicated from view. Future operators of these cyber tools may become more adept at hiding themselves from identification and analysis, but others are likely to be found by enquiring researchers before the owners can pull the plug.
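To make the "digital footprints" point concrete, here is a small retrospective sweep of the kind a defender runs once indicators for an operation like the Mask are published: it walks old web-proxy logs looking for the compromised-site hostnames and payload hashes from a report, and works out how long each machine had been in contact with them before the operation was discovered (the same email-link-to-compromised-site chain described above). This is an added illustration, not code from the original post or from Kaspersky; the indicator hostnames, the zero-filled hash, the log format and the log lines are all constructed placeholders, and the discovery date is assumed.

```python
"""Retrospective indicator sweep over proxy logs (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed indicators standing in for a published report's IoCs.
# The hostnames use the reserved .invalid TLD so they can never resolve;
# the hash is a placeholder, not a real sample digest.
IOC_HOSTS = {"update-check.invalid", "cdn-static.invalid"}
IOC_SHA256 = {"0" * 64}

# Constructed proxy log lines, one request per line:
# "<ISO timestamp> <src_ip> <user> <url> <status> <sha256 of response body or ->"
SAMPLE_LOG = """\
2007-03-02T09:14:05 10.1.4.20 jdoe http://intranet.example/home 200 -
2007-03-02T09:16:41 10.1.4.20 jdoe http://www.update-check.invalid/landing.php 200 -
2007-03-02T09:16:43 10.1.4.20 jdoe http://files.example/payload.bin 200 0000000000000000000000000000000000000000000000000000000000000000
2009-11-18T14:02:10 10.1.4.20 jdoe https://mail.example/inbox 200 -
2013-06-30T22:40:11 10.1.9.7 asmith http://cdn-static.invalid/u.js 200 -
2014-01-05T08:00:00 10.1.9.7 asmith http://news.example/ 200 -
"""


@dataclass
class Hit:
    ts: datetime
    src_ip: str
    user: str
    host: str
    reason: str  # "ioc-host" or "ioc-hash"


def host_matches(host: str) -> bool:
    """True if host equals an indicator or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_HOSTS)


def parse_line(line: str) -> Optional[tuple]:
    """Split one log line into fields; malformed lines are skipped."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, user, url, status, digest = parts
    return datetime.fromisoformat(ts), src, user, url, status, digest


def sweep(lines: Iterable[str]) -> list[Hit]:
    """Return every request that touched an indicator host or fetched an indicator hash."""
    hits: list[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, user, url, _status, digest = rec
        host = urlsplit(url).hostname or ""
        if host_matches(host):
            hits.append(Hit(ts, src, user, host, "ioc-host"))
        elif digest in IOC_SHA256:
            hits.append(Hit(ts, src, user, host, "ioc-hash"))
    return hits


def dwell_days(hits: list[Hit], discovered: datetime) -> dict[str, int]:
    """Days between each source's earliest indicator contact and the discovery date."""
    first: dict[str, datetime] = {}
    for h in hits:
        first[h.src_ip] = min(first.get(h.src_ip, h.ts), h.ts)
    return {ip: (discovered.date() - ts.date()).days for ip, ts in first.items()}


if __name__ == "__main__":
    found = sweep(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.ts.isoformat()} {h.src_ip} {h.user} {h.host} [{h.reason}]")
    # Assumed discovery date for the constructed scenario.
    print(dwell_days(found, datetime(2014, 2, 10)))
```

The point of the second function is the one the paragraph makes: the indicator contacts were sitting in the logs the whole time, and only the lack of a signature kept them invisible. Subdomain matching matters because landing pages are routinely served from hosts under a known bad domain rather than the bare domain itself.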
This time it seems that all that was left behind was a mask