WASHINGTON: Security researchers said Monday they discovered cyber-espionage malware that has hit governments and companies in 31 countries and is likely state-sponsored.
Kaspersky Lab researchers said the Spanish-language malware known as “The Mask” or “Careto” has been used since at least 2007 and is unusually complex, with versions that may infect mobile phones and tablets, including those running Apple or Google operating systems.
The researchers said the authors, who appear to be Spanish speakers, may use the virus to steal sensitive documents as well as encryption keys.
The main targets appear to be government and diplomatic offices, energy companies, research organizations, private equity firms and political activists, according to a white paper from Kaspersky.
“For the victims, an infection with Careto can be disastrous,” the security firm said in a statement.
“Careto intercepts all communication channels and collects the most vital information from the victim’s machine. Detection is extremely difficult because of stealth rootkit capabilities, built-in functionalities and additional cyber-espionage modules.”
Once a device is infected, the malware authors can intercept network traffic, keystrokes and Skype conversations, and steal information from devices connected to the networks.
The researchers said in their report they detected “traces of Linux versions, and possibly versions for iPad/iPhone and Android, however we have not been able to retrieve the samples.”
The malware was active from 2007 until last month, when the command servers were shut down during Kaspersky’s investigation, the researchers said.
“Several reasons make us believe this could be a nation-state sponsored campaign,” Kaspersky researcher Costin Raiu said.
Raiu said the authors showed a high degree of technical sophistication and have been able to hide their activities so far.
“This level of operational security is not normal for cyber-criminal groups,” he said.
“The fact that the Careto attackers appear to be speaking the Spanish language is perhaps the most unusual feature,” the research paper said.
“While most of the known attacks nowadays are filled with Chinese comments, languages such as German, French or Spanish appear very rarely in APT (advanced persistent threat) attacks.”
The investigation found 380 victims in 31 countries; the countries with the most infections were Morocco, Brazil, Britain, Spain, France, Switzerland, Libya, the United States, Iran and Venezuela.