February 21, 2014:
Since 2010 a growing number of highly complex and carefully constructed malware (hacker software) systems have been discovered. Further examination has revealed that some of them have apparently been active as far back as 2006 or earlier. The most recent one is called Mask and is unusual for its complexity and attention to detail (like hiding its tracks by cleaning up after itself). What makes Mask really unique is that it’s the first bit of industrial strength malware created by Spanish speaking programmers. Mask was recently exposed by Internet security firm Kaspersky Lab. Outfits like this are usually the first to find new malware because that’s part of their business. Internet security firms provide customers (individual and organizational) with protection from malware, and to do that you first have to detect new malware. Security firms do this by getting massive amounts of data from their customers about known malware attacks (usually blocked) or new stuff that may or may not be malware. By analyzing all this information, patterns appear, and sometimes the patterns lead to clues which in turn reveal previously unknown malware. Such was the case with Mask. When bits of the actual Mask software were found and taken apart, they revealed that it has been around since about 2007 and was apparently created by a large and highly organized group of software engineers, many of whom were Spanish speakers.
Now an intel agency could have spent a lot of time and money to make it look like the creators of Mask were Spanish, but in this case there was also the fact that most of the targets for Mask were in Spanish speaking countries. Many non-Spanish speaking countries were also hit, and Mask went after government and commercial organizations, collecting a wide variety of data and then, in most cases, cleaning up after itself so the targets never knew they had been penetrated, plundered and monitored. Mask also used a continually changing group of Internet servers to store the plundered data until it could be taken offline by whoever was behind Mask.
Nearly a year ago, in January 2013, a similar bit of malware called MiniDuke was discovered. This one was later found to have been around at least since 2011. MiniDuke was directed at specific individuals in Ukraine, Belgium, Portugal, Romania, the Czech Republic, the United States, Hungary, and Ireland. The targets in the United States and Hungary appear, so far, to have only been non-government organizations.
MiniDuke delivered, via an infected PDF file, a secret software program that monitors the PCs it gets into and passes keyboard activity and files back to servers in Panama and Turkey. MiniDuke is unique in terms of the attention paid to keeping its presence secret from network security systems. MiniDuke stays dormant until it senses it is not being monitored, then seeks out a specific Twitter feed that the hacker uses to communicate with infected machines.
MiniDuke carried out its attack using an official looking email, with a PDF file attached, sent to specific individuals. It is an email the recipients were not expecting. This is known in the trade as "spear fishing" (or "spear phishing"), a Cyber War technique that sends official looking email to specific individuals with an attachment which, if opened, secretly installs a program that sends data from the email recipient's PC to the spear fisher's computer. In the last few years an increasing number of military, corporate, and government personnel have received these official-looking emails with a PDF document attached and asking for prompt attention. Mask used a similar approach and was finally discovered when too many of its spear fishing attacks failed and the payload aroused suspicion.
MiniDuke was one of the most sophisticated spear phishing attacks seen so far. It shared some characteristics of professional American–Israeli efforts like Duqu but also incorporated some new ideas (heavy use of Twitter, a very gradual infection process, and lots of scouting). It’s unclear where it came from, or at least no one has released any information on that yet.
These mega malware systems were initially believed to be the work of governments, because of the time and expense that went into their construction and maintenance. But some analysts believe that the large criminal groups in China and East Europe that specialize in Internet based crime have grown larger than earlier thought. Large criminal groups could finance and staff the creation of mega-malware and have the resources to run it for years. That’s still just a theory, but it is known that some governments (especially the United States and Israel) have undertaken these mega malware projects. One aspect of this business that is still quite murky is who the customers are. It’s not surprising that buyers of this stolen data want to remain unknown. That’s pretty standard in the espionage business.