Meet “The Mask": Possibly world’s most advanced computer spy outfit

Kaspersky Lab researchers announced the discovery of “The Mask.”
Work is in full swing at the virus department of Kaspersky Lab in Moscow.
(Sergei L. Loiko)

Governments. Embassies. Energy companies. Universities. Activists.

They’ve all been victims of what researchers are calling one of the most advanced cybersecurity threats they’ve ever seen. 

On Monday, a Kaspersky Lab security research team released details about a secretive organization called The Mask. At a security analyst summit, the researchers said the group has evolved into a nation-state spying tool and has been operating since at least 2007. 

PHOTOS: 10 ways to use the sharing economy


The group appears to be Spanish speaking and goes by the name Careto  (which means “ugly face” or “mask.”)

Using a sophisticated form of malware, the researches said Careto has infiltrated more than 380 unique victims in 31 countries.

“Several reasons make us believe this could be a nation-state sponsored campaign,” said Costin Raiu, director of the global research and analysis team for Kaspersky. “We observed a very high degree of professionalism in the operational procedures of the group behind this attack. This level of operational security is not normal for cyber-criminal groups.”

The discovery highlights the increasing sophistication of cyber criminals, and the resources they are bringing to bear on attacks. In this case, it remains unclear which nation might, in fact, be sponsoring the group. 


In addition, just as Kaspersky was preparing to publish its report, the organization appears to have gone dark and shut down all its operations.

According to a news release:

“Kaspersky Lab researchers initially became aware of Careto last year when they observed attempts to exploit a vulnerability in the company’s products which was fixed five years ago. The exploit provided the malware the capability to avoid detection. Of course, this situation raised their interest and this is how the investigation started.”

Kaspersky discovered that the group used phishing emails with phony links that appear to be for, among others, the Washington Post, Guardian, and YouTube. Instead, the links install the malware that allows the Mask to collect documents such as encryption keys.

With the Mask having gone offline, Kaspersky researchers said in the report they couldn’t be sure the group would reemerge in some other fashion.


Apple iPhone with Flappy Bird selling for $99,900 on EBay

Apple streaming the Beatles’ historic ‘Ed Sullivan’ performance


Microsoft hoping users will get friends, family to leave Windows XP