Kaspersky security researchers just revealed their discovery of a cyberespionage threat they say could be the most advanced in the world. Immensely powerful and hard to detect, it’s been active since at least 2007, targeting governments, embassies, and energy companies. And nobody knows where it came from.
Dubbed “Careto”, after the Spanish slang for “mask” or “ugly face” that appears in some of its code, the virus relies on spearphishing emails containing malicious links disguised as subdomains of well-known news websites including The Washington Post and The Guardian. After infection, the malicious links just redirect to the benign sites referenced in the email to cover up the tracks.
Once downloaded, Careto collects a huge variety of documents from the infected system, with an eye toward sensitive or specialised data: encryption keys, VPN configurations, SSH keys and whatnot. And it doesn’t stop there: Kaspersky says “there are also several unknown extensions being monitored [by the malware] that we have not been able to identify and could be related to custom military/government-level encryption tools.” From a security standpoint, infection is disastrous: Careto can access network traffic and record keystrokes and Skype conversations, among many other capabilities.
Careto’s complexity and high level of refinement indicate it wasn’t thrown together by some hacker. It’s one of the most advanced threats Kasperksy has ever seen, besting even the famously cryptic Duqu Trojan. Careto hides itself inside older versions of Kaspersky security software, making the malware invisible to routine system scans, and it’s capable of attacking Windows, Linux, Mac, and possibly Android and iOS. The malware is highly refined, and managed with a level of security Kaspersky says is “not normal for cybercriminal groups,” leading them to believe it could be a state-sponsored attack.
While the full extent of Careto’s reach is unknown, Kaspersky identified victims at over 1000 IP addresses in 31 countries, mainly targeting government institutions, diplomatic offices, and powerful private companies, particularly in the oil and gas industries.
So which state-sponsored hacker group is behind it? Nobody really knows. Kaspersky points out that the use of Spanish slang in the program doesn’t really pinpoint a geographic region — and besides, it could very well be a purposeful distraction.
And while it’s currently inactive (the hackers began taking Careto servers offline in January, when Kaspersky researchers started their investigation), nothing is stopping those responsible from re-activating the attack at any time. And while the malware takes advantage of a security software vulnerability that Kaspersky patched five years ago, with more than 380 known high-level victims in 31 countries, Careto is still a very real threat. Not to mention that whoever was driving this sucker clearly knows what they are doing.