Kaspersky rips The Mask from sneaky Spanish spy campaign

Security researchers have discovered a sophisticated string of cyberattacks from a group of Spanish-speaking miscreants who have been operating since at least 2007. ”The Mask” (aka Careto) is one of the most advanced campaigns to date due to the complexity of the toolset used by the attackers, according to Kaspersky Lab. This …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    "The use of Spanish by the hackers […] doesn't narrow down the field very much."

    Interesting that Morocco, UK and Brasil are the most targeted. Morocco would point towards Spain, but Brasil towards South America. What about the UK? Spain? …Argentina?

    1. Elmer Phud

      Re: "The use of Spanish by the hackers […] doesn't narrow down the field very much."

      Morocco would point towards Spain, but Brasil towards South America. What about the UK? Spain? …Argentina?

      Maybe it's a language thing

    2. Bloakey1

      Re: "The use of Spanish by the hackers […] doesn't narrow down the field very much."

      Why not Portugal?

      I think it points to Spain and have thought so for quite a while. Brazil points towards Spain as Brazil nestles among mainly Spanish speaking neighbours (Belize, Surinam and British Guyana as mindable <sp> exceptions).

      There are also very interesting things being done that would suggest my friends the "cheese eating surrender monkeys" (1.) are at it big time. But there again they always were. Minitel anyone? a European Interweb where you could book your wife a bunch of flowers, a hooker for yourself and a nice silk kerchief for your gay lover all done in your 3 hour lunch break. Those were the days.

      1. Who have won more wars than the Yanks and the Brits put together (1.1.)

      1.1. The war of 1812, Merklin, Korea, Cuba, Vietnam, Laos, Congo, Lebanon, Iran, Somalia, Iraq, Afghanistan and the next one, do skew the results in favour of the U.S. ;)

    3. jason 7 Silver badge

      Re: "The use of Spanish by the hackers […] doesn't narrow down the field very much."

      Well I'd say it's a good way of covering your tracks: using a different language to your own, different methods, locations and by initially racking up a load of hits against countries you aren't actually interested in. Then you make a few pointed attacks on the real target and they get ignored in the sheer numbers elsewhere.

      I would assume if you were hitting certain targets someone would extrapolate that data to find the 'likely culprit' so why not muddy the data with a load of other random targets.

  2. fnusnu

    Any explanation as to why it took their software seven years to detect it?

    1. vonRat

      It took 7 years to successfully complete the deployment.

      1. Bloakey1

        "It took 7 years to successfully complete the deployment."

        In their defense they had to uninstall Nortons and McAfee and that took a little while.

  3. Semtex451

    Wouldn't one be just as "professional" without state sponsorship, when the personal "risks" are likely greater?

    1. Wzrd1

      "Wouldn't one be just as "professional" without state sponsorship, when the personal "risks" are likely greater?"

      One problem with that. All of the professional-level compromises like this so far have been from professional, nation-state supported or operated entities.

      To create one, all fresh and new, and keep it professional at a level on a par with known nation-state entities is like shaking a box with watch components in it, opening it up and finding a perfectly assembled, perfectly timed Swiss watch.

      The learning curve is just that steep.

  4. Anonymous Coward

    Careto is not Mask

    For the benefit of non-Spanish speakers: "Mask" in English is "Careta". "Careto" is a slang term that means an exaggerated facial expression, usually ugly, in reaction to something highly unexpected or unusual.

    There is also a variation of "Careto" used in "por el careto" (a derivation of "por la cara") which means to obtain something for free or without having the rights to have it, which, since this is data-stealing malware, could be the source of its name. This kind of slang is not, to my knowledge, used outside Spain, so that would point to the authors being from Spain rather than some American Spanish-speaking country. I'm not 100% sure of this, as Spanish slang is very, very diverse across countries and I know just a bit of each.

    But then Kaspersky are supposedly security experts, not language experts. I am neither, by the way.

    1. Robin

      Re: Careto is not Mask

      Good work!

      If only there had been a way to double check its definition when the article was written, like spending three seconds on spanishdict.com for example?

      1. Anonymous Coward

        Re: Careto is not Mask

        The Spanish Royal Academy of Language, considered the authority on what is a word and what is not in Spanish, created and updates its dictionary, which is considered the latest word (no pun intended) on what is actually valid Spanish. As a result, most Spanish dictionaries merely copy the "official" Academy one, leaving out the more uncommon words or their usages, or shortening the word definitions. But they almost never include words, or alternate definitions, that are not in the Academy one.

        And the Academy, although better in the last few years, is not exactly quick in accepting new words and definitions. In this case, "Careto" is defined in the Academy dictionary as the English equivalent of "Mask" (and likely on spanishdict.com but I've not checked), and its slang definition does not appear there. So except by checking with an actual Spanish speaker, and one familiar with these slang terms, there was no way for the writers to know the difference.

    2. squigbobble

      Re: Careto is not Mask

      So it roughly translates to either 'freebie' or 'gurn'?

    3. Bloakey1

      Re: Careto is not Mask

      <snip>

      "There is also a variation of "Careto" used in "por el careto" (a derivation of "por la cara") which means to obtain something for free or without having the rights to have it, which, since this is data-stealing malware, could be the source of its name. This kind of slang is not, to my knowledge, used outside Spain, so that would point to the authors being from Spain rather than some American Spanish-speaking country. I'm not 100% sure of this, as Spanish slang is very, very diverse across countries and I know just a bit of each."

      <snip>

      You are absolutely correct. It is Castellano argot and used in Spain (as opposed to Spanish per se) and I have not heard it elsewhere. Think of it as obtaining something "for your cheek", i.e. for the cheek of asking. So as you can see there is an English analogue with the same meaning and same slang connotation.

    4. Bloakey1

      Re: Careto is not Mask

      <snip>

      "But then Kaspersky are supposedly security experts, not language experts. I am neither, by the way."

      Hmmm, thinking further. The plot thickens. Careto is a tradition in Portugal and involves doods <sic> dressing up and wearing complex masks and parading through the streets. I believe it is one of their many Celtic traditions.

      Also in Latin it means to be without, bereft of or deprived of, and has careo as its root.

      Perhaps the Portuguese have a 31337 crew of espionage doodz.

      Let us blame it on the Norteño chapter of the NSA and move on.

    5. Anonymous Coward

      Re: Careto is not Mask

      > For the benefit of non Spanish speakers

      I came here to make the exact same two points you have very clearly expounded: Careto is somewhat akin to "mug", and it is exclusive to Spain.

      From other points in the description, I am tempted to speculate as to from which particular region of the peninsula it might hail. Unless, of course, its name and the other clues are mere decoys.

    6. Wzrd1

      Re: Careto is not Mask

      ""Mask" in English is "Careta". "Careto" is a slang term that means an exaggerated facial expression, usually ugly, in reaction to something highly unexpected or unusual."

      Or, a matched transliteration with a language speaker whose language would miss those nuances.

      Leaving them to name the software to imply a sour face when the phish attack was finally discovered.

      The source code usually gives indicators on who wrote it. Each writing team has their own style, it's quite a lot like fingerprints.

    7. Daniel B.
      Boffin

      Re: Careto is not Mask

      Careto is not Mask. "Máscara" is Mask.

      There's a fun game with Spanish: depending on the words used, you can actually know what country the writer/speaker is from. Given the use of Careto, it indeed sounds like Spain, unless we're being sidetracked and it's actually Portugal and/or Brazil (with "Careto" being actually Portuguese instead of Spanish).

      Now, finding out if it's a Spaniard is easy if computers are involved: every single Spanish-speaking country that isn't Spain calls computers, computers. Spaniards call computers "sorting machines" (ordenadores). That single word narrows down Spain real quick!

      The other country that is equally easy to lock into is Argentina; if they speak weird Spanish (as in, "weird to anyone not from Argentina") it probably is from that country. Example: "compártelo" in regular Spanish turns into "compartilo" in Argentinian, "tienes" into "tenés", or "eres" into "sos".

      If they call pineapples "bananas" without the B, it's at least South American. It's probably a fun game to wade through the zillion Spanish dialects, but at least you can narrow down quickly if it comes from certain countries.

  5. Matt Bryant Silver badge
    Facepalm

    Professional?

    Why can't it just be that Spanish skiddies are just better crookz than US or UK skiddies?

    1. NumptyScrub
      Trollface

      Re: Professional?

      Given the following from the article (my emphasis):

      "This includes sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS."

      They are not just better, they are apparently godlike enough to be able to infect the uninfectable. I'm eagerly awaiting the clarification that the OSX and Linux variants still require the user to accept the install and provide the root password ^^;

      1. Bloakey1

        Re: Professional?

        <snip>

        "They are not just better, they are apparently godlike enough to be able to infect the uninfectable. I'm eagerly awaiting the clarification that the OSX and Linux variants still require the user to accept the install and provide the root password ^^;"

        "Uninfectable"? I think that you are not taking users and assorted button clickers into your halcyon equation.

        I recently saw someone who when running out of space for his films went into a folder called emaildonotdelete and deleted a file called importantlitigationarchive.

        Don't get me going on users or I will have to reach for my LART.

      2. Anonymous Coward

        Re: Professional?

        > be able to infect the uninfectable

        ??? Are you referring to Unixen such as 2 (±1) of the OS you mentioned?

        You have been listening to some very ignorant people. We INVENTED internet worms, my dear chap.

      3. Steve Mann

        Re: Professional?

        "They are not just better, they are apparently godlike enough to be able to infect the uninfectable. I'm eagerly awaiting the clarification that the OSX and Linux variants still require the user to accept the install and provide the root password ^^;"

        But gosh, didn't we just read about three weeks ago of a proof of concept buffer overrun attack against Linux that allowed arbitrary execution of code? In these very pages?

      4. Wzrd1

        Re: Professional?

        "I'm eagerly awaiting the clarification that the OSX and Linux variants still require the user to accept the install and provide the root password "

        Why? There have been a number of drive-by malware installations, phishing attacks that were successful, etc., all of which needed no rooting of the device.

        Adremorrhoid is notorious for lousy security. As is Crapple's iBone.

        And for the record, I have a Windows fartphone, Adremorrhoid fartphone and Crapple fartphone (or is that iFartphone?). I've examined their stock security settings in detail.

        I was quite underwhelmed. Though, there has been improvement over the past few years.

        You conflate the desktop/server OS with the same level of security in the mobile product, a bad comparison in the extreme.

        When they goobered them down, they created C'est ta merde security.

  6. Vociferous

    Venezuela, Colombia or Argentina.

    They're all nuts, but the list of countries suggests it's a leftist government, so Argentina or Venezuela. I doubt Argentina seriously thinks they'll ever get the Falklands back and they have zero reason to spy on Spain and Morocco, so my money's on Venezuela.

    Venezuela (under Chavez) supported both the Basque terror organization ETA in Spain and "lavishly funded" the Polisario in Morocco, so it had reason to spy on those countries, which none of the other suspects did.

    Bonus: Kaspersky is a _Russian_ security firm, and Russia is a close ally of Venezuela; one might speculate that might have influenced the decision to not reveal which country made the spyware.

    1. Mark 85 Silver badge

      Re: Venezuela, Colombia or Argentina.

      You might be onto something here. Brazil is in the list and most folks seem to think Brazil speaks Spanish... try Portuguese. However, there is some animosity between Brazil and Venezuela. Not open hostility, but it's there.

    2. donguevas

      Re: Venezuela, Colombia or Argentina.

      As someone who is a US and a Colombian Citizen, I would leave Colombia off of your list.

      Colombia does not have a leftist government, very far from it. They take their cues from the ghost of Ronald Reagan.

      Plus, while the majority of my IT career has been in the States (since the mid 1990s), I did work in Colombia for a Latin American multinational concern, and I rarely met any developer who had the coding chops to write something of this magnitude.

      1. Vociferous

        Re: Venezuela, Colombia or Argentina.

        Yes, I took Colombia off the list in the very first sentence, precisely because it doesn't have a leftist government. Colombia wouldn't have any reason to spy on any of these countries, except possibly Brazil.

  7. greenpc

    Cubans

    Looking at the Kaspersky report, it was interesting that Cuba had the most hits. Is this a Cuban government initiative, Cuban dissident initiative in Cuba, Cuban dissidents in the US, the CIA (and their buddies) or someone completely out of the picture?

    Going whole hog conspiracy theory, I'd say it may be the Iranians using Venezuelan-trained hackers to start targeting Chinese assets using a Cuban cover to set things up for a DOS on the chip shop down the street.

  8. Chris G Silver badge

    Could originate in Spain

    But it is definitely not state-sponsored; although there are some pretty smart IT people here, I'm pretty sure none of them work for the government.

    A couple of the local government employees I know, if you asked them a question about hard drives, would think you were talking about the commute in to work, and they call an engineer to run CCleaner for them.

    The Spanish government makes the British government look clever when it comes to those computer thingies.

    1. nuked

      Re: Could originate in Spain

      You don't have to be a government employee to write software for use by the state...

  9. Marketing Hack Silver badge
    Black Helicopters

    You guys are all wrong about the country responsible...

    One word that is synonymous with international aggression--Andorra!! This tiny terror has been waiting for their chance, and soon their tanks (I think they have two of them) will be parading down Piccadilly.

    (Either them, or it's SPECTRE)


Biting the hand that feeds IT © 1998–2020