Uncovering ‘The Mask’, the most sophisticated malware yet?
An incredibly complex malware that’s said to be one of the most sophisticated ever discovered has been targeting computers around the world since at least 2007, according to a new report from security firm Kaspersky Labs. The malware, which has been dubbed “The Mask”, appears to be the work of Spanish-speaking cybercriminals. Researchers said that the word “Careto”, a Spanish slang term meaning “ugly face” was found in the code – yet Kaspersky Labs says the malware is so sophisticated it’s highly unlikely anyone but government sponsored hackers could have built it.
The report claims that The Mask is most likely a tool for cyber espionage – targeted at government officials and diplomats, research institutes, private companies (mostly energy firms), private equity firms and activists. In total, some 380 victims using more than 1,000 IP addresses in 31 countries have been identified so far.
Probably the most incredible thing about The Mask is its flexibility – Kaspersky’s researchers note that it “includes an extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS).” Its capabilities are pretty awesome too, as The Mask is able to access network traffic, record Skype conversations, log keystrokes and search for files on infected machines.
Unsurprisingly, The Mask seems to be especially adept at procuring sensitive files, “including encryption keys, VPN configurations, SSH keys and RDP files,” states Kaspersky. The researchers warn that they’ve also found a number of file extensions they have been unable to identify, which are most likely related to “custom military/government-level encryption tools”.
A second reason the researchers suspect that The Mask has Spanish origins is the method used to infiltrate target computers. The first attack they uncovered involved a ‘spear phishing’ email campaign that included fake links to dozens of popular Spanish-language news websites, as well as international sites like The Guardian, The Washington Post and Time. Once the target clicks on a malicious link, The Mask uses at least three different backdoors that allow it to infect Windows, OS X and Linux machines.
Given its sophistication, the most pressing question is where it came from. The most likely explanation, though extremely difficult to prove, is that The Mask was designed and built by a nation-state.
“Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files,” said Costin Raiu, the director of Kaspersky’s Global Research and Analysis Team.
“This level of operational security is not normal for cyber-criminal groups.”
However, it’s quite normal when those responsible for building it have the backing of a nation-state. Government-sponsored hackers typically have both money to spend and every reason in the world to avoid detection. Similarly sophisticated malware such as Stuxnet, which caused catastrophic damage to Iran’s nuclear facilities, as well as Duqu – believed to be related to Stuxnet – are both believed to be the work of governments.
The Mask was almost certainly sponsored by a nation-state as well, but beyond that fact it’s very difficult to know who might have built it.
Main photo credit: wolfgangfoto via photopin cc. Infographic courtesy of Kaspersky Labs.