Kaspersky security researchers just revealed their discovery of a cyberespionage threat they say could be the most advanced in the world. Immensely powerful and hard to detect, it's been active since at least 2007, targeting governments, embassies, and energy companies. And nobody knows where it came from.
Dubbed "Careto," after the Spanish slang for "mask" or "ugly face" that appears in some of its code, the virus relies on spearphishing emails containing malicious links disguised as subdomains of well-known news websites including The Washington Post and The Guardian. After infection, the malicious links just redirect to the benign sites referenced in the email to cover up the tracks.
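The lure described above works because a hostname such as `news.washingtonpost.com.attacker.example` reads like a subdomain of the newspaper while actually belonging to a different registrable domain. The following is an added example, not code from Kaspersky or the article, showing how a mail filter can flag that pattern: it extracts links from a message, reduces each hostname to its registrable domain, and marks links whose host carries a trusted brand name but resolves to some other domain. The sample email and the domains in it are constructed for the demo, and the two-label registrable-domain rule is a simplification (production code should consult the Public Suffix List).

```python
import re
from urllib.parse import urlparse

# News domains the article says the lures impersonated.
TRUSTED_DOMAINS = {"washingtonpost.com", "theguardian.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'a.b.example.com' -> 'example.com'.

    Simplification: real deployments should use the Public Suffix List so that
    names like 'example.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> str:
    """Classify a URL as 'trusted', 'lookalike' or 'other'.

    trusted   - the registrable domain is one we explicitly trust
    lookalike - a trusted brand appears in the hostname (as a label or with
                dots/hyphens folded away) but the registrable domain differs
    other     - neither of the above
    """
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "other"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # Fold separators so 'washington-post.example' and 'washingtonpost.com.x' both match.
    folded = host.replace(".", "").replace("-", "")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in folded:
            return "lookalike"
    return "other"


def flag_lookalikes(message: str) -> list:
    """Return every URL in the message text that is classified as a lookalike."""
    flagged = []
    for match in URL_RE.findall(message):
        url = match.rstrip(".,;:)")  # trailing punctuation from surrounding prose
        if classify_link(url) == "lookalike":
            flagged.append(url)
    return flagged


# Constructed sample message (all hostnames invented for this example).
SAMPLE_EMAIL = """Hi,

See today's coverage here: http://news.washingtonpost.com.example-cdn.net/story/1234.
The Guardian version is at https://www.theguardian.com/world/latest.
Unrelated: https://example.com/page
"""

if __name__ == "__main__":
    for url in flag_lookalikes(SAMPLE_EMAIL):
        print("suspicious link:", url)
```

Running the block prints the single constructed lookalike URL; the genuine Guardian link and the unrelated domain pass through. A filter like this is a cheap first-line detection, but it only catches impersonation of brands on its allow-list, so the list should be fed from whatever domains the organisation's users are actually expected to click.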
Once downloaded, Careto collects a huge variety of documents from the infected system, with an eye toward sensitive or specialized data: encryption keys, VPN configurations, SSH keys and whatnot. And it doesn't stop there: Kaspersky says "there are also several unknown extensions being monitored [by the malware] that we have not been able to identify and could be related to custom military/government-level encryption tools." From a security standpoint, infection is disastrous: Careto can access network traffic and record keystrokes and Skype conversations, among many other capabilities.
Careto's complexity and high level of refinement indicate it wasn't thrown together by a basement hacker. It's one of the most advanced threats Kaspersky has ever seen, besting even the famously cryptic Duqu Trojan. Careto hides itself inside older versions of Kaspersky security software, making the malware invisible to routine system scans, and it's capable of attacking Windows, Linux, Mac, and possibly Android and iOS. The malware is highly refined, and managed with a level of security Kaspersky says is "not normal for cybercriminal groups," leading them to believe it could be a state-sponsored attack.