Feb 11 2014

APT The Mask (aka Careto) Targets Secure Shell Keys

Kaspersky Lab recently revealed the details of a sophisticated APT named “The Mask”, or by its Spanish name “Careto”. The Mask is known to have infected at least 380 unique victims in over 31 countries. In operation since 2007, the primary targets of this APT are government institutions, diplomatic offices, energy companies, research institutions, private equity firms and political activist organizations. The sophistication and targets of the APT suggest it is the work of nation-state actors rather than criminal organizations.

The Mask focuses on stealing two types of information. First, all forms of documents and end user communications. Second, credentials and encryption keys, notably Secure Shell keys, which enable the APT to hop from one system to another within the victim network. It exfiltrates information from the network over encrypted connections.

What lessons does The Mask teach us about APTs in general?

  • No amount of end user training and education will adequately safeguard an institution from APTs. A good end user training program can significantly reduce the success rate of a phishing campaign, but it is a known fact that “someone always clicks”.
  • Once in the network, APTs can be virtually undetectable. It took seven years for The Mask to be unveiled.
  • Perimeter defenses are largely incapable of preventing APTs from entering the network and communicating with their command and control.

The Takeaway

You cannot fully trust the integrity of your endpoints or the communications in and out of your network. However, you should have visibility into those communications. Most current defenses, including next generation firewalls and data loss prevention systems, either are incapable of looking inside encrypted channels or have the capability but do not actually use it in deployment. APTs like The Mask rely on encryption for removing data and for hopping across the network. This is one reason they have been so successful in avoiding detection. Full traffic visibility, combined with intelligence applied to that visibility, can enable the activities of APTs to be detected and stopped before too much damage is done. A layered defense strategy must include network level visibility that is capable of monitoring encrypted channels. The era of blind trust is ending.
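As an added illustration of the host-level side of that visibility (example code, not from the original post or from SSH Communications Security), the Python below scans constructed sshd log lines for key-based logins and flags any key that is missing from a hypothetical key inventory, or that a known key is presented from a source the inventory does not expect, which is how a stolen Secure Shell key hopping between hosts would surface. It assumes the modern OpenSSH "Accepted publickey ... SHA256:" log format and an inventory mapping each key fingerprint to its permitted source addresses.

```python
import re

# Constructed sample sshd log lines (not taken from the Kaspersky report or the post).
SAMPLE_LOG = """\
Feb 11 03:12:07 db01 sshd[2231]: Accepted publickey for deploy from 10.0.1.20 port 51422 ssh2: RSA SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Feb 11 03:12:41 db01 sshd[2240]: Accepted publickey for deploy from 10.0.5.77 port 40212 ssh2: RSA SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Feb 11 03:13:02 db01 sshd[2251]: Accepted publickey for root from 10.0.5.77 port 40215 ssh2: ED25519 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Feb 11 03:14:10 db01 sshd[2263]: Accepted password for alice from 10.0.1.30 port 50001 ssh2
"""

# Hypothetical managed-key inventory: fingerprint -> source addresses allowed to present it.
KEY_INVENTORY = {
    "SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {"10.0.1.20"},
}

# Matches the OpenSSH public-key login line and captures user, source, key type and fingerprint.
LOGIN_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<ktype>\S+) (?P<fp>SHA256:\S+)"
)


def parse_key_logins(log_text):
    """Return one dict per key-based login; password logins and other lines are ignored."""
    return [m.groupdict() for m in map(LOGIN_RE.search, log_text.splitlines()) if m]


def find_suspicious_logins(log_text, inventory):
    """Flag key logins whose fingerprint is unmanaged, or whose source address is not
    one the inventory associates with that key (a key moving between hosts)."""
    findings = []
    for login in parse_key_logins(log_text):
        allowed = inventory.get(login["fp"])
        if allowed is None:
            reason = "key not in inventory"
        elif login["src"] not in allowed:
            reason = "known key used from unexpected source"
        else:
            continue  # managed key from an expected source: nothing to report
        findings.append({**login, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOG, KEY_INVENTORY):
        print(f"{f['user']}@{f['src']} {f['fp']}: {f['reason']}")
```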

By Jonathan Lewis, Director of Product Marketing
Jonathan Lewis serves as director of product marketing at SSH Communications Security where he is focused on raising industry awareness of risk and compliance issues of unmanaged Secure Shell identities. Jonathan has over 15 years of experience in the IT security industry, having held product management and product marketing positions at Nortel, Arbor Networks, Compaq and Digital Equipment Corporation. He has led the launch of numerous security products including IPsec and SSL VPNs, end point security products and firewalls. Jonathan holds a BS and MS from McGill University as well as an MBA from Bentley University.