AlienVault found evidence of Chinese-originated attacks against US government agencies, including the US Department of Defense (DoD), which use a new strain of the Sykipot malware to compromise DoD smart cards.
One of the original versions of Sykipot was a Trojan horse application that opened a backdoor into the infected PCs. According to Jaime Blasco, AlienVault’s Lab manager, this latest generation of diversified attacks may have been occurring as far back as March of last year, if not longer.
“This is the first report of Sykipot being used to compromise smart cards, and this latest version of the malware has been designed specifically to take advantage of smart card readers running ActivClient – the client application of ActivIdentity, whose smart cards are standardized at the DoD and a number of other US government agencies,” he said.
“The smart cards are an important facet of security for the Department of Defense – which manages the three main branches of the military in the US, the Departments of the Army, the Navy and the Air Force – and use the cards as a standard means of identifying active duty military staff, selected reserve personnel, civilian employees, and eligible contractor staff,” he added.
So far, Blasco and his team have seen attacks that compromise smart card readers running Windows Native x509 software, which is reportedly in commonplace use amongst a number of US government and allied agencies.
This new strain, he says, is thought to have originated from the same Chinese authors that created a version of Sykipot late last year that piped out a variety of spammed messages with the lure of information on the next-generation unmanned ‘drones’ developed by the United States Air Force.
In his malware investigation of late last year, Blasco suggested that the team behind the Sykipot swarm were Chinese and working with an information shopping list that included semiconductor and aerospace technology, amongst other areas.
This time around, he explained, cybercriminals are using a version of Sykipot that dates all the way back to March of last year, and has been used in dozens of other attacks executed in the past year.
As with previous Sykipot strains, the attackers use an email campaign to get specific targets to click on a link and deposit the Sykipot malware onto their machines.
“From there – unlike previous strains – the malware then uses a keylogger to steal PINs for the cards. When a card is inserted into the reader, the malware acts as the authenticated user and can access sensitive information. The malware is then controlled by the attackers and then told what – and when – to steal the appropriate data,” he said.
“It’s worth noting that, back in January 2011 – just ahead of this new strain of Sykipot being released – our colleagues at another security vendor called this type of attack ‘smart card proxies’ in one of their reports. Although the report did not provide specifics on the attack methodologies being used, the term is useful in describing this latest style of attack vector,” he added.