Sykipot is not a new Trojan Horse by any means, but the variation found to be attacking Department of Defense smart cards is certainly something that government agencies need to be worried about. United States government agencies, that is. It's doubtful the Chinese government will be too worried about them, considering that the Sykipot-led attacks against these US government agencies would appear to be originating from China itself.

Security specialist AlienVault has uncovered evidence that the attacks may stretch back as far as March 2011 and have been targeting a number of agencies that use ActivIdentity, or more specifically smart card readers running ActivClient (ActivIdentity's client application). Such smart cards are now a standard security measure for the US Army, Navy and Air Force as well as the Department of Defense itself, and they are used to identify not only military personnel but also civilian employees and contractors.

Jaime Blasco, AlienVault's Research Lab Manager, reckons this is the "first report of Sykipot being used to compromise smart cards", although he does admit that a year ago another security vendor wrote about smart card proxy attacks: "although the report did not provide specifics on the attack methodologies being used, the term is useful in describing this latest style of attack vector." The research team has so far found evidence of attacks compromising cards running on the Windows Native x509 software which, as I understand it, is pretty commonplace within US government agencies.

Blasco makes the China connection because he has reason to believe that the Sykipot 'swarm' team are Chinese and working to a known 'data shopping list' that includes semiconductor and aerospace technology information. Indeed, the new strain is thought to come from the same Chinese hackers who created an earlier Sykipot version that spammed messages promising information on US drone technology.

Once activated, the Sykipot strain uses a keylogger to harvest the PINs of the smart cards in question, which allows the malware to act as an authenticated user and therefore access sensitive information under the direction of its allegedly Chinese controllers.


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

Sounds like something out of Neal Stephenson's REAMDE.
Are the crackers to be admired or despised and are the manufacturers of the card / security software to be pitied or slapped about a bit?