
Chinese using malware to attack US, AlienVault says

AlienVault says there is evidence of Chinese-originated attacks against the US using a new strain of Sykipot malware.

AlienVault, a specialist in unified Security Information and Event Management (SIEM) solutions, says the attacks have targeted the US Department of Defense (DoD), using the malware to compromise DoD smart cards.

One of the original versions of Sykipot was a trojan horse application that opened a backdoor into the infected PCs.

This latest generation of diversified attacks may have been occurring as far back as March of last year, said AlienVault's Lab manager Jaime Blasco.

“This is the first report of Sykipot being used to compromise smart cards, and this latest version of the malware has been designed specifically to take advantage of smart card readers running ActivClient - the client application of ActivIdentity, whose smart cards are standardised at the DoD and a number of other US government agencies,” he said.

“The smart cards are an important facet of security for the Department of Defense – which manages the three main branches of the military in the US, the Departments of the Army, the Navy and the Air Force – and use the cards as a standard means of identifying active duty military staff, selected reserve personnel, civilian employees, and eligible contractor staff,” he added.

Blasco's team have seen attacks that compromise smart card readers running Windows Native x509 software, which is reportedly in common use among a number of US government and allied agencies.

This new strain is thought to have originated from the same Chinese authors that created a version of Sykipot late last year that piped out a variety of spammed messages with the lure of information on the next-generation unmanned 'drones' developed by the United States Air Force.

In AlienVault's malware investigation last year, Blasco suggested that the team behind the Sykipot swarm were Chinese and working with an information shopping list that included semiconductor and aerospace technology, amongst other areas.

Cybercriminals this time are using a version of Sykipot that dates back to March last year, which has been used in dozens of other attacks executed in the past year, he said.

As with previous Sykipot strains, the attackers use an email campaign to get specific targets to click on a link that deposits the Sykipot malware onto their machines, Blasco added.

“From there – unlike previous strains – the malware then uses a keylogger to steal PINs for the cards,” he said.

“When a card is inserted into the reader, the malware acts as the authenticated user and can access sensitive information.

“The malware is then controlled by the attackers and then told what – and when – to steal the appropriate data.

“It’s worth noting that, back in January 2011 – just ahead of this new strain of Sykipot being released – our colleagues at another security vendor called this type of an attack ‘smart card proxies’ in one of their reports.

“Although the report did not provide specifics on the attack methodologies being used, the term is useful in describing this latest style of attack vector,” he added.

Further information:

See more on AlienVault

See more on the DoD smart card proxy attacks

Read more about last year's Sykipot spam attack
