Sykipot attacks U.S. PKI infrastructures based on smart cards

Pierluigi Paganini January 14, 2012

News is circulating on the web of a cyber attack carried out by a group of Chinese hackers against several U.S. government agencies. Once again, the weapon used against strategic objectives is a cyber weapon: in this case, a new version of the Sykipot trojan.

Chinese hackers have deployed a trojan aimed at the Defense Department, the Department of Homeland Security, the State Department and potentially other United States government agencies and businesses. The trojan targets smart card readers produced by ActivIdentity, a company that provides authentication software.

The attacks originate from Chinese servers and have certainly targeted the defense sector to steal sensitive information. The attack was designed to exploit the identity management processes used in government environments for physical and logical access management.

What is really interesting is the process followed by the creator of the original trojan, detected in December: the original versions of the Sykipot malware were a trojan that opened a backdoor into infected PCs to grab documents from high-level officials within target organizations and businesses. This time the malware has been packaged to compromise smart card readers running ActivClient, the client application of ActivIdentity. ActivIdentity ActivClient is the market-leading security application that allows customers to use smart cards and USB tokens as identity management devices in smart card-based PKI authentication for Windows login, VPN, web login and remote sessions, as well as for data security, digital signatures and secure email. This solution is widely used at the DoD and in a number of other US government agencies.

We are dealing with a cyber weapon packaged for a specific target and built from modules available in malware instances already known to researchers; a trend, identical in philosophy, observed in the cases of Duqu and Stuxnet. This is the first report of Sykipot being used to compromise smart cards, the authentication devices preferred for the identity management systems of the American military. The hackers have used a version of Sykipot that dates back to March of last year and was already used for several attacks executed in the past year. The spreading vector is an email campaign addressed to specific targets. Consider that the malware has appeared several times in combination with zero-day exploits and has been used to launch targeted attacks since 2007.

The attacks compromise smart card readers running on Windows, in particular the native x509 modules, according to what has been reported by the US government.

How does the trojan work? It uses a keylogger to steal the smart card PINs while the cards are being used. When a card is inserted into the reader, the trojan, acting as the authenticated user, is free to access sensitive and protected information. The stolen data are sent back to the attacker, who is able to drive the operations remotely.
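The weak point in the mechanism described above is that the PIN passes through the host keyboard, where a keylogger can read it, and the card then serves whoever holds the PIN while it stays inserted. The following model, added here as an illustration (it is not Sykipot code and not ActivClient's API; the class names, the three PIN-entry modes, the sample PIN and the audit threshold are all assumptions), compares a middleware that caches the PIN for the card session, one that demands the PIN for every private-key operation, and one where the PIN is typed on the reader's own keypad, and adds a simple per-session audit that a defender could apply to middleware logs.

```python
"""
Model of PIN theft on a smart card host (constructed example, not vendor code):
a keylogger captures the PIN the user types, and malware then drives the card
while it is inserted. Three PIN-entry configurations are compared.
"""
from dataclasses import dataclass, field
from enum import Enum


class PinEntry(Enum):
    HOST_CACHED = "host keyboard, PIN cached for the whole card session"
    HOST_PER_OP = "host keyboard, PIN required for every private-key operation"
    READER_PINPAD = "PIN entered on the reader's own keypad, never on the host"


@dataclass
class Card:
    pin: str
    inserted: bool = False


@dataclass
class Middleware:
    """Assumed middleware: mediates private-key operations on the card."""
    mode: PinEntry
    card: Card
    verified: bool = False
    audit: list = field(default_factory=list)   # (actor, outcome) per operation

    def insert(self):
        self.card.inserted = True
        self.verified = False

    def remove(self):
        self.card.inserted = False
        self.verified = False

    def verify_pin(self, pin):
        self.verified = (pin == self.card.pin)
        return self.verified

    def private_key_op(self, actor, pin=None):
        """Sign/authenticate with the card key. `pin` is whatever the caller
        submits through the host-side API (None = nothing submitted)."""
        if not self.card.inserted:
            self.audit.append((actor, "denied: no card"))
            return False
        if self.mode is PinEntry.READER_PINPAD:
            # The reader hardware collects the PIN; host-side values are
            # ignored, so only a human at the keypad can complete the operation.
            ok = actor == "user"
        elif self.mode is PinEntry.HOST_PER_OP:
            ok = pin is not None and self.verify_pin(pin)
        else:  # HOST_CACHED: verify once, then every caller rides the session
            if not self.verified and pin is not None:
                self.verify_pin(pin)
            ok = self.verified
        self.audit.append((actor, "ok" if ok else "denied"))
        return ok


class Keylogger:
    """Host-side keystroke capture: anything typed on the host is observable."""
    def __init__(self):
        self.captured = []

    def observe(self, keystrokes):
        self.captured.append(keystrokes)


def run_scenario(mode):
    """User inserts the card and authenticates once; malware then tries to use
    the card with whatever the keylogger saw. Returns (user_ok, malware_ok, audit)."""
    card = Card(pin="123456")          # constructed sample PIN
    mw = Middleware(mode, card)
    kl = Keylogger()
    mw.insert()
    if mode is PinEntry.READER_PINPAD:
        typed = None                   # PIN goes to the keypad; host sees nothing
    else:
        typed = card.pin
        kl.observe(typed)              # keylogger sees the host keystrokes
    user_ok = mw.private_key_op("user", typed)
    stolen = kl.captured[-1] if kl.captured else None
    malware_ok = mw.private_key_op("malware", stolen)
    return user_ok, malware_ok, mw.audit


def flag_session(audit, expected_ops=1):
    """Audit heuristic (assumed threshold): more successful private-key
    operations in one card session than the user's workflow explains."""
    successes = sum(1 for _, outcome in audit if outcome == "ok")
    return successes > expected_ops


if __name__ == "__main__":
    for mode in PinEntry:
        user_ok, malware_ok, audit = run_scenario(mode)
        print(f"{mode.value}: user={user_ok} malware={malware_ok} "
              f"flagged={flag_session(audit)}")
```

Prompting for the PIN on every operation does not help on its own: once the PIN has crossed the host keyboard, malware can submit it through the same host API the legitimate client uses. Only keeping PIN entry off the host (a reader with its own keypad) defeats the keylogger in this model, and counting private-key operations per card session gives a detection signal even where the weak configuration cannot be changed quickly.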

The event is undoubtedly of the utmost gravity: an attack using this method could compromise the whole PKI architecture on which logical and physical access management is based.


Pierluigi Paganini
