Sykipot attacks U.S. PKI infrastructures based on smart cards

In these hours the web is circulating news of a cyber attack performed by a group of Chinese hackers against some U.S. Government Agencies. Once again, the weapon used against the strategic objectives is a cyber weapon; in particular, a new version of the Sykipot trojan has been used.

Chinese hackers have deployed a trojan that is aimed at the Defense Department, the Department of Homeland Security, the State Department and potentially other United States government agencies and businesses. The trojan targets smart card readers produced by the company ActivIdentity, which provides authentication software.

The attacks originated from Chinese servers and have clearly targeted the defense sector to steal sensitive information. The attack has been conceived to exploit the identity management processes used in governmental environments for physical and logical access management.

What is really interesting is the process followed by the creator of the original trojan, detected in December. The original versions of the Sykipot malware were a trojan that opened a backdoor into the infected PCs to grab documents from high-level officials within target organizations and businesses. This time the malware has been packaged to compromise smart card readers running ActivClient, the client application of ActivIdentity. ActivIdentity ActivClient is the market-leading security application that allows customers to use smart cards and USB tokens as identity management devices within a smart card-based PKI authentication for Windows login, VPN, web login and remote sessions, as well as for data security, digital signature and secure email. This solution is widely used at the DoD and in a number of other US government agencies.

We are dealing with a cyber weapon packaged for a specific target that makes use of modules available in malware samples already known to researchers, a trend that does not differ in philosophy from what was observed in the case of Duqu and Stuxnet. This is the first report of Sykipot being used to compromise smart cards, the authentication devices favored by the identity management systems of the American military. Hackers have used a version of Sykipot that dates back to March of last year and was already used for several attacks executed in the past year. The spreading vector is an email campaign addressed to specific targets. Consider that the malware has appeared several times in combination with zero-day exploits and has been used to launch targeted attacks since 2007.

The attacks compromise smart card readers running on Windows OS, in particular the native x509 modules, according to what has been reported by the US government.

How does the trojan work? It uses a keylogger to steal the PINs of the smart cards while they are in use. When a card is inserted into the reader, the trojan acts as the authenticated user and is free to access sensitive and protected information. The stolen data are sent back to the attacker, who is able to drive the operations remotely.

The event is undoubtedly of the utmost gravity, and an attack with this method could compromise the whole PKI architecture on which logical and physical access management are based.


Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
