updated 1/13/2012 9:48:58 AM ET

Chinese cybercriminals have redesigned a notorious piece of malware to steal confidential data from the U.S. departments of Defense and Homeland Security and other government agencies and businesses, security researchers say.

Researchers at the security firm AlienVault said they recently discovered a new variant of the Sykipot malware that originates in China and is able to "effectively hijack" smart cards used by government employees to access restricted servers and sensitive computer networks.

The new Sykipot, AlienVault researchers wrote in a blog posting yesterday (Jan. 12), spreads via spear-phishing attacks: targeted phishing emails that include details pertinent to the recipient so the message appears legitimate. The emails, sent from servers in China, carry an attached PDF that, when opened, automatically installs Sykipot on the recipient's machine.

Another RSA breach?

Once Sykipot embeds itself on a computer, it begins a series of communications with its remote operators that end with the attackers having the same, privileged access they'd get if they were using the machine themselves.

"Unlike previous strains, the malware uses a keylogger to steal PINs for the [smart] cards," AlienVault wrote. "When a card is inserted into the reader, the malware then acts as the authenticated user and can access sensitive information."

A similar chain of events led to the devastating hack on RSA, the maker of SecurID tokens. That breach, in March 2011, netted cybercriminals the secret RSA encryption algorithm, which they then used to tap into the networks of major defense contractors Northrop Grumman and Lockheed Martin.

29 million potential victims

This new strain of Sykipot — the malware has been around since 2007 — goes after smart card readers that run ActivClient, a program made by the identity-authentication company ActivIdentity. ActivIdentity's smart cards are used by more than 2,500 clients and 29 million individuals, including employees of the departments of Defense, Treasury and Homeland Security and the Coast Guard, as well as the French Ministry of Finance and businesses including Nissan and Monsanto, the New York Times reported.

An ActivIdentity representative had no comment, and told SecurityNewsDaily yesterday (Jan. 12) that the employees who could address the issue were unavailable.

A smart card inserted into a Sykipot-infected computer can be used remotely to harvest information for as long as it remains in the reader, meaning its legitimate owner must be physically present.

This makes unauthorized activity "that much more difficult to discern from legitimate usage," the researchers wrote.

AlienVault said this variant of Sykipot has been around since March 2011, and was used in dozens of cyberattacks last year.

© 2012 SecurityNewsDaily. All rights reserved