Chinese Hackers Reportedly Using Sykipot Variant to Attack Defense Department Smart Cards

Security firm Alienvault says that a new variant of the Sykipot family of malware is targeting ActivIdentity’s ActivClient, which is used by the U.S. Department of Defense as a secure means of authentication. Aside from the examination of a sample of the malware itself, it’s unknown what, if any, data the spear-phishing campaign used to launch the attack has made off with.

ActivClient is a smart card solution, which the DoD uses to comply with GSC-IS 2.1 and the General Services Administration’s BSI. Based on what Alienvault has seen, the latest Sykipot variant was compiled with “the purpose of obtaining information from the defense sector: the same sector that makes extensive use of PC/SC x509 Smartcards for authentication.”

The latest attack starts with a Phishing email, delivered to targeted employees, and leverages a recently patched Adobe vulnerability to install the malicious code itself.

“Then, unlike previous strains, the malware uses a keylogger to steal PINs for the cards. When a card is inserted into the reader, the malware then acts as the authenticated user and can access sensitive information. The malware is controlled by the attackers from the command & control center,” Alienvault explained.

“So, the modus operandi of the attackers is listing the certificates present on the victim’s computer included the smartcards, stealing the PIN using the keylogger module and then use this information to log onto remote resources protected with certificates/smartcards.”

This attack is just the latest method being used to circumvent multi-factor authentication, the researchers note. Once the malware is on the system, it can capture the PIN used by the smart card, bind it to the certificate installed on the client machine, and as long as the card itself is in the reader, the attacker can access the protected resources.

The Adobe vulnerability targeted by the Sykipot malware was patched on January 10. Systems running Adobe Reader X (10.1.1) or lower are impacted by the remote code execution flaw.

ActivIdentity was acquired by HID Global in a deal that was completed in December 2010.

SecutityWeek contacted ActivIdenity to get feedback on the situation. “We are aware of the recent reports that purportedly identified a new attack method that could hijack smart card-based certificates,” Jean-Luc Azou, Senior Product Manager at ActivIdentity told SecurityWeek. “We take these reports very seriously and are working diligently to investigate the potential threat.”

“Our initial assessment is that this potential vulnerability is completely unrelated to ActivIdentity ActivClient software,” Azou added. “Nevertheless, it is possible that unauthorized persons may eventually be able to access company IT networks should personal computers become compromised with malware. We therefore urge our customers to deploy ActivIdentity solutions and adhere to best practice security policies and procedures.”