Malicious Software Attacks Security Cards Used by Pentagon

From the New York Times: Chinese hackers have deployed a new cyber weapon that is aimed at the Defense Department, the Department of Homeland Security, the State Department and potentially a number of other United States government agencies and businesses, security researchers say.

Researchers at AlienVault, a Campbell, Calif., security company, said on Thursday that they had uncovered a new variant of some malicious software called Sykipot that targets smart cards used by government employees to access restricted servers and networks. Traces of Sykipot malware have been found in cyberattacks dating back to 2006, but AlienVault’s researchers say this is the first time Sykipot has compromised smart cards.

The government uses smart cards to supplement employee passwords, which have proven easy to crack. By cracking smart cards, hackers eliminate the final hurdle between themselves and some of the government’s most sensitive information. Mandiant, a security firm, first outlined smart card weaknesses in a January 2011 report and said it had investigated several attacks in which hackers used smart cards to crack into companies. The latest Sykipot strain offers a look at how hackers are compromising smart cards and indicates who they are after.

Researchers say this strain specifically targets smart card readers that run ActivClient, a program made by ActivIdentity, an identity authentication company based in Fremont, Calif.  ActivIdentity’s smart cards are used by employees at the Defense Department, Department of Homeland Security, Coast Guard, Social Security Administration, Treasury Department and other government agencies. . . .

. . . .Researchers believe Sykipot has its origins in China. Previous Sykipot strains have been traced to command-and-control servers in China, and the researchers said they discovered Chinese characters in a small snippet of code in this latest strain.

Last December, Lockheed Martin drew attention to a previous Sykipot variant that used an Adobe vulnerability to infect victims’ machines. In that case, hackers sent personalized emails to their victims, often from people they knew, persuading them to open a PDF attachment. The attachment then unleashed malicious code onto victims’ machines that gave hackers access to their restricted network and servers. Adobe has since encouraged customers to use updated versions of its software. . . .

Researchers said this new strain of Sykipot also used an e-mail campaign to lure victims into opening an infected PDF attachment. But unlike previous strains, they say this new strain also employs a keystroke logger that steals PIN numbers for smart cards. When a target inserts a smart card into an infected machine, hackers can log in to the server or network using their victim’s smart card credentials and tell the malware where to go and what to steal.

Exactly what Sykipot’s architects have stolen is still not known. But given ActivIdentity’s client list of defense agencies, security researchers say, it is now clear who the target is.

Threats are Out There