New Sykipot variant can steal PINs from DOD smart cards

A newly discovered variant of the Sykipot Trojan, which has been used for years in attacks originating from servers in China, can be used to compromise the Defense Department’s Common Access Cards, according to research by Alienvault Labs.

The variant, which Alienvault says appears to have been around since March 2011, arrives via phishing attacks and uses a keylogger to “effectively hijack DOD and Windows smart cards,” Alienvault’s Jaime Blasco wrote in a blog post.

The variant has turned up in dozens of attack samples over the past year, Blasco writes.

The spear-phishing emails carry an Adobe PDF attachment that, when opened, exploits an Adobe zero-day vulnerability to load Sykipot onto the target’s computer, according to Alienvault’s research.

Using a keylogger, the Sykipot variant can then capture the PIN as the cardholder signs in, and subsequently act as the authenticated user to steal information for as long as the card remains in the smart-card reader, Alienvault said. The malware also lists the public-key certificates stored on the system. The PIN by itself does not give the attacker the card’s private key, which never leaves the card; it only unlocks the card for signing, which is why the window of misuse closes once the card is removed.

“So the modus operandi of the attackers is listing the certificates present on the victimʼs computer … stealing the PIN using the keylogger module and then [using] this information to log onto remote resources protected with certificates/smart cards,” Alienvault said.
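The two pieces of information the attackers collect without the PIN are visible to any process running as the cardholder. The following PowerShell is an added illustration, not code from the article or from Alienvault: it inventories the certificates in the user’s personal store (where the Certificate Propagation service copies a CAC’s certificates when the card is inserted), flags the ones usable for smart-card logon or client authentication, and reports the card-removal policy that bounds how long an inserted card can be ridden. It assumes Windows PowerShell 5.1 or PowerShell 7 on a Windows host and is run as the cardholder; the function names are the author’s own.

```powershell
# Added example (not from the article or AlienVault): what a user-mode process in the
# cardholder's session can learn about the smart card without ever knowing the PIN,
# plus the policy setting that limits the attacker's window after logon.
# Assumptions: Windows PowerShell 5.1 / PowerShell 7 on Windows, run as the cardholder.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU OID
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth (TLS client auth)

function Get-SmartCardCertificateInventory {
    # Everything read here is public certificate data; the PIN only gates private-key use.
    # Certificates from an inserted CAC show up in Cert:\CurrentUser\My with HasPrivateKey
    # set, because the Certificate Propagation service copies them there on insertion.
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOids = @()
        if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            Thumbprint     = $cert.Thumbprint
            HasPrivateKey  = $cert.HasPrivateKey
            SmartCardLogon = ($ekuOids -contains $SmartCardLogonEku)
            ClientAuth     = ($ekuOids -contains $ClientAuthEku)
        }
    }
}

function Get-SmartCardRemovalPolicy {
    # 'Interactive logon: Smart card removal behavior' is stored as the REG_SZ value
    # ScRemoveOption under Winlogon. 0 = no action (the session, and any malware in it,
    # keeps using the card until it is pulled), 1 = lock workstation,
    # 2 = force logoff, 3 = disconnect the Remote Desktop session.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
    switch ([string]$value) {
        '1'     { 'Lock workstation' }
        '2'     { 'Force logoff' }
        '3'     { 'Disconnect Remote Desktop session' }
        default { 'No action (default)' }
    }
}

$inventory = Get-SmartCardCertificateInventory
$inventory |
    Where-Object { $_.SmartCardLogon -or $_.ClientAuth } |
    Format-Table Subject, Issuer, NotAfter, HasPrivateKey, SmartCardLogon, ClientAuth -AutoSize

"Smart-card removal behavior: $(Get-SmartCardRemovalPolicy)"
```

The inventory step is the benign twin of the malware’s certificate listing: it shows which remote resources the attacker could reach once the keylogger supplies the PIN. The removal-policy check is the defensive counterpart of the commenter’s point below that the card should not stay in the reader; setting the policy to lock or log off on removal does not stop misuse while the card is present, but it shortens the habit of leaving an unlocked session with the card inserted.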

“We have tested the malware and, in fact, it is working,” Blasco told Dark Reading. “It’s likely they got inside protected systems and gained access using this malware.”

Sykipot, a backdoor Trojan, has been used in phishing attacks since 2007, often against defense contractors. What’s new in this variant is the keylogger, Alienvault said. What’s not new is that Sykipot takes advantage of Adobe vulnerabilities, ThreatPost has noted.

In December 2011, Alienvault reported on a Sykipot attack that appeared to target the military’s fleets of unmanned aerial vehicles.

The attack, which was discovered after defense contractor Lockheed Martin called attention to it, also exploited a zero-day vulnerability in Adobe Reader. As with other Sykipot attacks, it was traced to a command-and-control server in China, although it masked its tracks through hacked servers in the United States.

Alienvault researchers say they believe one group of attackers is behind both attacks, Dark Reading reported. “We believe it’s the same group of attackers,” Blasco said. “They have been using the same techniques, even sharing some parts of the code in other attacks.”

Common Access Cards have been used in DOD as a two-factor authentication measure for years. As of 2008, the department had issued more than 17 million of them, to military and civilian personnel, as well as to contractors.

About the Author

Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.

Reader Comments

Wed, Jan 18, 2012

It's not really a flaw in two factor authentication, nor a way to "steal PINs from DOD smart cards". A keylogger isn't targeting smart cards, it's just a keylogger. They've been around as long as computers have. As for the two factor authentication, this attack only works while it's in control of a computer into which an operator has inserted the smart card. A compromised computer with credentials is a compromised computer with credentials, regardless of how many factors are part of the authentication. Once TrustedGuy logs in, he is trusted. When he's not using stuff that needs the credentials, the smart card shouldn't be in the machine. It's like the episode of Seinfeld: "Because I spent my money on the Klapco D29! It's the most impenetrable lock on the market today! It has only one design flaw. The door... must be closed!"

Tue, Jan 17, 2012

so much for two factor authentication...
