New Chinese malware attacks Department of Defense

A new strain of malware called Sykipot is infecting US government access cards, and AlienVault has traced the virus back to China.

Access cards are often used in government departments both for physical access and for access to protected information. As AlienVault explains in a blog post, cyber criminals will always try to keep in step with our security measures, even physical ones like a card. Kind of like, if we built it, they will hack. In this case, the Chinese cyber criminals have found a way to bypass a physical card by attacking the Windows operating system on the machine the card reader is attached to.

Sykipot (pronounced sick-ee-pot) was originally found in 2006 as a very simple form of malware, distributed through phishing e-mails. Now, Sykipot is a little more developed, but is still distributed in the same way. Jaime Blasco, a researcher for AlienVault, explained that cyber criminals are sending e-mails about weapons and warfare materials to the Department of Defense and other government contractors in an attempt to lure recipients into opening infected PDFs. Once the malware is set loose within the system, it finds the card reader and extracts authentication credentials from the card, as long as the card is physically in the reader.

The information is then sent back to command and control servers. Tracing the malware's communications, Blasco was able to determine that the US servers that appeared to receive the malware's messages were really just a proxy for servers in China. One of these command and control servers also produced an error message from one of the tools used to create the malware. This message was entirely in Chinese, which further pointed to the malware's Chinese origins.

Specifically, Sykipot is attacking the United States Department of Defense, along with other defense contractors. Though these cyber criminals are able to intercept authentication credentials, they cannot physically enter any of the compromised buildings, as it is not (yet) possible to replicate the physical card.

What has been compromised, if anything, has yet to be released.
