Sykipot is not a new Trojan Horse by any means, but the variation found to be attacking Department of Defense smart cards is certainly something that government agencies need to be worried about. United States government agencies, that is. It's doubtful the Chinese government will be too worried about them, considering that the Sykipot-led attacks against these US government agencies would appear to be originating from China itself.

Security specialist AlienVault has uncovered evidence that the attacks might stretch right back as far as March 2011 and have been targeting a number of agencies which use ActivIdentity, or more specifically the smart card readers running ActivClient (the client application of ActivIdentity) and which smart cards are now standard security measures for the US Army, Navy, Air Force as well as the Department of Defense itself. The smart cards are used not only to identify military personnel but civilian employees and contractors for example.

Jaime Blasco, AlienVault's Research Lab Manager, reckons this is the "first report of Sykipot being used to compromise smart cards" although he does admit that a year ago another security vendor wrote about smart card proxy attacks "although the report did not provide specifics on the attack methodologies being used, the term is useful in describing this latest style of attack vector." The research team have apparently so far found evidence of attacks compromising cards running on the Windows Native x509 software which is pretty commonplace, as I understand it, within US government agencies.

Blasco makes the China connection as he has reason to believe that the Sykibot 'swarm' team are Chinese and working to a known 'data shopping list' which includes semiconductor and aerospace technology information. Indeed, the new strain is thought to come from the same Chinese hackers which created an earlier Sykibot version that spammed messages containing promises of information on US drone technology.

Once activated, the Sykibot strain employs keyloggers to harvest PINs for the smart cards in question which allows the malware to act as an authenticated users and therefore access sensitive information under the control of its allegedly Chinese controllers.