Chinese hackers compromised U.S. military access cards
Jan. 14, 2012
According to researchers at security tools firm AlienVault, a new variant of the Sykipot Trojan has been used to hack into and disable the U.S. Department of Defense-sanctioned smart cards used to authorise network and building access at many U.S. government agencies.
Overall, smart cards are a standard means of granting active duty military staff, selected reserve personnel, civilian employees and a few eligible contractors access to intranets at the U.S. Army, Navy and Air Force facilities.
They can also be used to get into buildings or, when used in conjunction with a static password, to access specific networks. Chinese hackers have adapted the Sykipot Trojan to lift card credentials from compromised systems in order to illegally access classified military networks.
An adapted version of the Trojan virus targets personal computers attached to smart card readers running ActivClient, the client application of ActivIdentity, in what's been described as a smart card proxy attack.
The Sykipot Trojan was created in November 2008 and featured in a number of industrial espionage-style attacks. Researchers at AlienVault captured an adapted version of the malware, specifically designed to circumvent authentication technology supplied by ActivIdentity, in a 'honeypot' about two weeks ago.
Subsequent analysis suggests that hackers added a smart card module to existing malware around March 2011. AlienVault says that the new strain of the Sykipot Trojan was developed by the same Chinese authors who created earlier versions of the malware, first seen around three years ago. Previous builds of the Trojan were promoted by spammed messages that posed as information about the next generation of U.S. Air Force drones.
But in reality, the message pointed at drive-by-download sites that featured the Sykipot Trojan as a payload and took advantage of various IE and Adobe Reader security flaws.
The malware featured in targeted attacks against aerospace technology firms that were ultimately designed to extract commercially sensitive information from compromised systems.
The latest run of attacks also features spear phishing emails that attempt to trick targets into clicking on a link that deposits the Sykipot malware onto their machines. This time around, the malware uses a key-logger to steal the PINs associated with smart cards.
Once attackers have authentication codes and associated PINs, they gain the same level of trusted access to sensitive networks as the user whose credentials they have stolen.
The cyber-criminals behind the attack are using another version of the Sykipot virus first discovered in March 2011 that has featured in dozens of attacks since, according to AlienVault.
Jaime Blasco, AlienVault's lab manager, says that Chinese-language messages embedded in the code, together with the use of software found only in China, provide evidence that Chinese hackers are ultimately behind the attack. Blasco added that the use of dynamic tokens that offer two-factor authentication would thwart this particular line of attack.
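The last sentence above explains why a keylogged credential is so damaging and why a dynamic token changes the picture. The example below is added here and is not code from the article, from AlienVault or from ActivIdentity; it implements a standard time-based one-time password (TOTP, RFC 6238) verifier with a replay guard and contrasts it with a static PIN check. The secret (the RFC test-vector key), the PIN and the timestamps are constructed sample values.

```python
"""Added example: a captured static PIN replays forever, a dynamic token code does not.

The smart-card attack in the article keylogs a static PIN and reuses it. A time-based
one-time password (TOTP, RFC 6238) changes every 30 seconds, and a verifier that
remembers the last accepted time step rejects a replay even inside the same window.
All secrets, PINs and times below are constructed sample values.
"""
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per TOTP window (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // TIME_STEP)


class StaticPinVerifier:
    """Models the static smart-card PIN the keylogger harvests: same value every time."""

    def __init__(self, pin: str):
        self.pin = pin

    def verify(self, pin: str, unix_time: int) -> bool:
        return hmac.compare_digest(self.pin, pin)


class TokenVerifier:
    """Server-side dynamic-token check: accepts the current step plus one step of clock
    skew either way, and never accepts a time step that has already been consumed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        step = unix_time // TIME_STEP
        for candidate in (step - 1, step, step + 1):
            if candidate <= self.last_accepted_step:
                continue  # replay guard: this window was already used once
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


def replay_demo() -> dict:
    """Simulates a keylogger capturing one login and the attacker replaying it later."""
    secret = b"12345678901234567890"  # RFC 6238 test-vector key (constructed sample)
    pin = "1234"                      # constructed sample static PIN

    static = StaticPinVerifier(pin)
    token = TokenVerifier(secret)

    # Legitimate user logs in at t=59; the keylogger records both values.
    captured_pin = pin
    captured_code = totp(secret, 59)          # "287082" for this key and time
    legit = token.verify(captured_code, 59)

    return {
        "legit_token_login": legit,
        "token_replay_same_window": token.verify(captured_code, 70),   # 11 s later
        "token_replay_later": token.verify(captured_code, 200),        # ~2.5 min later
        "static_pin_replay_later": static.verify(captured_pin, 10_000),  # always works
    }


if __name__ == "__main__":
    for name, outcome in replay_demo().items():
        print(f"{name}: {'accepted' if outcome else 'rejected'}")
```

The contrast is the whole point: `StaticPinVerifier` cannot distinguish the user from someone holding a keylogged copy of the PIN, while `TokenVerifier` rejects the captured code both within the same 30-second window (the step was consumed) and afterwards (the code no longer matches any step in the window). A real deployment would also bind the code to the session and rate-limit attempts, which this example omits.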
AlienVault supplies security event logging technology and does not compete with ActivIdentity. Blasco said that it had supplied neither ActivIdentity nor the U.S. DoD with malware samples or notification of its research, which was first made public in an article in the New York Times on January 12.
ActivIdentity's smart cards are standard issue at the DoD and a number of other U.S. government agencies. Other users include Monsanto, BNP Paribas and Air France.
In response to AlienVault's newest research, ActivIdentity said in a statement: "We are aware of the recent reports that purportedly identified a new attack method that could hijack smart card-based certificates."
It then went on to say: "We take these reports very seriously and are working diligently to investigate the potential threat. At this time, we are confident that the purported threat poses no immediate risk to our customers."
In other internet security news
The control of U.S. military spy drones has shifted from Windows to Linux following an embarrassing malware and virus infection on the Windows system.
Ground control systems at Creech Air Force Base in Nevada, which commands the killer unmanned drone aircraft, became largely infected with a nasty virus last September. In a statement at the time, the Air Force dismissed the virus as a mild nuisance and said it posed no threat to the operation of Reaper drones.
However, the intrusion was nonetheless treated seriously. "The ground system is separate from the flight control system Air Force pilots use daily to fly the aircraft remotely. The ability of the pilots to safely fly these unmanned aircraft remained secure throughout the incident," it said.
The initial discovery of the virus was nonetheless hugely embarrassing for the Air Force, and had some top officers at the Pentagon asking some very pointed questions.
The credential-stealing malware made its way from a portable hard drive onto ground systems, which control the drones' various weapons and surveillance functions. Portable disks are also used to load map updates and transfer mission-critical videos from one computer to another, Defense News added.
"The malware was detected on a standalone mission support network using a Windows-based operating system," a U.S. Air Force statement at the time explained.
"The malware in question is a credential stealer, not a keylogger, found routinely on computer networks and is considered more of a nuisance than an operational threat. It is not designed to transmit data or video, nor is it designed to corrupt data, files or programs on the infected computer. Our tools and processes detect this type of malware as soon as it appears on the system, preventing further reach."
Unmanned drone aircraft units were advised to stop using the removable drives to prevent another outbreak. Behind the scenes, other changes also appear to have been made: screenshots of drone control computers uploaded by security researcher Mikko Hypponen suggest that at least some of the consoles have been migrated from Microsoft Windows to the Linux operating system.
Hypponen says "If I would need to select between Windows XP and a Linux based system while building a military system, I wouldn't doubt a second which one I would take-- Linux."
In other internet security news
Hackers have succeeded in extracting Amazon's proxy-based Silk browser from the Kindle Fire tablet and running it on other Android devices, allowing anyone to make use of the supposedly secure Amazon cloud service that backs it, which is also used by some enterprises.
The hack requires a rooted device and some fiddling with so-called APK files, but it does make the Silk browser available elsewhere nevertheless, and that's what's so troubling about this incident. XDA-Developers member TyHi initially hacked the Silk browser into the popular CyanogenMod Android distribution, but others have tested it as well on a wide variety of builds and devices, and they were also successful at reaching the Amazon cloud.
Overall, Silk offloads most of the rendering of web pages onto Amazon's cloud service, improving performance and reducing the internet bandwidth required, but it's far from alone in taking that approach.
SkyFire and Bolt work almost the same way, as does Opera's Turbo option, and Opera has even gone on record promising not to misuse the accumulated data.
So the only reason for wanting to run Silk would seem to be a desire to let Amazon know more about one's browsing habits. Since the company hasn't yet accumulated enough information on everything one buys, it is still a bit early to predict what the outcome will be over the next few months.
The hack, then, was mainly a demonstration of what could be done. For most users, Silk still has little to offer beyond what's already available with rather less effort.
In other internet security news
Fujitsu said two days ago that it has been commissioned to develop so-called seek and destroy malware, reportedly designed to accurately track and then totally disable the sources of most cyber-attacks that have been on the increase lately.
The cyber-weapon is the result of a three-year $2.3 million project that also involved developing tools capable of monitoring and analyzing the sources of hacking attacks. Deploying the technology would involve clearing both practical and legislative hurdles.
Tracing the exact source of cyber-attacks is inherently difficult, mainly because attackers routinely hide behind botnets and anonymous proxies to launch their attacks, such as denial of service (DoS) assaults. The malware reportedly developed by Fujitsu is designed to trace connections back to their controlling hosts before totally disabling them.
Getting this right is far from a trivial process, and the potential for collateral damage is considerable, even before hackers develop countermeasures. Another issue is that, if the tool is ever released, it could fall into the hands of miscreants who might reverse-engineer it before adapting it for their own nefarious purposes.
The malware has reportedly been tested in a "closed network environment". The tool reportedly has the greatest potential in tracking back the sources of DoS attacks. Whether it's any good at the much more difficult process of picking out stealthy industrial espionage-style information-stealing attempts still remains unclear, however.
Currently, Japanese law prohibits offensive responses in retaliation to cyber-attacks, another potential issue, but one that is perhaps easier to resolve by updating current laws. The current prohibition has more to do with post-Second World War agreements that restrict Japanese military capabilities than with local laws against the creation of computer viruses, however.
Japan is a prime target for cyber-attacks and suffered numerous assaults in 2011. Reported victims include Japan’s parliament and industrial giant Mitsubishi.
The Defense Ministry's Technical Research and Development Institute is understood to have outsourced the development of the tool to Fujitsu. A Defense Ministry official played down talks of offensive applications for the software and said that it was designed for applications such as tracing the source of cyber-attacks against Japanese Self-Defense Force systems.
But Professor Motohiro Tsuchiya of Keio University, a member of a government panel on information security policy, said that Japan ought to accelerate cyber-weapons development.
Fujitsu declined to comment about the supposed cyber-weapon, citing client confidentiality.