Cyber warfare continues to be a controversial topic, but security researchers continue to uncover evidence of covert activities that involve stealing military-related information.
The latest evidence of this kind of activity has been highlighted by researchers at AlienVault Labs, who say China-based hackers have been targeting US federal agencies and contractors for months.
The attackers, they say, have been sending emails with a malicious attachment or link, sometimes using a zero-day exploit, to key employees of different organisations.
“In most of the campaigns the malware dropped displays some document or media attractive to the victim,” wrote Jaime Blasco, manager of AlienVault Labs, in a blog post.
One of the key purposes of the malware, known as Sykipot, has been to steal documents related to the Pentagon’s drone strategy. For this reason, the attackers used email addresses from US military and other government organisations.
After an analysis of the different domains used by Sykipot and the command-and-control (C&C) headers and data, the researchers discovered that they were using hacked servers mainly in the US to mask the real C&C server.
They say the attackers used well-known public exploits to hack into US-based servers and then installed software to proxy the connections between the infected systems and the real C&C server.
“We shouldn’t jump to assumptions, but whoever is behind Sykipot is massively collecting information from targeted victims that covers dozens of industries,” wrote Blasco.
However, he goes on to detail how his research team identified at least six Chinese IP addresses that are used to proxy or host the command-and-control (C&C) servers, and a tool that the Sykipot authors use to package and create campaigns that contains Chinese-language error messages.
The web server software used on the C&C servers is mainly used by Chinese speakers, most of the domains used in these campaigns are registered under a Chinese domain, and one of the tools used to redirect the traffic from the hacked servers is related to a tool that appears to originate in China.
The researchers have since discovered that the attackers they have been investigating are also using malware that is capable of overriding Pentagon smart card credentials to access protected data, according to US reports.
The AlienVault research findings are reminiscent of Operation Shady RAT, exposed by security firm McAfee five months ago, which involved 72 compromised organisations, including military contractors.