Sykipot-wielding attackers now targeting US civil aviation firms

The Sykipot backdoor Trojan is not a new threat. First detected over six years ago, its existence and use has been tied almost exclusively with the cyber espionage activities of a group or groups of attackers that are likely to be based in China.

The malware itself hasn’t changed much throughout the years, and its goal is simple and always the same – once it gains access to a system, it establishes an SSL connection to a C&C server from which additional malware is downloaded, then installed and run on the victim’s machine.

It has mostly been used in campaigns targeting the US defense industry and government contractors, along with some computer hardware manufacturers and telecoms. But in this last campaign spotted by Trend Macro researchers, the attackers have unexpectedly focused on companies working in the US civil aviation sector.

The Sykipot attackers are known for their use of zero-day exploits to deliver the backdoor to the victims, and that, along with their persistence and specific targeting, is another clue that points to their nature as state-sponsored hackers.

The researchers are warning US-based entities – and especially those in the civilian sectors that are important to the country’s infrastructure – to be on the lookout for similar campaigns, urging them to keep their systems updated and securely configured or adding virtual patching (or virtual shielding) solutions to their defenses if security upgrades are not possible for whatever reason.

“Since this attack typically arrives via email messages, it is important for organizations to implement an good social engineering program. This can help organizations, particularly employees, managers etc., to be wary of email messages that may carry malware related to campaigns like Sykipot,” they pointed out.