Earlier this month, Kaspersky Lab researchers disclosed malware code-named Slingshot, so stealthy that it stayed hidden for six years despite having infected at least 100 computers globally. The campaign specifically targeted compromised Latvian-made routers, popular in African and Middle Eastern countries, including Afghanistan, Iraq, Kenya, Sudan, Somalia, Turkey and Yemen.
Slingshot’s name comes from text found inside various recovered malware samples. Kaspersky Lab also dubbed it “the spy that came in from the router”. Once a compromised router is taken over by Slingshot, it can run in kernel mode, “giving it complete control over victims’ devices”. Kaspersky Lab said “many of the techniques used by this threat actor are unique and it is extremely effective at stealthy information gathering, hiding its traffic in marked data packets that it can intercept without trace from everyday communications”.
When an administrator logs in to configure the router, its management software downloads and runs the malicious module on that administrator’s computer. How the routers are hacked initially remains unknown. Once the device has been infected, many modules are loaded onto the victim’s device, including two of the biggest: Cahnadr and GollumApp. These two modules support one another in information gathering, persistence and data extraction.
The main purpose of Slingshot appears to be cyber-espionage and the extraction of valuable data. It is one of the most advanced attack platforms ever identified, meaning it was likely developed on behalf of a well-resourced nation state. Kaspersky Lab did not speculate or attribute Slingshot to any particular government in its public report, describing it instead as an advanced persistent threat (APT).
On Tuesday of this week, various publications, including Cyberscoop and The American Conservative, suggested Slingshot was in fact developed by the U.S. government. Cyberscoop said several current and former U.S. intelligence officials had told them that “Slingshot represents a U.S. military program run out of Joint Special Operations Command (JSOC), a component of Special Operations Command (SOCOM)”.
The sources told Cyberscoop that the targeted computers would often be located inside Internet cafes in developing countries, which ISIS and al-Qaeda targets frequently use to send and receive messages. The sources spoke anonymously because the program is classified and said they worried that public exposure of Slingshot could threaten soldiers’ lives in the targeted areas, and cause the U.S. to lose access to a valuable surveillance program.
Kaspersky is currently fighting the U.S. government in court after claims its software posed a national security risk owing to the company’s purported ties to the Russian government. Kaspersky denies any wrongdoing. A former intelligence official told Cyberscoop that Kaspersky’s findings had “likely already caused the U.S. to abandon and ‘burn’ some of the digital infrastructure that JSOC was using to manage the surveillance program”.
For the U.S. government, the revelations highlight the difficult position it is in when deploying cyber attacks that potentially affect far more people than their intended targets. Various U.S. agencies have declined to comment on the breaking story; however, further findings reported by The American Conservative “suggest that Slingshot had common code with only two other known pieces of software, both malwares, which were attributed to the NSA and CIA, respectively, by analysts”.