On March 9, Kaspersky Lab, the Russia-based cybersecurity company, reported its research on a program it called Slingshot, which used a highly sophisticated approach to infect computers with malware through compromised routers. The operation had targeted computers throughout the Middle East and parts of Africa since at least 2012, and required a lot of money and expertise from its creators. A report by an industry news publication, CyberScoop, claims Slingshot was run by the Special Operations Command (SOCOM).
The report about the program was the centerpiece of the Kaspersky Security Analyst Summit (SAS) this month. The firm’s researchers identified an advanced persistent threat (APT), a term that usually describes a well-organized and trained group of hackers operating on a regular basis and possibly on behalf of a state government, that found a way to compromise various devices through routers. The attack was described as “remarkable and, to the best of our knowledge, unique” by Kaspersky researchers.
The company could not determine how the routers themselves were infected, but the routers were used to inject malware into computers. The attack replaced one of the Windows libraries with a malicious one, and then used it to download and install two distinct pieces of malware called Cahnadr and GollumApp, which Kaspersky described as “masterpieces of cyberespionage art.” Combined, the two gave virtually unrestricted access to an attacked computer, harvesting screenshots, keystrokes, network traffic, USB connections, clipboard content, and much more.
The people behind Slingshot also took serious measures to keep their malware from being detected. For example, it can shut down its own components before being exposed by antivirus software. It also runs its own encrypted file system to remain hidden from the computer’s operating system, and blocks disk defragmentation to avoid being damaged by the process.
Kaspersky Lab said it has found around 100 victims of Slingshot and its related modules in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. Kenya and Yemen accounted for the majority of the cases. Most of the victims were individuals rather than organizations.
The company said it could not attribute the threat to a particular actor, but believed the people behind it to be “highly organized and professional and probably state-sponsored.” Text clues in the code suggested they were “English-speaking.”
The news report quotes unnamed former and current US intelligence officials, who said that Slingshot was an operation of the Joint Special Operations Command (JSOC), a component of SOCOM. Kaspersky Lab “burned” the program, which is believed to have been an anti-terrorist operation, leaving the American military without a valuable tool and potentially putting American lives at risk, the officials claimed.