Routers, both the big corporate kind and the small one gathering dust in the corner of your home, have long made an attractive target for hackers. They're always on and connected, often full of unpatched security vulnerabilities, and offer a convenient chokepoint for eavesdropping on all the data you pipe out to the internet. Now security researchers have found a broad, apparently state-sponsored hacking operation that goes a step further, using hacked routers as a foothold to drop highly sophisticated spyware even deeper inside a network, onto the computers that connect to those compromised internet access points.
Researchers at security firm Kaspersky on Friday revealed a long-running hacking campaign, which they call "Slingshot," that they believe planted spyware on more than a hundred targets in 11 countries, mostly in Kenya and Yemen. The hackers gained access to the deepest level of victim computers' operating system, known as the kernel, taking full control of target machines. And while Kaspersky's researchers haven't yet determined how the spyware initially infected the majority of those targets, in some cases the malicious code had been installed via small-business-grade routers sold by the Latvian firm MikroTik, which the Slingshot hackers had compromised.
Unlike previous router-hacking campaigns that have used routers themselves as eavesdropping points—or the far more common home router hacks that use them as fodder for distributed-denial-of-service attacks aimed at taking down websites—the Slingshot hackers appear to have instead exploited routers' position as a little-scrutinized foothold that can spread infections to sensitive computers within a network, allowing deeper access to spies. Infecting a router at a business or coffee shop, for instance, would then potentially give access to a broad range of users.
"It’s quite an overlooked place," says Kaspersky researcher Vicente Diaz. "If someone is performing a security check of an important person, the router is probably the last thing they’ll check... It’s quite easy for an attacker to infect hundreds of these routers, and then you have an infection inside their internal network without much suspicion."
Infiltrating Internet Cafes?
Kaspersky research director Costin Raiu offered one theory as to Slingshot's targets: Internet cafes. MikroTik routers are particularly popular in the developing world, where internet cafes remain common. And while Kaspersky detected the campaign's spyware on machines using consumer-grade Kaspersky software, the routers it targeted were designed for networks of dozens of machines. "They're using home user licenses, but who has 30 computers at home?" Raiu says. "Maybe not all are internet cafes, but some are."
The Slingshot campaign, which Kaspersky believes persisted undetected for the last six years, exploits MikroTik's "Winbox" software, which is designed to run on the user's computer to allow them to connect to and configure the router, and in the process downloads a collection of dynamic link library, or .dll, files from the router to the user's machine. When infected with Slingshot's malware, a router includes a rogue .dll in that download that transfers to the victim's machine when they connect to the network device.
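The mechanism described above works because the management tool treats whatever executable files the router hands it as trustworthy. The following is an added example, not code from Kaspersky, MikroTik or this article, of the simplest control that closes that gap on the client side: pinning the digests of the files the tool expects and refusing to load anything that does not match. The file names and contents are constructed placeholders; the real tool's module names and digests are not on the page and are not used here.

```python
"""Allowlist check for executable files fetched from a network device.

Added example for this article; not Kaspersky's, MikroTik's or WIRED's code.
A management tool that pulls .dll files from a router and runs them on the
administrator's PC must authenticate those files before loading them. This
script models the simplest such control: a pinned allowlist of SHA-256
digests. All file names and contents below are constructed placeholders.
"""
import hashlib
import hmac
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the legitimate modules the tool expects to receive.
# A real tool would ship the vendor's pinned digests (or verify a code-signing
# signature) rather than compute them from local copies as this demo does.
LEGITIMATE_FILES: Dict[str, bytes] = {
    "example_ui.dll": b"MZ\x90\x00 constructed placeholder: legitimate ui module",
    "example_net.dll": b"MZ\x90\x00 constructed placeholder: legitimate net module",
}
ALLOWLIST: Dict[str, str] = {
    name: sha256_hex(data) for name, data in LEGITIMATE_FILES.items()
}


def audit_download(received: Dict[str, bytes],
                   allowlist: Dict[str, str] = ALLOWLIST) -> Dict[str, str]:
    """Classify every file the device sent, plus any it failed to send.

    ok          digest matches the pinned value for that name
    modified    expected name, unexpected bytes (a legitimately named module
                replaced on the router, which is the Slingshot pattern)
    unexpected  a file name the tool never asked for
    missing     an expected module the device did not deliver
    """
    verdicts: Dict[str, str] = {}
    for name, data in received.items():
        expected = allowlist.get(name)
        if expected is None:
            verdicts[name] = "unexpected"
        elif hmac.compare_digest(sha256_hex(data), expected):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "modified"
    for name in allowlist:
        if name not in received:
            verdicts[name] = "missing"
    return verdicts


def safe_to_load(verdicts: Dict[str, str]) -> bool:
    """Load nothing unless every expected file arrived intact and nothing extra came along."""
    return all(v == "ok" for v in verdicts.values())


def demo() -> Tuple[Dict[str, str], bool]:
    """Constructed download: one intact module, one renamed-but-altered module, one extra file."""
    received = {
        "example_ui.dll": LEGITIMATE_FILES["example_ui.dll"],
        "example_net.dll": b"MZ\x90\x00 constructed placeholder: ALTERED contents",
        "example_extra.dll": b"MZ\x90\x00 constructed placeholder: never requested",
    }
    verdicts = audit_download(received)
    return verdicts, safe_to_load(verdicts)


if __name__ == "__main__":
    results, ok = demo()
    for filename, verdict in sorted(results.items()):
        print(f"{filename:20s} {verdict}")
    print("safe to load:", ok)
```

The point the verdicts make is that a matching file name carries no trust: the altered module keeps its expected name and is only caught by the digest comparison, and a single non-"ok" verdict vetoes loading the whole set rather than just the offending file.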
That .dll serves as the foothold on the target computer, and then itself downloads a collection of spyware modules onto the target PC. Several of those modules function, like most programs, in normal "user" mode. But another, known as Cahnadr, runs with deeper kernel access. Kaspersky describes that kernel spyware as the "main orchestrator" of Slingshot's multiple PC infections. Together, the spyware modules have the ability to collect screenshots, read information from open windows, read the contents of the computer's hard drive and any peripherals, monitor the local network, and log keystrokes and passwords.
Kaspersky's Raiu speculates that perhaps Slingshot would use the router attack to infect an internet cafe administrator's machine and then use that access to spread to the PCs it offered to customers. "It’s quite elegant, I think," he added.
An Unknown Infection Point
Slingshot still presents plenty of unanswered questions. Kaspersky doesn't actually know if routers served as the initial point of infection for many of the Slingshot attacks. It also concedes that it’s not exactly sure how the initial infection of the MikroTik routers took place in the cases where they were used, though it points to one MikroTik router hacking technique mentioned last March in WikiLeaks' Vault7 collection of CIA hacking tools, known as ChimayRed.
MikroTik responded to that leak in a statement at the time by pointing out that the technique didn't work in more recent versions of its software. When WIRED asked MikroTik about Kaspersky's research, the company pointed out that the ChimayRed attack also required the router's firewall to be disabled, which would otherwise be on by default. "This did not affect many devices," a MikroTik spokesperson wrote in an email to WIRED. "Only in rare cases would somebody misconfigure their device."
Kaspersky, for its part, emphasized in its blog post on Slingshot that it hasn't confirmed whether it was the ChimayRed exploit or some other vulnerability that hackers used to target MikroTik's routers. But they do note that the latest version of MikroTik routers doesn’t install any software on the user’s PC, removing Slingshot’s path to infect its target computers.
Five-Eye Fingerprints
As murky as Slingshot's penetration technique may be, the geopolitics behind it may be even thornier. Kaspersky says it's not able to determine who ran the cyberespionage campaign. But they note that its sophistication suggests that it's the work of a government, and that textual clues in the malware's code suggest English-speaking developers. Aside from Yemen and Kenya, Kaspersky also found targets in Iraq, Afghanistan, Somalia, Libya, Congo, Turkey, Jordan and Tanzania.
All of that—particularly just how many of those countries have seen active US military operations—suggests that Kaspersky, a Russian firm often accused of ties to Kremlin intelligence agencies and whose software is now banned from US government networks, might be outing a secret hacking campaign carried out by the US government, or one of its "Five-Eyes" allies of English-speaking intelligence partners.
But Slingshot could also be the work of French, Israeli, or even Russian intelligence services seeking to keep tabs on terrorism hotspots. Jake Williams, a former NSA staffer and now the founder of Rendition Infosec, argues that nothing in Kaspersky's findings strongly indicates the nationality of the Slingshot hackers, noting that some of their techniques resemble those used by the Russian state-sponsored hacker group Turla and Russian crime networks. "Without more research, the attribution on this is really weak," Williams says. "If it was Five-Eyes and Kaspersky outed the group, I don't really see an issue there. They are doing what they do: exposing [state-sponsored hacking] groups." [1]
Kaspersky, for its part, insists that it doesn't know who's responsible for the Slingshot campaign, and seeks to protect its customers. "Our golden rule is we detect malware and it doesn’t matter where it comes from," says Kaspersky researcher Alexei Shulmin.
Regardless of who’s behind the attack, the hackers may have already been forced to develop new intrusion techniques, now that MikroTik has removed the feature they had exploited. But Kaspersky warns that the spyware campaign nonetheless serves as a warning that sophisticated state-sponsored hackers aren’t just aiming at traditional infection points like PCs and servers as they look for any machine that can let them bypass the armor of their targets. “Our visibility is too partial. We don’t look at networking devices,” says Diaz. “It’s a convenient place to slide under the radar.”
[1] Updated 10/9/2017 with a comment from Jake Williams.
Source: https://www.wired.com/story/router-hacking-slingshot-spy-operation-compromised-more-than-100-targets/

Andy Greenberg is a senior writer for WIRED, covering security, privacy, information freedom, and hacker culture.