Security Experts:

'Slingshot' Campaign Outed by Kaspersky is U.S. Operation Targeting Terrorists: Report

The Slingshot cyber espionage campaign exposed recently by Kaspersky Lab is a U.S. government operation targeting members of terrorist organizations, according to a media report.

Earlier this month, Kaspersky published a report detailing the activities of a threat actor targeting entities in the Middle East and Africa — sometimes by hacking into their Mikrotik routers. The group is believed to have been active since at least 2012 and its members appear to speak English, the security firm said.

The main piece of malware used by the group has been dubbed Slingshot based on internal strings found by researchers. Kaspersky identified roughly 100 individuals and organizations targeted with the Slingshot malware, mainly in Kenya and Yemen, but also in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania.

CyberScoop claims to have learned from unnamed current and former U.S. intelligence officials that Slingshot is actually an operation of the U.S. military’s Joint Special Operations Command (JSOC), a component of Special Operations Command (SOCOM), aimed at members of terrorist organizations such as ISIS and al-Qaeda. SOCOM is well known for its counterterrorism operations, which can sometimes include a cyber component.

CyberScoop’s sources expressed concern that the exposure of the campaign may result in the U.S. losing a valuable surveillance program and it could even put the lives of soldiers at risk. The Slingshot infrastructure was likely already abandoned and “burned” following the disclosure, one former intelligence official told the publication.

Kaspersky has always insisted that its role is to protect customers against cyber threats, regardless of the source of an attack. The company typically refrains from attributing attacks, but it has exposed operations believed to be linked to Russia, China, the United States and others.

In the case of Slingshot, Kaspersky has not directly attributed the campaign to the United States, but it did note that the hackers appear to speak English. The company also pointed out that some of the techniques used by this actor are similar to ones leveraged by a group known as Longhorn and The Lamberts, which is believed to be associated with the U.S. Central Intelligence Agency (CIA).

It’s also worth noting that the WikiLeaks Vault7 files, which are believed to be tools developed and used by the CIA, describe a Mikrotik router exploit, although it is unclear if it’s the one used in Slingshot attacks.

Another clue that shows a potential connection between Slingshot and U.S. intelligence is the use of tools and code strings referencing “Lord of the Rings” characters, including Gollum, which is also the name of an implant referenced in NSA documents leaked by Edward Snowden.

Kaspersky’s products were recently banned in U.S. federal agencies due to the company’s alleged ties to Russian intelligence. The security firm has denied the accusations and it has taken legal action in hopes of overturning the ban.

If Slingshot really is a U.S. government operation, Kaspersky's disclosure of the campaign will likely not help its case. One senior U.S. intelligence official told CyberScoop it was unlikely that Kaspersky had been totally unaware of what it was dealing with. CyberScoop cited a source close to Kaspersky saying that researchers may have suspected a Five Eyes nation, but they couldn’t have known for sure.

“Kaspersky Lab does not know the identity of the attackers behind the Slingshot APT or the identity of its victims. As a result of anonymized data, it's impossible for us to tell who the specific targets are. All the company can state is that our users are protected against malicious software that can spy, steal or sabotage data from their computers,” Kaspersky Lab told SecurityWeek in an emailed statement.

“Kaspersky Lab has always been very clear about our policy concerning the detection of malware: we detect and remediate all forms of malicious programs, regardless of origin or purpose. Furthermore, the company does not 'whitelist' any malware samples, not even malware used for so called 'legal surveillance'. One can easily imagine the situation in which such malware falls into the wrong hands and can be used to launch attacks against law enforcement or just regular users,” the company added.

One of the incidents that led officials to believe Kaspersky may be linked to the Kremlin involved an NSA contractor from which Russian hackers allegedly stole information on how the U.S. penetrates foreign networks and how it defends against cyberattacks. Kaspersky’s analysis showed that its antivirus product did automatically upload some files related to the NSA-linked Equation Group from a user’s computer, but the company said the files were deleted from its systems after it noticed that they contained classified information.

Related: Attribution Hell - Cyberspies Hacking Other Cyberspies

Related: The Increasing Effect of Geopolitics on Cybersecurity

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.