Hacking Campaign named ‘Slingshot’ infects entire networks through MikroTik routers

Researchers at Kaspersky Lab, the multinational cybersecurity and anti-virus provider, have revealed 'Slingshot', a state-sponsored cyber-espionage campaign that has compromised at least 100 computers and networks since 2012.

The newly discovered group's toolset is nicknamed 'Slingshot' after a string found in the attack code, and it may be the most sophisticated in a series of similar cyber-attacks seen over the course of the last decade. The complexity of the scheme required a great deal of money and time, and the tooling is highly innovative and engineered to leave very little room for error.

The attack was delivered primarily through MikroTik routers, which are managed with Winbox Loader, an application developed by MikroTik itself so that Windows users can configure their routers conveniently. The feature that makes the tool so easy to use, and, as it turns out, to abuse, is that it downloads the DLLs (dynamic link libraries) it needs from the router's own file system and loads them into the Windows process on the administrator's computer. 'Slingshot' replaced one of those libraries on the router with a malicious one, so that the next administrator who connected with Winbox fetched and ran attacker code, with no visible symptoms along the way. The lesson for anyone designing or deploying management software is that a client which loads unsigned code from the device it manages extends full trust to that device: whoever controls the router controls the management PC.
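The trust problem in the previous paragraph, as an added example that is not part of the article and not MikroTik's Winbox code: a client that fetches libraries from the device it manages can only safely load them if it checks them against hashes it already holds. The library names, hashes and byte strings below are constructed for the demo; a real client would take the pins from a vendor-signed release manifest, or verify code signatures, rather than from the router it is about to trust.

```python
"""Hash-pinned loading of libraries fetched from a managed device.

Added example, not Kaspersky's or MikroTik's code. A management client
that downloads DLLs from the device it manages would otherwise load them
blindly; here every library is checked against a SHA-256 pin the client
shipped with, and a single bad library aborts the session. All names,
hashes and byte blobs are constructed for the demo.
"""
import hashlib
import hmac

# Constructed "genuine" library bodies. In practice the pins come from the
# vendor's signed release manifest, never from the device itself.
_GENUINE_NET = b"MZ\x90\x00genuine-network-plugin-v1"
_GENUINE_UI = b"MZ\x90\x00genuine-ui-plugin-v1"

PINNED_HASHES = {
    "network.dll": hashlib.sha256(_GENUINE_NET).hexdigest(),
    "ui.dll": hashlib.sha256(_GENUINE_UI).hexdigest(),
}


def classify_module(name, data, pins=PINNED_HASHES):
    """Return 'ok', 'unknown' or 'tampered' for one fetched library."""
    expected = pins.get(name)
    if expected is None:
        # The device offered a library the client never shipped: refuse it.
        return "unknown"
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison so the check does not leak how much matched.
    return "ok" if hmac.compare_digest(actual, expected) else "tampered"


def load_from_device(fetched, pins=PINNED_HASHES):
    """Simulate the client's loader.

    `fetched` maps library name -> bytes as downloaded from the device.
    Returns (loaded_names, rejected) where rejected maps name -> reason.
    Only modules whose hash matches the pin would be handed to the OS
    loader; if any module fails, nothing is loaded, because a device that
    serves one tampered file is not a partially trusted peer.
    """
    loaded, rejected = [], {}
    for name, data in fetched.items():
        verdict = classify_module(name, data, pins)
        if verdict == "ok":
            loaded.append(name)
        else:
            rejected[name] = verdict
    if rejected:
        return [], rejected
    return loaded, {}


# Constructed download sets: a clean device, and a Slingshot-style one where
# a legitimate library name carries attacker-replaced contents and an extra
# file has been planted on the device.
CLEAN_DEVICE = {"network.dll": _GENUINE_NET, "ui.dll": _GENUINE_UI}
TAMPERED_DEVICE = {
    "network.dll": b"MZ\x90\x00stage1-downloader",  # same name, different code
    "ui.dll": _GENUINE_UI,
    "helper.dll": b"MZ\x90\x00never-shipped",  # not in the client's manifest
}

if __name__ == "__main__":
    print(load_from_device(CLEAN_DEVICE))
    print(load_from_device(TAMPERED_DEVICE))
```

The pinned hashes must live on the client side (or in a manifest signed by a key the client already trusts); fetching the expected hashes from the same router that serves the libraries would let the attacker rewrite both and defeat the check.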

The attackers' end goal is to gather personal information of every kind, in every type of file: screenshots, text, messages, passwords and multimedia files can all be stolen or intercepted by 'Slingshot'.

Here is where it gets interesting, though. Two things make this operation stand out. First, infecting a router is a relatively rare attack vector but an effective one: a compromised router sits in the path of every device behind it and, in this case, can push code onto the computer of any administrator who connects to manage it.

Secondly, Kaspersky reports that half of the infected devices were found in Kenya, while the rest were scattered across Greece, Turkey, Tanzania, Yemen, Iran, Iraq, Libya, Jordan, Mauritius, the United Arab Emirates, Tunisia and Somalia. If you have not made the connection yet, those are all countries where Internet cafes are still common, and a quick search shows that the majority of Internet cafes there are equipped with MikroTik routers, because they are more affordable and easier to set up.

So let's see what we have so far. 'Slingshot' is a highly sophisticated attack that requires time, effort and money to pull off successfully. Text clues strongly, though not conclusively, indicate that the people responsible are English speakers. At the same time, the geopolitical profile of the affected countries points to one thing they all have in common: an active terrorism problem.

With that said, experts at Kaspersky speculate that the operator could well be one of the Five Eyes countries keeping an eye on terrorism. A bold statement, certainly, but also quite a probable one.

Alexey Shulmin, lead malware analyst at Kaspersky Lab, said in an interview: "We think the developers of the malware decided to infect the victims from routers because they wanted to stay undetected. A compromised router can be very hard to detect … During the past years, we have seen several high-profile cases where router malware was involved".

This attack has clearly taken on political and national dimensions, and Kaspersky, which is leading the research on the case, seems reluctant to point fingers with absolute certainty. Whatever the case may be, we know one thing for sure: the names Gollum and Smeagol were found in the malware modules, so the hackers must be Lord of the Rings fans. And that might be the only thing we cannot blame them for!


Published : Mar 14 2018