The Slingshot cyber espionage campaign exposed recently by Kaspersky Lab is a U.S. government operation targeting members of terrorist organizations, according to a media report. Earlier this month, Kaspersky published a report detailing the activities of a threat actor targeting entities in the Middle East and Africa -- sometimes by hacking into their Mikrotik routers. The group is believed to have been active since at least 2012 and its members appear to speak English, the security firm said.
The main piece of malware used by the group has been dubbed Slingshot based on internal strings found by researchers. Kaspersky identified roughly 100 individuals and organizations targeted with the Slingshot malware, mainly in Kenya and Yemen, but also in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. CyberScoop claims to have learned from unnamed current and former U.S. intelligence officials that Slingshot is actually an operation of the U.S. military's Joint Special Operations Command (JSOC), a component of Special Operations Command (SOCOM), aimed at members of terrorist organizations such as ISIS and al-Qaeda.
SOCOM is well known for its counterterrorism operations, which can sometimes include a cyber component. CyberScoop's sources expressed concern that the exposure of the campaign may result in the U.S. losing a valuable surveillance program and it could even put the lives of soldiers at risk. The Slingshot infrastructure was likely already abandoned and "burned" following the disclosure, one former intelligence official told the publication.
Kaspersky has always insisted that its role is to protect customers against cyber threats, regardless of the source of an attack. The company typically refrains from attributing attacks, but it has exposed operations believed to be linked to Russia, China, the United States and others. In the case of Slingshot, Kaspersky has not directly attributed the campaign to the United States, but it did note that the hackers appear to speak English.
The company also pointed out that some of the techniques used by this actor are similar to ones leveraged by a group known as Longhorn and The Lamberts, which is believed to be associated with the U.S. Central Intelligence Agency (CIA). It's also worth noting that the WikiLeaks Vault7 files, which are believed to be tools developed and used by the CIA, describe a Mikrotik router exploit, although it is unclear if it's the one used in Slingshot attacks.
Another clue that shows a potential connection between Slingshot and U.S. intelligence is the use of tools and code strings referencing "Lord of the Rings" characters, including Gollum, which is also the name of an implant referenced in NSA documents leaked by Edward Snowden. Kaspersky's products were recently banned in U.S. federal agencies due to the company's alleged ties to Russian intelligence. The security firm has denied the accusations and it has taken legal action in hopes of overturning the ban.
If Slingshot really is a U.S. government operation, Kaspersky's disclosure of the campaign will likely not help its case. One senior U.S. intelligence official told CyberScoop it was unlikely that Kaspersky had been totally unaware of what it was dealing with. CyberScoop cited a source close to Kaspersky saying that researchers may have suspected a Five Eyes nation, but they couldn't have known for sure.
One of the incidents that led officials to believe Kaspersky may be linked to the Kremlin involved an NSA contractor from whose computer Russian hackers allegedly stole information on how the U.S. penetrates foreign networks and how it defends against cyberattacks. Kaspersky's analysis showed that its antivirus product did automatically upload some files related to the NSA-linked Equation Group from a user's computer, but the company said the files were deleted from its systems after it noticed that they contained classified information.
Washington - US efforts to conduct offensive and defensive operations in cyberspace are falling short, a top general warned Tuesday amid ongoing revelations about Russian hacking. General John Hyten, who leads US Strategic Command (STRATCOM), told lawmakers the US has "not gone nearly far enough" in the cyber domain, also noting that the military still lacks clear rules of cyber engagement. "We have to go much further in treating cyberspace as an operational domain," Hyten told the Senate Armed Services Committee.
"Cyberspace needs to be looked at as a warfighting domain, and if somebody threatens us in cyberspace we need to have the authorities to respond." Hyten noted, however, that the US had made some progress in conducting cyber attacks on enemies in the Middle East, such as the Islamic State group. His testimony comes weeks after General Curtis Scaparrotti, commander of NATO forces in Europe, warned that US government agencies are not coordinating efforts to counter the cyber threat from Russia, even as Moscow conducts a "campaign of destabilization."
And last month, Admiral Michael Rogers, who heads both the NSA -- the leading US electronic eavesdropping agency -- and the new US Cyber Command, said President Donald Trump had not yet ordered his spy chiefs to retaliate against Russian interference in US elections. The US has accused Russia of actively interfering in the 2016 presidential election, stealing Democratic party communications and pushing out disinformation through social media. It also accuses Moscow of stealing hacking secrets of the US intelligence community -- while US cyber security investigators have accused the Russian government of a sustained effort to take control of critical US infrastructure systems including the energy grid.
Hyten added the military needs clear authorities and rules of engagement so operators know when and how to respond to attacks.
"We need to have specific rules of engagement in cyber that match the other domains that we operate in," Hyten said.
"We need to delegate that authority all the way down so we can deal with threats that exist that challenge the United States."
A cyberespionage group believed to be operating out of Russia hijacked a Cisco router and abused it to obtain credentials that were later leveraged in attacks targeting energy companies in the United Kingdom, endpoint security firm Cylance reported on Friday. The United States last week announced sanctions against Russian spy agencies and more than a dozen individuals for trying to influence the 2016 presidential election and launching cyberattacks, including the NotPetya attack and campaigns targeting energy firms. Shortly after, US-CERT updated an alert from the DHS and FBI to officially accuse the Russian government of being responsible for critical infrastructure attacks launched by a threat actor tracked as Dragonfly, Crouching Yeti and Energetic Bear.
A warning issued last year by the UK's National Cyber Security Centre (NCSC) revealed that hackers had targeted the country's energy sector, abusing the Server Message Block (SMB) protocol and attempting to harvest victims' passwords. An investigation conducted by Cylance showed that the attacks were likely carried out by the Dragonfly group. The security firm has observed a series of phishing attacks aimed at the energy sector in the UK using two documents claiming to be resumes belonging to one Jacob Morrison.
When opened, the documents fetched a template file and attempted to automatically authenticate to a remote SMB server controlled by the attackers. This template injection technique was detailed last year by Cisco Talos following Dragonfly attacks on critical infrastructure organizations in the United States. When a malicious document is opened using Microsoft Word, it loads a template file from the attacker's SMB server.
When the targeted device connects to the SMB server, it will attempt to authenticate using the current Windows user's domain credentials, basically handing them over to the attackers. In a separate analysis of such attacks, Cylance noted that while the credentials will in most cases be encrypted, even an unsophisticated attacker will be able to recover them in a few hours or days, depending on their resources. According to Cylance, Dragonfly used this technique to harvest credentials that were later likely used to hack the systems of energy sector organizations in the United Kingdom.
One interesting aspect noticed by Cylance researchers is that the IP address of the SMB server used in the template injection attack was associated with a major state-owned energy conglomerate in Vietnam. Specifically, the IP corresponded to a core Cisco router that had reached end-of-life. "The use of compromised routing infrastructure for collection or command and control purposes is not new, but its detection is relatively rare," Cylance researchers explained. "That's because the compromise of a router very likely implicates the router's firmware and there simply aren't as many tools available to the forensic investigator to investigate them. Analysis is further challenged by the lack of system logs." "The fact that the threat actor is using this type of infrastructure is a serious and worrisome discovery, since once exploited, vulnerabilities in core infrastructure like routers are not easily closed or remediated," they added.
Dragonfly is not the only cyberespionage group to abuse routers in its attacks.
A threat actor named Slingshot, whose members appear to speak English, has targeted entities in the Middle East and Africa using hacked Mikrotik routers.