More than a hundred targets in eleven countries spread across Africa and the Middle East have been compromised in a six-year hacking campaign known as ‘Slingshot’ and discovered by researchers at Kaspersky.
Slingshot, according to the researchers, infects victims through compromised routers and can run in kernel mode, giving it complete control over victims’ devices. The malware is believed to have been active since at least 2012 and was only discovered in February 2018.
In a 25-page report published on Friday, 9 March, 2018, the researchers noted that the discovery of Slingshot uncovers “another complex ecosystem where multiple components work together in order to provide a very flexible and well-oiled cyber-espionage platform. The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor.”
Kaspersky’s researchers do not yet know how the spyware initially infected the majority of the targets, which are located in countries such as Kenya, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Somalia and Tanzania. In some cases, however, the malicious code had been installed via small-business-grade routers sold by a Latvian firm called MikroTik, which the hackers had compromised.
Part of the technique abuses a MikroTik configuration utility known as Winbox, which downloads dynamic link library (DLL) files from the router’s file system as part of its normal operation. On a compromised router, one of those files, ipv4.dll, is a malicious download agent created by the Slingshot developers. Winbox transfers ipv4.dll to the target’s computer, which loads it into memory and executes it.
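Because Winbox legitimately pulls DLLs from the router, the useful check is not “is there a DLL on the router” but “is there a DLL I did not expect, or one whose size or hash has changed”. The following Python triage script is an added example, not code from Kaspersky or MikroTik: it parses a RouterOS-style `/file print` listing, flags DLL entries that are absent from or differ from a baseline, and verifies the SHA-256 of DLLs the client has fetched against a known-good manifest. The listing, the baseline, the manifest and the DLL bytes are all constructed for the example; the column layout of the listing is an assumption about RouterOS output, so adjust the regex if your firmware prints it differently.

```python
import hashlib
import re

# Constructed sample of a RouterOS "/file print" listing (not from a real device).
# The "ipv4.dll" entry mirrors the file name named in the Slingshot report.
SAMPLE_LISTING = """\
 # NAME            TYPE        SIZE CREATION-TIME
 0 flash           directory        jan/01/1970 00:00:00
 1 roteros.dll     .dll file 118784 jan/01/1970 00:00:00
 2 advtool.dll     .dll file  45056 feb/12/2018 09:14:02
 3 ipv4.dll        .dll file  36864 feb/12/2018 09:14:02
 4 autosupout.rif  .rif file  96120 mar/03/2018 11:40:19
"""

# Assumed baseline: DLL name -> size recorded on a freshly installed router.
BASELINE_DLLS = {"roteros.dll": 118784, "advtool.dll": 40960}

# One listing row: index, name, type (may contain spaces), optional size, date+time.
_ROW = re.compile(
    r"^\s*\d+\s+(?P<name>\S+)\s+(?P<type>.+?)\s+(?:(?P<size>\d+)\s+)?"
    r"(?P<time>\S+\s+\S+)\s*$"
)


def parse_file_listing(text):
    """Return a list of {name, type, size} dicts parsed from a /file print listing."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header line or anything that is not a file row
        size = int(m.group("size")) if m.group("size") else None
        entries.append({"name": m.group("name"), "type": m.group("type"), "size": size})
    return entries


def unexpected_dlls(entries, baseline):
    """Names of DLLs on the router that are not in the baseline or whose size changed."""
    flagged = []
    for e in entries:
        if not e["name"].lower().endswith(".dll"):
            continue
        expected = baseline.get(e["name"])
        if expected is None or expected != e["size"]:
            flagged.append(e["name"])
    return sorted(flagged)


def verify_dll_manifest(fetched, manifest):
    """Names of fetched DLLs whose SHA-256 is missing from or differs from the manifest.

    `fetched` maps file name -> bytes (e.g. read from the Winbox client's local
    DLL cache; the cache location is an assumption and is not modelled here).
    `manifest` maps file name -> hex SHA-256 of the known-good file.
    """
    bad = []
    for name, data in fetched.items():
        digest = hashlib.sha256(data).hexdigest()
        if manifest.get(name) != digest:
            bad.append(name)
    return sorted(bad)


# Constructed DLL contents: the manifest is built from the known-good copy only.
KNOWN_GOOD = {"roteros.dll": b"MZ\x90\x00known-good-plugin"}
MANIFEST = {n: hashlib.sha256(d).hexdigest() for n, d in KNOWN_GOOD.items()}
FETCHED = {"roteros.dll": KNOWN_GOOD["roteros.dll"],
           "ipv4.dll": b"MZ\x90\x00unknown-download-agent"}

if __name__ == "__main__":
    entries = parse_file_listing(SAMPLE_LISTING)
    print("unexpected DLLs on router:", unexpected_dlls(entries, BASELINE_DLLS))
    print("fetched DLLs failing manifest:", verify_dll_manifest(FETCHED, MANIFEST))
```

Run it against a real listing by replacing SAMPLE_LISTING with the output of `/file print` captured over SSH, and against a real client by reading the fetched DLLs into FETCHED; the baseline and manifest should come from a device and client you trust, not from the one under investigation.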
The hackers seem to have exploited the routers’ position as a little-scrutinised foothold from which infections can spread to sensitive computers within a network, giving the spies deeper access.
Vicente Diaz, one of the Kaspersky researchers, explained: “It is quite an overlooked place. If someone is performing a security check of an important person, the router is probably the last thing they will check. It is quite easy for an attacker to infect hundreds of these routers, and then you have an infection inside their internal network without much suspicion.”
Internet cafes are among the major targets of Slingshot, according to Costin Raiu, Kaspersky’s director of research. MikroTik routers are particularly popular in the developing world, where internet cafes remain common, and the targeted routers were designed for networks of dozens of machines.
A statement released to BusinessDay by Kaspersky disclosed that individuals rather than organisations appear to make up most of the victims, although some government organisations and institutions have also been targeted. Kenya and Yemen account for most of the victims observed so far.
To avoid becoming a victim, Kaspersky recommends that users of MikroTik routers upgrade to the latest software version as soon as possible to ensure protection against known vulnerabilities. It also advises individuals and businesses to use a proven corporate-grade security solution in combination with anti-targeted-attack and threat intelligence capabilities. Thirdly, companies should give security staff access to the latest threat intelligence data, which arms them with useful tools for targeted-attack research and prevention.

