A nation-state developed a piece of malware so powerful that it can steal everything that’s happening on a computer without even being installed on the target device itself. Instead, it resides on a router. It’s called Slingshot and it was recently discovered by Kaspersky Labs. Incredibly, the malware is so powerful and sophisticated that it hid in routers for six years before finally being spotted.
That level of sophistication is likely why researchers believe a nation-state is behind the attack. And while the infected routers that have been identified will be fixed via software updates, there’s no telling how many machines may have been affected.
According to Ars Technica, the sophistication of Slingshot rivals similarly advanced malware apps, including Regin, a backdoor that infected Belgian telco Belgacom and other targets for years, and Project Sauron, a separate malware that also remained hidden for years.
The researchers don’t know precisely how Slingshot infected all of its targets, but in some cases the malicious app was planted inside MikroTik routers that Slingshot operators got access to.
“The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor,” the researchers noted in their report.
After a router is infected, the malware would load a couple of “huge and powerful” modules on the target’s computer. That includes a kernel-mode module called Cahnadr, and a user-mode module called GollumApp. The two are then able to support each other to gather data, and then send it out to the attacker. The malware was probably used for spying purposes, as it was able to log desktop activity and clipboard data, as well as collect screenshots, keyboard data, network data, passwords, and data from USB devices.
The infected computers were located primarily in Kenya and Yemen, but also in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia, and Tanzania. Targets included individuals as well as government organizations and institutions. Kaspersky did not identify the malware’s creators but said that debug messages were written in perfect English, suggesting developers spoke that language.
One incredibly sophisticated thing the malware did to conceal its existence was to use an encrypted virtual file system located in an unused part of the hard drive. The malware also encrypted all text strings in various modules directly to bypass security products. It even shut down certain components when forensic tools were in use on the device.
“Slingshot is very complex, and the developers behind it have clearly spent a great deal of time and money on its creation,” company researchers wrote. “Its infection vector is remarkable—and, to the best of our knowledge, unique.”
The US government last month banned all Kaspersky products from being used on government-issued machines, after discovering that hackers may have used the popular anti-virus product to scan for top-secret documents on targeted computers.
Kaspersky has denied that its programs had such features, or that it assisted in any way the Russian government or hackers with spying operations directed at the US government.
The company announced a variety of means meant to prove to the world that its products can’t be used to spy on targets.
The company said that it will ask independent parties to review the security of its antivirus software, Reuters explains.
The company said it’ll have outside parties review its software development, with reviews set to begin by the first quarter of 2018. The company did not say who these reviewers will be, but that they will have strong software security credentials, and they’ll be able to audit the software and source code and hunt for vulnerabilities.
“We’ve nothing to hide,” Chairman and CEO Eugene Kaspersky said. “With these actions, we’ll be able to overcome mistrust and support our commitment to protecting people in any country on our planet.”
Finally, the company will expand its vulnerability bounty program, with rewards going up to $100,000, a significant increase over the previous maximum award of $5,000.
It’ll be a while until Kaspersky can clear its name if it’ll ever be able to do it. In the meantime, you might be better off using a different antivirus program.
Reports a few days ago said that Russia used Kaspersky antivirus software to spy on various targets including US government officials and spies. The reports went on to say that the Russian antivirus tool was used to extract sensitive top-secret information from an NSA contractor who worked on sensitive materials using his home computer that had Kaspersky installed.
Now, a new damning report says that the functionality discovered in the software could not have been put there without the company’s knowledge.
Current and former US officials with knowledge of the matter told The Wall Street Journal that the Kaspersky antivirus was used to perform secret searches for specific terms including “top secret,” in addition to its usual antivirus scanning operations.
“Top secret” may be written on classified government documents, and that’s how the antivirus software might have detected sensitive material. That’s how Russian hackers used the software to steal NSA information, the report notes.
These modifications of the Kaspersky app apparently only could have been made with the company’s knowledge. “There is no way, based on what the software was doing, that Kaspersky couldn’t have known about this,” an official said.
Meanwhile, Kaspersky Lab insists that it doesn’t help the Russian government to spy on other countries. “Kaspersky Lab was not involved in and does not possess any knowledge of the situation in question, and the company reiterates its willingness to work alongside U.S. authorities to address any concerns they may have about its products as well as its systems,” the company told The Journal in a statement.
The company was founded by an engineer trained at a KGB technical school.
Israel is believed to have first alerted the US that Kaspersky was spying on computers and looking for American intelligence information. The country may have targeted Kaspersky Lab with malware of its own in 2014. In turn, the Russian company disclosed the massive security breach, without explicitly naming Israel as the perpetrator.
Since then, US intelligence agencies have been able to confirm that the antivirus software can be used to search computers for classified materials.
Last month, the Department of Homeland Security banned all federal agencies from using any Kaspersky products, a direct result of the investigation. It’s safe to say that you should consider uninstalling Kaspersky from your computers as well for the time being. Alternatively, you may also want to go ahead and install it on a computer you don’t use, and fill it up with “top secret” documents. That might keep some Kaspersky analysts busy for at least a few minutes.
Hackers working for the Russian government stole NSA plans and documents on cyber defense off a contractor’s personal computer, according to a report from the Wall Street Journal.
The article quotes sources familiar with the matter, who say that a contractor removed “highly classified material” from the NSA’s network and put it on his home computer. Hackers working for the Russian government were then able to ID the files, thanks to the contractor’s use of Russian-made antivirus software from Kaspersky Labs.
The incident occurred in 2015, according to the WSJ, but was not discovered until last year. The documents stolen included details of “how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S.”
Those stolen secrets are bad enough, but the attack would also appear to show that Russian hackers have been using commercial software to conduct wide-reaching surveillance in order to ID hacking targets. Kaspersky, a Russian company, is one of the largest vendors of consumer antivirus software in the world, with over 400 million users.
In a statement, Kaspersky Lab told the WSJ it “has not been provided any information or evidence substantiating this alleged incident, and as a result, we must assume that this is another example of a false accusation.”
The WSJ report doesn’t explain how the attack was attributed to the Russian government, nor how Kaspersky was linked to the hack. Attributing blame for hacking operations is difficult at best, and the lack of public scrutiny of this hack (compared to public attacks like WannaCry) means that attribution to the Russian government is far from certain.