Slingshot Malware ‘Was US Special Operations Spy Tool’

Malware discovered by Kaspersky Lab was developed by an elite group within the US military to spy on militants, officials say

A highly advanced malware strain uncovered by Kaspersky Lab earlier this month was in fact developed by an elite US military unit, which was using it to track down militants associated with Islamic State and al-Qaeda.

The malware’s link to the US military, reported by a cybersecurity news website, means Kaspersky’s report is likely to win it few friends in Washington at a time when the Moscow-based company is already under fire by US officials.

Earlier this month, Kaspersky published its findings on the ‘Slingshot’ malware, whose development it said was probably backed by an English-speaking country.

Comparing the code to malware allegedly used by the NSA, Kaspersky said it appeared to have been in use undetected for at least six years.

Special operations

The malware’s targets were in countries including Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania, Kaspersky said.

It found Slingshot used a “unique” attack vector that involved malicious drivers placed on routers made by MikroTik, but said it didn’t know how the malware initially came to be on those routers.

Now US intelligence officials have confirmed that the malware was developed by the US military’s Joint Special Operations Command (JSOC), part of Special Operations Command (SOCOM), according to a report by news site CyberScoop.

JSOC and SOCOM were established in the 1980s to coordinate elite missions, including the strike that killed Osama bin Laden. Neither is primarily focused on intelligence-gathering, and Slingshot is the first known case of SOCOM leading a cyber-espionage operation.

The malware was used to support JSOC’s missions against militants connected with extremist groups in the Middle East, CyberScoop said, citing unnamed current and former US intelligence officials.

‘Kill it all with fire’

The code was placed on computers commonly used by militants, such as machines in internet cafes, in order to monitor their communications.

The officials said Kaspersky’s disclosure has probably led JSOC to destroy the digital infrastructure it had been using to manage the programme.

Standard procedure is to “kill it all with fire once you get caught”, said a former official.

“It happens sometimes and we’re accustomed to dealing with it,” the person said. “But it still sucks … I can tell you this didn’t help anyone.”

The US government has targeted the use of Kaspersky’s products in the US in recent months, with FBI officials allegedly urging companies there to stop using the software due to national security concerns.

In October of last year anonymous sources told reporters that Russian hackers had used Kaspersky Lab software to hack the system of an NSA employee and steal sensitive information.

Kaspersky has called such claims part of a smear campaign.

This week the company confirmed it’s planning to open a data centre in Europe this year to address “transparency” issues.

Reports citing internal Kaspersky documents claimed the ‘transparency centre’ would be located in Switzerland.