26.03.2018 Author: Vladimir Platov

Why a Russia-Based Security Firm Fell Victim to US Sanctions


Last December, US President Donald Trump signed into law a ban on the use of Kaspersky Lab software within US government agencies. This latest iteration of anti-Russian sanctions requires every federal agency to wipe the world-renowned anti-virus software off its computers; a Department of Homeland Security directive issued the previous September had already given agencies 90 days to do so.

However, as the latest IT news shows, Kaspersky Lab, a company recognised for its achievements in the fight against all sorts of malware, was not thrown out the door over genuine security concerns, but as part of the ongoing anti-Russia propaganda effort we have been witnessing across the West. It is also clear that Washington couldn't care less about the work Kaspersky Lab has done to counter high-profile cyber-espionage and state-sponsored malicious activity on the Internet, including activity that American intelligence agencies have been exposed as engaging in.

Such conclusions can be drawn from the recently held Kaspersky Security Analyst Summit (SAS), where Kaspersky Lab experts lifted the lid on a sophisticated spyware platform known as Slingshot. It turned out that this malware had been operational since 2012, yet it took IT security firms years to spot it. And it was the Russia-based Kaspersky Lab that exposed this spyware, which, as The Times noted, was designed by a US intelligence agency to establish sweeping surveillance over the Internet.

According to the British publication, Kaspersky Lab, now barred from US government networks, uncovered malicious software that allows US agencies to compromise routers and monitor their users' activity across the web.

Originally, Slingshot was created by the US military to track suspected terrorists who used Internet cafes across the Middle East and North Africa to coordinate their activities. The malware was deployed in Afghanistan, Iraq, Kenya, Sudan, Somalia, Turkey and Yemen, and, according to some experts, over the six years Slingshot has been operational a great many individuals and government agencies across the Middle East and Africa have been affected.

Slingshot resembles the programs the NSA has built for blanket surveillance of the Western segment of the Internet. Reporters at CyberScoop, citing anonymous US intelligence officials (both retired and serving), report that Slingshot is a special operation run by the Joint Special Operations Command (JSOC), a component of the United States Special Operations Command (USSOCOM). Researchers also note that Slingshot's techniques resemble those of the hacker groups known as Longhorn and The Lamberts, which have been linked to the CIA and the NSA on the strength of those two groups' tooling disclosed by WikiLeaks.

CyberScoop's sources believe that Kaspersky Lab could not know for certain, but suspected, that one of the countries of the Five Eyes intelligence alliance (Australia, Canada, New Zealand, the United Kingdom and the United States) was behind Slingshot's development.

According to cyber-security experts, Slingshot is an extremely complex attack platform that could not have been developed without enormous effort, time and money. The same analysts say that Slingshot's complexity makes even Project Sauron and Regin pale in comparison, which means that only a state-sponsored group could have developed something like it.

According to the statement released by Kaspersky Lab:

While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity.

The initial loader replaces the victim's legitimate Windows library 'scesrv.dll' with a malicious one of exactly the same size. Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem, among others.

While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router.

What is clear is that this malware is aimed at harvesting all sorts of sensitive information, including network traffic, screenshots and passwords, while taking care to stay hidden. Re-flashing firmware does not rid the user of this malware, since Slingshot is capable of copying itself and employs all sorts of tricks to stay operational, some of which have not been fully exposed. To sidestep anti-virus software, Slingshot runs its own checks for security products and adapts its behaviour accordingly, which allowed it to mask its presence from 2012 onward.
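The detail in Kaspersky's statement that the malicious 'scesrv.dll' is "exactly the same size" as the original is not incidental: a file-size or timestamp comparison, which is all some baseline tools do, passes a same-size replacement, whereas a cryptographic hash does not. The following Python is an added illustration of that point (not code from the article, from Kaspersky or from the Slingshot report); the library bytes, file names and the baseline are constructed here purely for the demonstration, and the checks run on a temporary copy rather than on a real System32 directory.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_library(path: str, baseline: dict) -> dict:
    """Compare a system library on disk against a recorded baseline of size and SHA-256.

    Returns the outcome of each check separately so the reader can see that a
    same-size replacement passes the size check and only fails the hash check.
    """
    size = os.path.getsize(path)
    digest = sha256_file(path)
    return {
        "size_matches": size == baseline["size"],
        "hash_matches": digest == baseline["sha256"],
        # Only the hash decides the verdict; size alone is not evidence of integrity.
        "verdict": "clean" if digest == baseline["sha256"] else "REPLACED",
    }


def demo() -> dict:
    """Record a baseline for a (constructed) legitimate DLL, overwrite it with a
    same-size tampered copy, and run the check before and after."""
    # Constructed stand-in for the legitimate library: a fake 'MZ' header plus filler.
    legit = b"MZ" + b"\x00" * 62 + b"legitimate scesrv.dll image (constructed)" + b"\x90" * 256
    # Constructed same-size replacement: overwrite ten bytes in place, length unchanged.
    tampered = bytearray(legit)
    tampered[64:74] = b"MALICIOUS!"
    tampered = bytes(tampered)
    assert len(tampered) == len(legit)

    with tempfile.TemporaryDirectory() as d:
        dll_path = os.path.join(d, "scesrv.dll")  # hypothetical location, not System32
        with open(dll_path, "wb") as f:
            f.write(legit)
        # Baseline taken while the file is known-good.
        baseline = {"size": os.path.getsize(dll_path), "sha256": sha256_file(dll_path)}
        before = check_library(dll_path, baseline)

        # Simulate the loader swapping in the same-size malicious library.
        with open(dll_path, "wb") as f:
            f.write(tampered)
        after = check_library(dll_path, baseline)

    return {"before": before, "after": after}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

On a real Windows host the baseline would come from a clean installation image or vendor catalogue rather than from the file under test, and the hash check should be paired with an Authenticode signature check (for example PowerShell's Get-AuthenticodeSignature), since an attacker who can write to System32 can also write a new "baseline" if it is stored on the same machine.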

In recent years, Slingshot has been actively used by US intelligence agencies to establish total control over the Internet, spying on US citizens and on people abroad, including among Washington's "allies."

And given that it was Kaspersky Lab that managed to track spyware that Washington had invested so many resources in developing, it is no wonder that Trump decided to put an end to the operations of this Russia-based company in the United States, while keeping up the story about "Russian hackers" that nobody has ever seen or tracked and carrying on with America's criminal cyber-espionage at the highest level.

Vladimir Platov, an expert on the Middle East, exclusively for the online magazine "New Eastern Outlook".

