26.03.2018 Author: Vladimir Platov

Why a Russia-based Security Firm Fell Victim of US Sanctions


Last December, Donald Trump signed a decree banning the use of Kaspersky Lab software within US government agencies. This latest iteration of anti-Russian sanctions demanded all individuals employed by Washington to wipe the world-renowned anti-virus s software off their computers within the next 90 days since the moment of signing.

However, as latest IT news show, Kaspersky Lab that received recognition for its achievements in the fight against all sorts of malware was not thrown out of the door for some sort of misbehavior or dubious activities, but as a part of ongoing Russophobic propaganda efforts we’ve been witnessing lately in the West. It’s also clear that Washington couldn’t care less about the efforts that Kaspersky Lab was taking in countering high-profile cyber-espionage and government-sponsored malicious activities in the Internet that American intelligence agencies have been engaged in a long while.

Such conclusions can be made based on the conclusions of the recently held Kaspersky Security Analyst Summit (SAS), where Kaspersky Lab experts blew the lid off about the sophisticated spy-ware program known as Slingshot. It turned out that this malware has been operational since 2012, but it took IT security firms years to spot it. And it was the Russian-based company Kaspersky Lab that exposed this spy-ware of designed by US intelligence agencies to establish total surveillance over the Internet, as it’s been noted by the The Times.

According to this British publication, Kaspersky Lab, which was deprived of the right to sell its products in American markets, uncovered this malicious software, which allows US agencies to access routers to monitor user activity across the web.

Originally, Slingshot was created by the US military to track radical Islamists who would use Internet cafes across the Middle East and North Africa to coordinate their activities. This malware was deployed in Afghanistan, Iraq, Kenya, Sudan, Somalia, Turkey and Yemen and, according to some experts, and over just six years of Slingshot getting operational a great many of both individuals and government agencies suffered across the Middle East and Africa.

This Slingshot spy-ware is similar to the program created by the NSA for establishing total surveillance in the Western segment of the Internet. Experts from CyberScoop, while citing anonymous US intelligence agents (both retired and acting), report that Slingshot is a special operation launched by the Joint Special Operations Command (JSOC), is a component of the United States Special Operations Command (USSOCOM). Researchers also agree that the algorithms used by Slingshot are similar to those used by such hacker groups as Longhorn and The Lamberts affiliated with the CIA and the NSA, developed with the tools of the two above mentioned groups that were disclosed by WikiLeaks.

CyberScoop experts and their sources believe that Kaspersky Lab couldn’t know for sure, but was suspecting that one of the countries of the Five Eyes intelligence alliance, comprising Australia, Canada, New Zealand, the United Kingdom and the United States was behind developing Slingshot.

According to cyber security experts, Slingshot is an extremely complex platform for attacks that one couldn’t develop without investing huge amount of efforts, time and money. According to those same analysts, the complexity of Slingshot makes even Project Sauron and Regin pale in comparison, which means that government-sponsored hackers could only develop something like this.

According to the statement released by Kaspersky Lab:

While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity.

The initial loader replaces the victim´s legitimate Windows library ‘scesrv.dll’ with a malicious one of exactly the same size. Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem, among others.

While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router.

What is clear that this malware is aimed at hijacking all sorts of sensible information information, including network traffic, screenshots and passwords, while monitoring its own invisibility. Re-flashing firmware doesn’t help the user to get rid of this malware, since Slingshot is capable of self-copying and employing all sorts of tricks to stay operational that haven’t been fully explored. To divert the attention of anti-virus software, Slingshot independently initiates security checks, which has been allowing it to mask its presence from 2012 on.

In recent years, Slingshot has been actively used by US intelligence agencies to establish total control over the Internet by spying after US citizens and abroad, including among Washington’s “allies.”

And given that it was Kaspersky Lab that was able to track the elaborated spy-ware that took Washington a long time to develop, it’s no wonder that Trump decided to put an end to the operations of of this Russian-based company in the United States, trying to carry on its lies about “Russian hackers” that nobody has ever seen or tracked, while carrying America’s criminal cyber espionage activities at the highest level.

Vladimir Platov, an expert on the Middle East, exclusively for the online magazine New Eastern Outlook”.

Please select digest to download: