A recently published Kaspersky Lab report that exposed a sophisticated, six-year cyber espionage campaign targeting the Middle East and Africa disrupted an active counterterrorism operation, according to a news article this week by CyberScoop, citing current and former U.S. intelligence officials.
The APT campaign, called Slingshot, leveraged compromised routers and likely Windows exploits to infect targets with advanced spyware that provided kernel-level access to screenshots, keyboard activity, network data, passwords, USB connections, desktop activity, clipboard contents, personal information and more. Although the Kaspersky report didn’t explicitly attribute the campaign to a particular actor, the company noted that clues in the actor’s code and techniques pointed to the CIA, while the campaign itself bore some similarities to past NSA malware programs.
As it turns out, officials reportedly told CyberScoop the program was the work of the Joint Special Operations Command (JSOC), a component of the Department of Defense’s Special Operations Command (SOCOM), a unit not traditionally known for engaging in cyber activity.
Reportedly, JSOC’s Slingshot campaign was leveraging malware called GollumApp and Canhadr to exfiltrate information from computers that terrorists commonly use in internet cafes. A former intelligence official was quoted in the news report as saying the U.S. has likely already abandoned and burned the digital infrastructure behind the campaign, following Kaspersky’s exposé.
Officials reportedly worry the U.S. may have lost a valuable surveillance program that helped protect its soldiers, a concern that could make the relationship between Kaspersky and the U.S. even frostier, after Congress and the Department of Homeland Security banned the federal use of Kaspersky products over fears they were being used by Russia to spy on American assets.