Routers, both the big corporate kind and the small one gathering dust in the corner of your home, have long made an attractive target for hackers. They’re always on and connected, often full of unpatched security vulnerabilities, and offer a convenient chokepoint for eavesdropping on all the data you pipe out to the internet. Now security researchers have found a broad, apparently state-sponsored hacking operation that goes a step further, using hacked routers as a foothold to drop highly sophisticated spyware even deeper inside a network, onto the computers that connect to those compromised internet access points.
Researchers at security firm Kaspersky on Friday revealed a long-running hacking campaign, which they call “Slingshot,” that they believe planted spyware on more than a hundred targets in 11 countries, mostly in Kenya and Yemen. The hackers gained access to the deepest level of victim computers’ operating system, known as the kernel, taking full control of target machines. And while Kaspersky’s researchers haven’t yet determined how the spyware initially infected the majority of those targets, in some cases the malicious code had been installed via small-business-grade routers sold by the Latvian firm MikroTik, which the Slingshot hackers had compromised.
Unlike previous router-hacking campaigns that have used routers themselves as eavesdropping points—or the far more common home router hacks that use them as fodder for distributed-denial-of-service attacks aimed at taking down websites—the Slingshot hackers appear to have instead exploited routers’ position as a little-scrutinized foothold that can spread infections to sensitive computers within a network, allowing deeper access to spies. Infecting a router at a business or coffee shop, for instance, would then potentially give access to a broad range of users.
“It’s quite an overlooked place,” says Kaspersky researcher Vicente Diaz. “If someone is performing a security check of an important person, the router is probably the last thing they’ll check… It’s quite easy for an attacker to infect hundreds of these routers, and then you have an infection inside their internal network without much suspicion.”
Infiltrating Internet Cafes?
Kaspersky research director Costin Raiu offered one theory as to Slingshot’s targets: Internet cafes. MikroTik routers are particularly popular in the developing world, where internet cafes remain common. And while Kaspersky detected the campaign’s spyware on machines using consumer-grade Kaspersky software, the routers it targeted were designed for networks of dozens of machines. “They’re using home user licenses, but who has 30 computers at home?” Raiu says. “Maybe not all are internet cafes, but some are.”
The Slingshot campaign, which Kaspersky believes persisted undetected for the last six years, exploits MikroTik’s “Winbox” software, which is designed to run on the user’s computer to allow them to connect to and configure the router, and in the process downloads a collection of dynamic link library, or .dll, files from the router to the user’s machine. When infected with Slingshot’s malware, a router includes a rogue .dll in that download that transfers to the victim’s machine when they connect to the network device.
‘It’s quite easy for an attacker to infect hundreds of these routers.’
Vicente Diaz, Kaspersky
That .dll serves as the foothold on the target computer, and then itself downloads a collection of spyware modules onto the target PC. Several of those modules function, like most programs, in normal “user” mode. But another, known as Cahnadr, runs with deeper kernel access. Kaspersky describes that kernel spyware as the “main orchestrator” of Slingshot’s multiple PC infections. Together, the spyware modules have the ability to collect screenshots, read information from open windows, read the contents of the computer’s hard drive and any peripherals, monitor the local network, and log keystrokes and passwords.
Kaspersky’s Raiu speculates that perhaps Slingshot would use the router attack to infect an internet cafe administrator’s machine and then use that access to spread to the PCs it offered to customers. “It’s quite elegant, I think,” he added.
An Unknown Infection Point
Slingshot still presents plenty of unanswered questions. Kaspersky doesn’t actually know if routers served as the initial point of infection for many of the Slingshot attacks. It also concedes that it’s not exactly sure how the initial infection of the MikroTik routers took place in the cases where they were used, though it points to one MikroTik router hacking technique mentioned last March in WikiLeaks’ Vault7 collection of CIA hacking tools known as ChimayRed.
MikroTik responded to that leak in a statement at the time by pointing out that the technique didn’t work in more recent versions of its software. When WIRED asked MikroTik about Kaspersky’s research, the company pointed out that the ChimayRed attack also required the router’s firewall to be disabled, which would otherwise be on by default. “This did not affect many devices,” a MikroTik spokesperson wrote in an email to WIRED. “Only in rare cases would somebody misconfigure their device.”
Kaspersky, for its part, emphasized in its blog post on Slingshot that it hasn’t confirmed whether it was the ChimayRed exploit or some other vulnerability that hackers used to target MikroTik’s routers. But they do note that the latest version of MikroTik routers don’t install any software on the user’s PC, removing Slingshot’s path to infect its target computers.
As murky as Slingshot’s penetration technique may be, the geopolitics behind it may be even thornier. Kaspersky says it’s not able to determine who ran the cyberespionage campaign. But they note that its sophistication suggests that it’s the work of a government, and that textual clues in the malware’s code suggest English-speaking developers. Aside from Yemen and Kenya, Kaspersky also found targets in Iraq, Afghanistan, Somalia, Libya, Congo, Turkey, Jordan and Tanzania.
All of that—particularly just how many of those countries have seen active US military operations—suggests that Kaspersky, a Russian firm often accused of ties to Kremlin intelligence agencies whose software is now banned from US government networks, might be outing a secret hacking campaign carried out by the US government, or one of its “Five-Eyes” allies of English-speaking intelligence partners. But Slingshot could also be the work of French, Israeli, or even Russian intelligence services seeking to keep tabs on terrorism hotspots.
Kaspersky, for its part, insists that it doesn’t know who’s responsible for the Slingshot campaign, and seeks to protect its customers. “Our golden rule is we detect malware and it doesn’t matter where it comes from,” says Kaspersky researcher Alexei Shulmin.
Regardless of who’s behind the attack, the hackers may have already been forced to develop new intrusion techniques, now that MikroTik has removed the feature they had exploited. But Kaspersky warns that the spyware campaign nonetheless serves as a warning that sophisticated state-sponsored hackers aren’t just aiming at traditional infection points like PCs and servers as they look for any machine that can let them bypass the armor of their targets. “Our visibility is too partial. We don’t look at networking devices,” says Diaz. “It’s a convenient place to slide under the radar.”