Politics Foreign Affairs Culture Fellows Program

Was Destructive ‘Slingshot’ Malware Deployed by the Pentagon?

Cybersleuths think they've uncovered a military spyware attack, with troubling implications.

Earlier this March, cyber-security firm Kaspersky Labs released information on a newly discovered, highly advanced piece of malware dubbed Slingshot. The malware targeted Latvian-made Internet routers popular in the Middle East, Africa, and Southeast Asia.

Kaspersky’s reports reveal that the malware had been active since at least 2012, and speculates that it was government-made, owing to its sophistication and its use of novel techniques rarely seen elsewhere.

Those investigating the matter further have drawn the conclusion that Slingshot was developed by the U.S. government, with some reports quoting former officials as connecting it to the Pentagon’s JSOC special forces. For those following the cyber security and malware sphere, this is a huge revelation, putting the U.S. government in the hot seat for deploying cyber attacks that harm a much greater range of innocent users beyond their intended targets.

Kaspersky’s own findings note that the code was written in English, using a driver flaw to allow the implanting of various types of spyware. Among those mentioned by Moscow-based Kaspersky was an implant named “GOLLUM,” which notably was mentioned in one of the leaked Edward Snowden documents.

Further findings suggest that Slingshot had common code with only two other known pieces of software, both malwares, which were attributed to the NSA and CIA, respectively, by analysts. Though various U.S. agencies are all denying comment, things are clearly pointing uncomfortably in their direction.

Cyberscoop, one of the first news outlets to break the story, reported a mixed reaction among officials. Some noted that Kaspersky Labs was simply doing what a security company is supposed to do. Others, however, were less agreeable, suggesting it was an intentional attempt by Kaspersky to undermine U.S. security.

The argument, as far as it goes, is that given the ostensible target areas—the Middle East, North Africa, Afghanistan—Kaspersky should have concluded it was related to the War on Terror and sat on their findings. The Trump administration already views Kaspersky as a sort of hostile actor—banning the use of Kaspersky products by any government or civilian federal contractor in December, citing Kremlin influence (a charge that has been vehemently denied by the company). This just gives them more justification for seeing Kaspersky as an adversary in the space.

Unfortunately for the Russian company, some American retailers have even followed suit, pulling the software from the shelves on the grounds that it’s Russian, and that therefore suspect.

There has been no clear evidence that Kaspersky’s software was serving as a backdoor for Russian intelligence, though it was reported last fall that sensitive documents were stolen from a National Security Agency (NSA) contractor’s laptop via its Kaspersky-made antivirus software. In a statement at the time, the company said, “Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts.” Turns out that Israeli spies, spying on the Russian spies, disclosed the intrusion to U.S. officials.

Kaspersky has consistently ranked near the top of antivirus ratings from virtually all third-party reviewers. The company has sold its products to nearly 400 million users worldwide, with 60 percent in the U.S. and Western Europe. Until now, Kaspersky was being used by several major agencies in the federal government, including the State Department and Department of Defense.

Ironically, this new Slingshot issue itself appears just to be a testament to how well the company’s security works at digging up extremely dangerous malware. It also underscores the uneasy reality that the U.S. has been engaging in its own brand of cyber warfare all along.

Any claims that a specific piece of U.S. malware—in this case, Slingshot—was targeting only al-Qaeda or ISIS bad guys is disingenuous as well. The exploit on routers is hitting an entire region, infecting an untold number of innocent people. Internet cafés are said to have been hit in this, meaning everyone going into the cafes is at risk.

Malware is not a precision munition, it hits wide targets and spreads out to bystanders. This is particularly disturbing to note if, as some reports are indicating, this malware was Pentagon in origin.

U.S. civilian government surveillance is already doing great harm to general Internet security, and does so by remaining in denial about the balance of good to harm that is being done. The U.S. military, by contrast, has shown its willingness to inflict major harm on innocents in pursuit of any war goal. As they start hitting regions with malware, all bets are off on how far it will spread.

Security companies like Kaspersky Labs only afford the private user limited protection from all of this malware, because they’re constantly playing catch-up, finding new variants and new exploits that the various pieces of software are using. Slingshot, for instance, went undetected for six solid years.

The discovery means fixes can finally be implemented for the routers and the computers. Novel exploits like this are rarely a one-time fix, however, as a slew of similar exploits from other sources tend to crop up after one gets taken out. It’s a never-ending battle.

In August, President Trump made U.S. Cyber Command a formal military command, reflecting the growing view of the Internet as a military objective. Much as America’s other battlefields result in collateral damage on the ground, the cyberwar is going to have a deleterious impact on day-to-day life in cyberspace. The big questions are how bad things will get, and how quickly.

Jason Ditz is news editor at Antiwar.com, a nonprofit organization dedicated to the cause of non-interventionism. In addition to TAC, his work has appeared in Forbes, Toronto Star, Minneapolis Star-Tribune, Providence Journal, Daily Caller, Washington Times and Detroit Free Press.