The U.S. government and Russian cybersecurity giant Kaspersky Lab are currently in the throes of a nasty legal fight that comes on top of a long-running feud over how the company has conducted itself with regard to U.S. intelligence-gathering operations.

A recent Kaspersky discovery may keep the feud alive for years to come.

On March 9, Kaspersky publicly announced a malware campaign dubbed "Slingshot." Kaspersky did not attribute Slingshot to any single country or government in its public report, describing it only as an advanced persistent threat (APT).

The complex campaign, which researchers say was active for at least six years,

Slingshot helped the military and intelligence community collect information about terrorists by infecting computers they commonly used, sources told CyberScoop. Oftentimes, these targeted computers were located within internet cafés in developing countries.

These officials, all of whom spoke on condition of anonymity to discuss a classified program, fear the exposure may cause the U.S. to lose access to a valuable, long-running surveillance program and put soldiers' lives at risk.

The disclosure comes at a difficult time for Kaspersky. The company is currently fighting the U.S. government in court after the government claimed that the Moscow-based company's software poses a national security risk due to the company's Russian government ties. Kaspersky has consistently denied any wrongdoing.

CyberScoop's reporting of JSOC's role in Slingshot provides the first known case of a SOCOM-led cyber-espionage operation.

Over the last decade, SOCOM has been instrumental in the Global War on Terror, having conducted many sensitive missions, including the one that killed former al-Qaeda leader Osama bin Laden.

A former intelligence official told CyberScoop that Kaspersky's findings had likely already caused the U.S. to abandon and "burn" some of the digital infrastructure that JSOC was using to manage the surveillance program.

" said the former intelligence official. "It happens sometimes and we're accustomed to dealing with it."

SOCOM has hackers?

While not an intelligence agency by nature, SOCOM has dabbled in cyber-operations, known inside the unit as "special reconnaissance," for some time, according to multiple academics who have examined the use of offensive cyber tools within special operations units.

As the Global War on Terror grew, most combatant commands took visible steps and received considerable funding to build out their own espionage capabilities.

"Many units within SOCOM possess independent cyber capabilities," a senior U.S. intelligence official told CyberScoop.

Throughout the past decade, SOCOM has used cyber operations in a very ad hoc manner. If cyberwarfare was used in an operation,

For instance, a group of hackers organized under the name "Computer Network Operations Squadron" (CNOS) was known to operate within JSOC circa 2007. The squadron was first written about in "Relentless Strike: The Secret History of Joint Special Operations Command," a book by journalist Sean Naylor.

Naylor wrote that CNOS staff could be stationed around the world, including at Fort Meade in Maryland and the CIA's headquarters in Langley, Virginia. CNOS had close connections to the CIA, blurring the already fuzzy line between U.S. intelligence and military organizations.

In one case mentioned in Naylor's book, CNOS infected a terrorist's computer with "keystroke recognition [software], at other times it would covertly activate a webcam if the computer had one, allowing the task force to positively identify a target."

SOCOM's exclusive structure provides an easy way to leverage long-standing intelligence programs, since it is permitted to quickly organize and deploy forces globally wherever defined rules of engagement exist.

JSOC and the CIA have a history of working together and, when combined, fit a similar profile to how Slingshot would be utilized.

a passage in Naylor's book, citing an unnamed military intelligence officer, reads.

Slingshot's ties to spies

One Kaspersky researcher involved with the Slingshot report said the malware campaign illustrated one of the most skilled and sophisticated hacking operations ever to be publicly documented.

Baumgartner, a U.S. citizen, did not author the Slingshot report. Instead, a team of four researchers based overseas, largely in Russia, is credited with writing it.

"It is one of the most technically sophisticated groups we've ever seen," said Baumgartner.

the only overlap we've seen, and I think there are people already discussing it, is there's some limited

Hacking tools tied to past Equation Group and Lambert-inspired operations were written in English, just like Slingshot. Akin to Grayfish and the Lamberts, Slingshot used a distinct software driver abuse technique to install malicious code onto targeted systems.

Broadly speaking, Kaspersky's ability to identify even the most advanced malware variants is well documented, especially within the highly competitive cybersecurity community. Most of these cases are handled by Kaspersky's heralded Global Research & Analysis Team (GReAT). It also has a vast business presence in the Middle East.

This source told CyberScoop that the Kaspersky researchers lacked context because there's "only so much that can be gleaned from technical evidence."

Even so, a cursory review provides some hints that Slingshot could be linked to U.S. spies.

The malware is composed of individual modules, each carrying a different title, like "Gollum," "Cahnadr" or "NeedleWatch," according to Kaspersky. A leaked NSA memo released in 2015 describes Gollum as a "partner implant" used by another agency aside from NSA.

Classified documents published by WikiLeaks as part of the so-called "Vault 7" dump show that the CIA has been interested in compromising Mikrotik equipment since at least 2015. Mikrotik products are popular in the Middle East and Southeast Asia.

CyberScoop spoke with several U.S. cybersecurity researchers who said they weren't surprised or angered by the fact that Kaspersky had potentially publicized a U.S. cyber-espionage operation.

Adding fuel to the fire

Complicating the matter is the lawsuit Kaspersky has filed against the U.S. government. The 2018 National Defense Authorization Act banned the use of Kaspersky products across the federal government. Kaspersky charges that the ban is unconstitutional. The ban came after numerous reports that the company's anti-virus engine was leveraged by Russian spies to remotely pilfer secret U.S. documents from systems where the software was installed. In response, Kaspersky launched a transparency effort in October 2017, which it says proves its products are not malicious.

A senior U.S. intelligence official claimed that it would be hard to believe that Kaspersky was totally unaware of what it was handling.

"It's clear by the way they wrote about this that they knew what it was being used for," said the senior official. "GReAT is extremely adept at understanding the information needs of different actors out there on the internet. They take into consideration the geopolitical circumstances, they've shown that time and time again. It would be a stretch for me to believe they didn't know what they're dealing with here."