A recently published Kaspersky Lab report that exposed a sophisticated, six-year cyber-espionage campaign targeting the Middle East and Africa disrupted an active counter-terrorism operation, according to a news article this week by CyberScoop, citing current and former US intelligence officials.
The APT campaign, called Slingshot, leveraged compromised routers and possibly Windows exploits to infect targets with advanced spyware. With kernel-level access, the implant could collect screenshots, keystrokes, network traffic, passwords, USB connection activity, desktop activity, clipboard contents, personal information and more. Although the Kaspersky report did not explicitly attribute the campaign to a particular actor, the company noted that clues in the actor's code and tradecraft pointed to the CIA, while the campaign itself bore some similarities to past NSA malware programmes.
As it turns out, officials reportedly told CyberScoop that the programme was the work of the Joint Special Operations Command (JSOC), a component of the US Department of Defense's Special Operations Command (SOCOM). JSOC is not traditionally known for engaging in cyber-activity.
Reportedly, JSOC's Slingshot campaign used malware components called GollumApp and Canhadr to exfiltrate information from computers that terrorists commonly use in internet cafes. A former intelligence official was quoted in the news report as saying the US has likely already abandoned and burned the digital infrastructure behind the campaign following Kaspersky's exposé.
Officials are reportedly worried that the US may have lost a valuable surveillance programme that helped protect its soldiers, a concern that could make the relationship between Kaspersky and the US even frostier. Congress and the Department of Homeland Security have already banned federal use of Kaspersky products over fears they were being used by Russia to spy on American assets.