{
	"id": "0ea48edc-fb90-4664-bc5d-e8432da9d755",
	"created_at": "2026-04-06T01:29:49.119168Z",
	"updated_at": "2026-04-10T03:31:17.764785Z",
	"deleted_at": null,
	"sha1_hash": "0be7ab4b364e68af4b5f2a115518ffe8771be84b",
	"title": "Kaspersky’s ‘Slingshot’ report burned an ISIS-focused intelligence operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58006,
	"plain_text": "Kaspersky’s ‘Slingshot’ report burned an ISIS-focused intelligence\r\noperation\r\nBy Chris Bing, Patrick Howell O'Neill\r\nPublished: 2018-03-20 · Archived: 2026-04-06 00:09:13 UTC\r\nThe U.S. government and Russian cybersecurity giant Kaspersky Lab are currently in the throes of a nasty legal\r\nfight that comes on top of a long-running feud over how the company has conducted itself with regard to U.S.\r\nintelligence-gathering operations.\r\nA recent Kaspersky discovery may keep the feud alive for years to come.\r\nCyberScoop has learned that Kaspersky researchers recently exposed an active, U.S.-led counterterrorism cyber-espionage operation. According to current and former U.S. intelligence officials, the operation was used to target\r\nISIS and al-Qaeda members.\r\nOn March 9, Kaspersky publicly announced a malware campaign dubbed “Slingshot.” According to the\r\ncompany’s researchers, the campaign compromised thousands of devices through breached routers in various\r\nAfrican and Middle Eastern countries, including Afghanistan, Iraq, Kenya, Sudan, Somalia, Turkey and Yemen.\r\nKaspersky did not attribute Slingshot to any single country or government in its public report, describing it only as\r\nan advanced persistent threat (APT). But current and former U.S. intelligence officials tell CyberScoop that\r\nSlingshot represents a U.S. military program run out of Joint Special Operations Command (JSOC), a component\r\nof Special Operations Command (SOCOM).\r\nThe complex campaign, which researchers say was active for at least six years, allowed for the spread of highly\r\nintrusive malware that could siphon large amounts of data from infected devices.\r\nSlingshot helped the military and intelligence community collect information about terrorists by infecting\r\ncomputers they commonly used, sources told CyberScoop. Oftentimes, these targeted computers would be\r\nlocated within internet cafés in developing countries. ISIS and al-Qaeda targets would use internet cafés to send\r\nand receive messages, the sources said.\r\nThese officials, all of whom spoke on condition of anonymity to discuss a classified program, fear the exposure\r\nmay cause the U.S. to lose access to a valuable, long-running surveillance program and put soldiers’ lives at risk.\r\nThe disclosure comes at a difficult time for Kaspersky. The company is currently fighting the U.S. government in\r\ncourt after the government claimed that the Moscow-based company’s software poses a national security risk due\r\nto the company’s Russian government ties. Kaspersky has consistently denied any wrongdoing.\r\nCyberScoop’s reporting of JSOC’s role in Slingshot provides the first known case of a SOCOM-led cyber-espionage operation. The command is better known for leading physical missions that place elite soldiers on the\r\nhttps://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/\r\nPage 1 of 5\n\nground in hostile territories. Over the last decade, SOCOM has been instrumental in the Global War on Terror,\r\nhaving conducted many sensitive missions, including the one that killed former al-Qaeda leader Osama bin Laden.\r\nSlingshot, CyberScoop has learned, is a complement to JSOC’s physical missions.\r\nA former intelligence official told CyberScoop that Kaspersky’s findings had likely already caused the U.S. to\r\nabandon and “burn” some of the digital infrastructure that JSOC was using to manage the surveillance program.\r\n“SOP [standard operating procedure] is to kill it all with fire once you get caught,” said the former intelligence\r\nofficial. “It happens sometimes and we’re accustomed to dealing with it. But it still sucks … I can tell you this\r\ndidn’t help anyone.”\r\nSOCOM has hackers?\r\nWhile not an intelligence agency by nature, SOCOM has dabbled in cyber-operations — known inside the unit\r\nas “special reconnaissance” — for some time, according to multiple academics who have examined the use of\r\noffensive cyber tools within special operations units. Most of these operations would usually combine elements of\r\nhuman (HUMINT) and signals intelligence (SIGINT) in order to catch terrorists.\r\nAs the Global War on Terror grew, most combatant commands took visible steps and received considerable\r\nfunding to build out their own espionage capabilities. One of the military organizations which benefited most from\r\nthis explosive growth in resources was SOCOM, a unit that many describe as the “tip of the spear” when it comes\r\nto military operations.\r\n“Many units within SOCOM possess independent cyber capabilities,” a senior U.S. intelligence official told\r\nCyberScoop.\r\nThroughout the past decade, SOCOM has used cyber operations in a very ad hoc manner. If cyberwarfare was\r\nused in an operation, SOCOM has either received support from U.S. Cyber Command or relied on smaller\r\nsquadrons within various units.\r\nFor instance, a group of hackers organized under the name “Computer Network Operations Squadron” (CNOS)\r\nwas known to operate within JSOC command circa 2007. Though headquartered in Northern Virginia, CNOS\r\nhelped coordinate missions where on-the-ground agents in the Middle East — and sometimes undercover\r\noperatives — would infiltrate internet cafés and local telecommunications firms. The squadron was first written\r\nabout in “Relentless Strike: The Secret History of Joint Special Operations Command,” a book by journalist Sean\r\nNaylor.\r\nNaylor wrote that CNOS staff could be stationed around the world, including at Fort Meade in Maryland and\r\nCIA’s Langley, Virginia, headquarters. CNOS had close connections to CIA, blurring the already fuzzy line\r\nbetween U.S. intel and military organizations.\r\nIn one case mentioned by Naylor’s book, CNOS infected a terrorist’s computer with “keystroke recognition\r\n[software], at other times it would covertly activate a webcam if the computer had one, allowing the task force to\r\npositively identify a target.”\r\nThe Slingshot program found by Kaspersky had similar capabilities.\r\nSOCOM’s exclusive structure provides an easy way to leverage long-standing intelligence programs, since it is\r\npermitted to quickly organize and deploy forces globally wherever defined rules of engagement exist. Teams like\r\nCNOS, as described by Naylor, are usually able to work closely with intelligence agencies in foreign, undefined\r\nwar-zones after receiving approval from the appropriate regional combatant commands and the Pentagon.\r\nJSOC and CIA have a history of working together, and in combination they fit the profile of how Slingshot\r\nwould be used.\r\n“The military kept CNOS in JSOC ‘because we want it to operate in areas that are not necessarily … where we’re\r\ncurrently at war’ … we want it to operate around the globe [pursuing] national objectives,” a passage in Naylor’s\r\nbook, citing an unnamed military intelligence officer, reads. “[CNOS] was how the pesky networks were broken\r\nin Iraq.”\r\nSlingshot’s ties to spies\r\nOne Kaspersky researcher involved with the Slingshot report said the malware campaign illustrated one of the\r\nmost skilled and sophisticated hacking operations ever to be publicly documented. Its creators took numerous\r\nsteps to hide their identity and purpose, making Slingshot extremely difficult to study, explained Kurt\r\nBaumgartner, a principal security researcher with Kaspersky.\r\nBaumgartner, a U.S. citizen, did not author the Slingshot report. Instead, a team of four researchers based\r\noverseas, largely in Russia, is credited with writing it.\r\n“It is one of the most technically sophisticated groups we’ve ever seen,” said Baumgartner. “Most of the code is\r\nentirely unique, meaning that no one has ever seen it before … the only overlap we’ve seen, and I think there are\r\npeople already discussing it, is there’s some limited similarities maybe to Equation Grayfish and White Lambert.”\r\n“Grayfish” is a software implant associated with the “Equation Group,” an entity that is widely attributed to the\r\nNational Security Agency. The “Lamberts,” another group identified and first catalogued by Kaspersky, has been\r\nseparately linked to the CIA.\r\nHacking tools tied to past Equation Group and Lambert-inspired operations were written in English, just like\r\nSlingshot. Like Grayfish and the Lamberts, Slingshot used a distinctive driver-abuse technique to load\r\nmalicious code onto targeted systems. They are the only three documented APTs to use this exact same driver\r\nabuse method.\r\nBroadly speaking, Kaspersky’s ability to identify even the most advanced malware variants is well-documented,\r\nespecially within the highly competitive cybersecurity community. Most of these cases are handled by\r\nKaspersky’s heralded Global Research \u0026 Analysis Team (GReAT). The Russian company is known for\r\nemploying some of the best malware reverse engineers and analysts in the entire industry.\r\nIt also has a vast business presence in the Middle East. Slingshot was discovered through the company’s work in\r\nthat region.\r\nA source close to Kaspersky Lab told CyberScoop that while some researchers may have thought Slingshot was\r\nthe work of a “Five Eyes” nation — a term used to describe an intelligence alliance between Australia, Canada,\r\nNew Zealand, the United Kingdom and the U.S. — they couldn’t have known for sure. This source told\r\nCyberScoop that the Kaspersky researchers lacked context because there’s “only so much that can be gleaned\r\nfrom technical evidence.”\r\nQuestions sent to the Russian company regarding whether it knew about Slingshot’s U.S. military origin went\r\nunanswered.\r\nEven so, a cursory review offers some hints that Slingshot could be linked to U.S. spies.\r\nThe malware is composed of individual modules, each carrying a different title, like “Gollum,” “Cahnadr” or\r\n“NeedleWatch,” according to Kaspersky. A leaked NSA memo released in 2015 describes Gollum as a “partner\r\nimplant” used by another agency aside from NSA. The memo, circulated between Five Eyes nations, talks about\r\nthe need to create an accessible data pipeline that pulls information from infected computers where an active\r\nimplant is hidden.\r\nIn addition to “Gollum,” the way Slingshot exploits routers made by Latvian company Mikrotik could perhaps be\r\ntraced back to another spy agency: the CIA. Classified documents published by WikiLeaks as part of the so-called\r\n“Vault 7” dump show that the CIA has been interested in compromising Mikrotik equipment since at least 2015.\r\nMikrotik products are popular in the Middle East and Southeast Asia.\r\nSpokespeople for the Office of the Director of National Intelligence, NSA and Special Operations Command\r\n(SOCOM) all declined to comment.\r\nAdding fuel to the fire\r\nCyberScoop spoke with several U.S. cybersecurity researchers who said they weren’t surprised or angered by the\r\nfact that Kaspersky had potentially publicized a U.S. cyber-espionage operation.\r\nThese experts, who asked for anonymity because they feared blowback for speaking publicly, said that it’s only\r\nnatural for Kaspersky to attempt to stop cyberattacks aimed at its clients. Others who spoke to CyberScoop,\r\nhowever, including current U.S. officials, said they were angry because publicly disclosing Slingshot may\r\nput lives in danger.\r\nComplicating the matter is the lawsuit Kaspersky has filed against the U.S. government. The 2018 National\r\nDefense Authorization Act banned the use of Kaspersky products across the federal government. Kaspersky\r\ncharges that the ban is unconstitutional.\r\nThe ban comes after numerous reports that the company’s anti-virus engine was leveraged by Russian spies to\r\nremotely pilfer secret U.S. documents on systems where the software was installed. In response, Kaspersky\r\nlaunched a transparency effort in October 2017, which it says proves its products are not malicious.\r\nAt the moment, it’s not clear if the Russian company expected that its focus on Slingshot would eventually expose\r\na sensitive U.S. counterterrorism initiative.\r\nA senior U.S. intelligence official claimed that it would be hard to believe that Kaspersky was totally unaware of\r\nwhat it was handling.\r\n“It’s clear by the way they wrote about this that they knew what it was being used for,” said the senior official.\r\n“GReAT is extremely adept at understanding the information needs of different actors out there on the internet.\r\nThey take into consideration the geopolitical circumstances, they’ve shown that time and time again. It would be a\r\nstretch for me to believe they didn’t know what they’re dealing with here.”\r\nGreg Otto contributed to this report.\r\nSource: https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/"
	],
	"report_names": [
		"kaspersky-slingshot-isis-operation-socom-five-eyes"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "72aaa00d-4dcb-4f50-934c-326c84ca46e3",
			"created_at": "2023-01-06T13:46:38.995743Z",
			"updated_at": "2026-04-10T02:00:03.175285Z",
			"deleted_at": null,
			"main_name": "Slingshot",
			"aliases": [],
			"source_name": "MISPGALAXY:Slingshot",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f55c7778-a41c-4fc6-a2e7-fa970c5295f2",
			"created_at": "2022-10-25T16:07:24.198891Z",
			"updated_at": "2026-04-10T02:00:04.897342Z",
			"deleted_at": null,
			"main_name": "Slingshot",
			"aliases": [],
			"source_name": "ETDA:Slingshot",
			"tools": [
				"Cahnadr",
				"GollumApp",
				"NDriver"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e993faab-f941-4561-bd87-7c33d609a4fc",
			"created_at": "2022-10-25T16:07:23.460301Z",
			"updated_at": "2026-04-10T02:00:04.617715Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"APT-C-39",
				"Platinum Terminal",
				"The Lamberts"
			],
			"source_name": "ETDA:Longhorn",
			"tools": [
				"Black Lambert",
				"Blue Lambert",
				"Corentry",
				"Cyan Lambert",
				"Fluxwire",
				"Gray Lambert",
				"Green Lambert",
				"Magenta Lambert",
				"Pink Lambert",
				"Plexor",
				"Purple Lambert",
				"Silver Lambert",
				"Violet Lambert",
				"White Lambert"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70db80bd-31b7-4581-accb-914cd8252913",
			"created_at": "2023-01-06T13:46:38.57727Z",
			"updated_at": "2026-04-10T02:00:03.028845Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"the Lamberts",
				"APT-C-39",
				"PLATINUM TERMINAL"
			],
			"source_name": "MISPGALAXY:Longhorn",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39 ",
				"Longhorn ",
				"The Lamberts ",
				"Vault7 "
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775438989,
	"ts_updated_at": 1775791877,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0be7ab4b364e68af4b5f2a115518ffe8771be84b.pdf",
		"text": "https://archive.orkl.eu/0be7ab4b364e68af4b5f2a115518ffe8771be84b.txt",
		"img": "https://archive.orkl.eu/0be7ab4b364e68af4b5f2a115518ffe8771be84b.jpg"
	}
}