Slingshot malware that attacks routers may be state-sponsored espionage tool

Keeping up with security updates for our various connected devices could be a full-time job. Whether it’s our smartphones, our PCs, our home assistants, or other devices, seemingly not a day goes by that we don’t hear about one security vulnerability or another. This time around, it’s the most central device in our networks, the router, that’s under attack.

Kaspersky recently reported on a new, fairly sophisticated, attack on MikroTik routers that its researchers described during the company’s Security Analyst Summit. Dubbed Slingshot, the vulnerability is a rather tricky piece of malware that can collect all kinds of information from PCs that are attacked via a compromised router — including screenshots, passwords, keyboard data, and other information.

While Kaspersky notified MikroTik of the issue and that company has already resolved the vulnerability, Kaspersky believes that other routers could still be affected. What makes Slingshot so potentially dangerous is that it piggybacks on legitimate router downloads and file executions — in this case, DLL files — which are used to infect PCs with kernel-mode malware that runs on affected machines without causing crashes. This malware, dubbed Cahnadr, joins with another piece called GollumApp that gives attackers “complete control” over a PC.

Digging into the details of the vulnerability, it’s obvious that the malware is particularly sophisticated, so much so that Kaspersky’s researchers suspect it’s the work of a group that’s highly organized, professional, and indeed likely to be state-sponsored. Given the kind of information that the malware seeks out, it’s also likely that it’s designed to perform cyber-espionage, and given that it can access the system at a very low level it’s capable of stealing any kind of information that exists on an infected PC.

There’s nothing we can do in response to attacks like Slingshot other than the single most important step: make sure that all of our devices are fully updated. Installing all OS and hardware updates is more important than ever, and that’s true not just for the most visible devices we use every day, like our smartphones and PCs, but also those hidden devices like routers that can serve as attack vectors for every other device on our networks.

Kaspersky has identified a router malware, dubbed Slingshot, that attacks local PCs and steals information. It’s so sophisticated that it’s likely state-sponsored and it’s clearly aimed at cyber-espionage.