Routers, both the big corporate kind and the small one gathering dust in the corner of your home, have long made an attractive target for hackers. They're always on and connected, often full of unpatched security vulnerabilities, and offer a convenient chokepoint for eavesdropping on all the data you pipe out to the internet. Now security researchers have found a broad, apparently state-sponsored hacking operation that goes a step further, using hacked routers as a foothold to drop highly sophisticated spyware even deeper inside a network, onto the computers that connect to those compromised internet access points.

Researchers at security firm Kaspersky on Friday revealed a long-running hacking campaign, which they call "Slingshot," that they believe planted spyware on more than a hundred targets in 11 countries, mostly in Kenya and Yemen. The hackers gained access to the deepest level of victim computers' operating system, known as the kernel, taking full control of target machines. And while Kaspersky's researchers haven't yet determined how the spyware initially infected the majority of those targets, in some cases the malicious code had been installed via small-business-grade routers sold by the Latvian firm MikroTik, which the Slingshot hackers had compromised.

Unlike previous router-hacking campaigns that have used routers themselves as eavesdropping points—or the far more common home router hacks that use them as fodder for distributed-denial-of-service attacks aimed at taking down websites—the Slingshot hackers appear to have instead exploited routers' position as a little-scrutinized foothold that can spread infections to sensitive computers within a network, allowing deeper access to spies. Infecting a router at a business or coffee shop, for instance, would then potentially give access to a broad range of users.

"It’s quite an overlooked place," says Kaspersky researcher Vicente Diaz. "If someone is performing a security check of an important person, the router is probably the last thing they’ll check... It’s quite easy for an attacker to infect hundreds of these routers, and then you have an infection inside their internal network without much suspicion."

Infiltrating Internet Cafes?

Kaspersky research director Costin Raiu offered one theory as to Slingshot's targets: Internet cafes. MikroTik routers are particularly popular in the developing world, where internet cafes remain common. And while Kaspersky detected the campaign's spyware on machines using consumer-grade Kaspersky software, the routers it targeted were designed for networks of dozens of machines. "They're using home user licenses, but who has 30 computers at home?" Raiu says. "Maybe not all are internet cafes, but some are."

The Slingshot campaign, which Kaspersky believes persisted undetected for the last six years, exploits MikroTik's "Winbox" software, which runs on the user's computer to let them connect to and configure the router, and in the process downloads a collection of dynamic link library, or .dll, files from the router to the user's machine. When a router is infected with Slingshot's malware, it includes a rogue .dll in that download, which is transferred to the victim's machine when they connect to the network device.
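The delivery path described above rests on a client that loads executable modules handed to it by a network device. One defensive check a practitioner can apply to any such cache is an integrity audit: hash every module that was fetched and compare it against an allowlist of known-good digests, flagging anything unexpected or altered. The following is an added example, not code from Kaspersky, MikroTik or the article; the module names, contents and cache layout are constructed for illustration and do not describe Winbox's real files.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed allowlist: SHA-256 of each module the client is expected to
# receive. In practice this would be built from a trusted, offline copy.
ALLOWLIST: Dict[str, str] = {
    "module_a.dll": hashlib.sha256(b"constructed legitimate module A").hexdigest(),
    "module_b.dll": hashlib.sha256(b"constructed legitimate module B").hexdigest(),
}

# Constructed snapshot of what a fetch from a tampered device might yield:
# one module intact, one modified in transit, and one that was never expected.
FETCHED: Dict[str, bytes] = {
    "module_a.dll": b"constructed legitimate module A",
    "module_b.dll": b"constructed legitimate module B with injected payload",
    "extra.dll": b"constructed unexpected module",
}


@dataclass
class Finding:
    name: str
    status: str            # "ok", "modified", "unknown" or "missing"
    sha256: Optional[str]  # None when the file was expected but absent


def audit_fetched_modules(fetched: Dict[str, bytes],
                          allowlist: Dict[str, str]) -> List[Finding]:
    """Compare every fetched module against the allowlist.

    Returns one Finding per module seen or expected, sorted by name within
    each group, so the result is deterministic and easy to log or alert on.
    """
    findings: List[Finding] = []
    for name, data in sorted(fetched.items()):
        digest = hashlib.sha256(data).hexdigest()
        if name not in allowlist:
            findings.append(Finding(name, "unknown", digest))
        elif allowlist[name] != digest:
            findings.append(Finding(name, "modified", digest))
        else:
            findings.append(Finding(name, "ok", digest))
    # Modules that should have arrived but did not are also worth a look.
    for name in sorted(set(allowlist) - set(fetched)):
        findings.append(Finding(name, "missing", None))
    return findings


def suspicious(findings: List[Finding]) -> List[Finding]:
    """Only the findings that indicate a module was added or altered."""
    return [f for f in findings if f.status in ("unknown", "modified")]


if __name__ == "__main__":
    for f in audit_fetched_modules(FETCHED, ALLOWLIST):
        print(f"{f.status:<9} {f.name}  {f.sha256 or '-'}")
```

Running the block prints one line per module; the two entries reported as `unknown` and `modified` are the ones an analyst would pull for inspection. The same structure works for any client that accepts code from a peer it did not build itself: the allowlist is the policy, and the audit is the detection.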


That .dll serves as the foothold on the target computer, and then itself downloads a collection of spyware modules onto the target PC. Several of those modules function, like most programs, in normal "user" mode. But another, known as Cahnadr, runs with deeper kernel access. Kaspersky describes that kernel spyware as the "main orchestrator" of Slingshot's multiple PC infections. Together, the spyware modules have the ability to collect screenshots, read information from open windows, read the contents of the computer's hard drive and any peripherals, monitor the local network, and log keystrokes and passwords.

Kaspersky's Raiu speculates that perhaps Slingshot would use the router attack to infect an internet cafe administrator's machine and then use that access to spread to the PCs it offered to customers. "It’s quite elegant, I think," he added.

An Unknown Infection Point

Slingshot still presents plenty of unanswered questions. Kaspersky doesn't actually know if routers served as the initial point of infection for many of the Slingshot attacks. It also concedes that it’s not exactly sure how the initial infection of the MikroTik routers took place in the cases where they were used, though it points to one MikroTik router hacking technique mentioned last March in WikiLeaks' Vault7 collection of CIA hacking tools known as ChimayRed.