Slingshot Router Malware Won't Hurt You — But Protect Yourself Anyway

Slingshot, discovered by Kaspersky Lab, is one of the more interesting pieces of recently discovered malware. From an everyday threat standpoint, it’s negligible, having infected 100 or so PCs in the last six years. However, from an international conspiracy standpoint, Slingshot would feel right at home in a spy thriller.


Here’s what Kaspersky Lab discovered, in an exhaustive 25-page research paper (and a much more digestible FAQ): Slingshot is a piece of malware that can compromise any device on a network, down to the deepest kernel levels. However, it doesn’t live on PCs or smartphones; the malware installs directly onto routers, particularly those from Latvian manufacturer Mikrotik.


How to Protect Yourself

Even if you’re not running a Mikrotik router, Kaspersky allowed that “some victims may have been infected through other routes.” If you haven’t updated your router firmware recently (or ever), now is as good a time to do that as any. Check out our guide to keeping routers up-to-date, and make sure that you repeat the process once every month or two. Slingshot is by no means the only router-centric threat out there.

Remember that even though it’s not easy to see what your router does directly, it’s responsible for every piece of Internet traffic that travels through your home or workplace. It doesn’t matter how thoroughly you’ve protected your computer; if your router’s firmware has holes in it, cybercriminals could draft your computer into a botnet, force it to mine cryptocurrency or just steal all of your social media, email and financial logins.

How Slingshot Happened

The exact attack vector is not clear, but Slingshot replaced a Mikrotik program called Winbox with a compromised, nearly identical version. This software could then — through a process that’s too complex and involved to explain in brief — gather any information that goes through the router’s network, and exfiltrate it to a foreign server.

Interestingly, this doesn’t appear to be a concentrated Latvian effort at data-sniffing. Kaspersky Lab called Slingshot “very expensive, complex and well-designed,” as well as “professional and probably state-sponsored.” The 100 or so computers targeted were all located in Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, the Democratic Republic of the Congo, Turkey, Sudan and the United Arab Emirates.

The company didn’t hazard a direct guess as to which organization might have programmed it, but contextual clues led researchers to believe that the Slingshot masterminds are both native English-speakers and J.R.R. Tolkien aficionados. The CIA, MI5 or a similar organization is not out of the question.

Mikrotik does sell a handful of routers in the U.S., but even if you’re one of the twelve or so people who own one, there’s no evidence that Slingshot has targeted any systems in the West.

Still, as is the case with so many routers, the problem isn’t Mikrotik’s firmware, per se — it’s that no one ever updates his or her router. Mikrotik’s latest router firmware patches the hole that allowed Slingshot to take root. If you’re running a Mikrotik router and haven’t updated the firmware in the last, well, six years, you should download the appropriate package from its website.

Marshall Honorof
