Cyber-espionage taken to another level, physically

Sep 9, 2015 20:19 GMT

For the past eight years, the Turla APT (Advanced Persistent Threat) group has kept its infrastructure out of reach of law enforcement and security firms. Kaspersky Lab now claims to have identified one of the ways it did so: hijacking satellite Internet links to hide the location of its C&C (command-and-control) servers.

Turla, a cyber-espionage group which many suspect is made up of Russian-speaking hackers, has been active since 2007, but Kaspersky's researchers only managed to shed light on its operations last year.

After another year of sifting through data collected from its customers, Kaspersky's Stefan Tanase says that, by abusing a weakness in the design of older satellite Internet services, the attackers are able to intercept Internet traffic and use it to hide the location of their C&C servers.

An intro into satellite communications

Satellites have been used for decades to relay communications across the globe, reaching regions that undersea and land cables do not (though with far higher latency than fibre). They carry TV, radio, mobile data and, above all, Internet traffic.

Many of the satellites in orbit are decades old, and the Internet services built on them were designed without encryption of the downlink, a safeguard that has only become expected in recent years.

This design loophole is what the Turla group exploits: with nothing more than an ordinary satellite dish and receiver, anyone inside the satellite's footprint can receive the traffic sent down to every subscriber, not just their own, since the downlink is a broadcast rather than a point-to-point link.

Attackers hijack unencrypted satellite communications

How it works is quite simple. Vulnerable satellites broadcast unencrypted downstream traffic to every receiver in a given geographical area.

The Turla operators buy a satellite dish to receive that traffic, set up somewhere inside the satellite's coverage area, and also obtain an ordinary landline Internet connection, since the dish only receives and cannot send.

Turla's method of operation

As traffic comes down from the satellite, the Turla operators sniff it to see which subscriber addresses are online at that moment and pick one of them.

Using their landline connection, the attackers then point the implants on infected machines at that IP. The stolen data travels over the ordinary Internet to the satellite provider, which routes it down over the satellite link to the unsuspecting subscriber, and at the same time to everyone else in the footprint who happens to be listening.

This is where the sneaky part comes in. Because the downlink is unencrypted, the Turla operators get the effect of a MitM (man-in-the-middle) attack without touching the connection at all: the satellite itself delivers a copy of every packet addressed to that IP straight to their dish.

The implants are configured to connect to ports that are normally closed on the subscriber's machine, so the subscriber never notices anything: their computer simply rejects the packets arriving on the closed port, while the attackers' receiver has already captured the same packets off the downlink.
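To make the sequence above concrete, here is an added example (not code from the article, Kaspersky or Turla) that models both sides of the trick on a constructed packet capture: the attacker's view of the broadcast downlink, which subscribers are online and which implant beacons land on the borrowed address, and the check a satellite ISP could run at its hub to spot an address being borrowed. The subscriber block 41.10.0.0/16, the beacon port 10443 and the three-source alert threshold are assumptions made for the illustration.

```python
"""Model of the satellite-downlink C&C hijack described above.

Added example; not code from the article, Kaspersky, or Turla. Every packet
record is constructed for this illustration, and the 41.10.0.0/16 subscriber
block, the beacon port 10443 and the alert threshold are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags: "S" SYN, "SA" SYN-ACK, "R" RST


SUBSCRIBER_NET = "41.10."   # assumed address block of the satellite ISP
BEACON_THRESHOLD = 3        # distinct sources hitting one closed port

# Constructed two-way capture at the satellite ISP hub. Every packet whose
# dst is a subscriber goes out over the broadcast downlink, where any dish
# in the footprint can read it; RSTs from subscribers travel the return path.
CAPTURE = [
    # ordinary browsing by two online subscribers
    Pkt("41.10.1.5", 51000, "93.184.216.34", 443, "S"),
    Pkt("93.184.216.34", 443, "41.10.1.5", 51000, "SA"),
    Pkt("41.10.7.9", 52000, "198.51.100.7", 80, "S"),
    Pkt("198.51.100.7", 80, "41.10.7.9", 52000, "SA"),
    # implants on three unrelated networks beaconing to 41.10.1.5:10443,
    # a port the subscriber's machine does not listen on
    Pkt("203.0.113.10", 40001, "41.10.1.5", 10443, "S"),
    Pkt("41.10.1.5", 10443, "203.0.113.10", 40001, "R"),
    Pkt("203.0.113.20", 40002, "41.10.1.5", 10443, "S"),
    Pkt("41.10.1.5", 10443, "203.0.113.20", 40002, "R"),
    Pkt("198.51.100.99", 40003, "41.10.1.5", 10443, "S"),
    Pkt("41.10.1.5", 10443, "198.51.100.99", 40003, "R"),
    # one scanner probing a closed port: noise, not a hijack
    Pkt("192.0.2.50", 40004, "41.10.7.9", 23, "S"),
    Pkt("41.10.7.9", 23, "192.0.2.50", 40004, "R"),
]


def is_subscriber(ip: str) -> bool:
    return ip.startswith(SUBSCRIBER_NET)


def downlink(pkts):
    """What a dish in the footprint receives: every packet addressed to a subscriber."""
    return [p for p in pkts if is_subscriber(p.dst)]


def active_subscribers(pkts) -> set:
    """Attacker's first step: a subscriber address seen on the downlink is
    online right now, so it can be borrowed as a C&C address."""
    return {p.dst for p in downlink(pkts)}


def harvest(pkts, cnc_ip: str, port: int) -> list:
    """Attacker's payoff: beacons to the borrowed address arrive at the dish
    off the air while the subscriber's host rejects them. Returns the implant
    addresses seen, without the attackers having sent a single packet."""
    return sorted({p.src for p in downlink(pkts)
                   if p.dst == cnc_ip and p.dport == port and p.flags == "S"})


def hijack_candidates(pkts, threshold: int = BEACON_THRESHOLD) -> dict:
    """Defender's check at the ISP hub: a subscriber that keeps receiving SYNs
    on one port from many distinct sources, yet answers each with RST, is
    being used as a borrowed C&C address. Returns {(subscriber, port): sources}."""
    rejected = {(p.src, p.sport, p.dst, p.dport)
                for p in pkts if p.flags == "R" and is_subscriber(p.src)}
    sources = defaultdict(set)
    for p in pkts:
        if (p.flags == "S" and is_subscriber(p.dst)
                and (p.dst, p.dport, p.src, p.sport) in rejected):
            sources[(p.dst, p.dport)].add(p.src)
    return {key: sorted(v) for key, v in sources.items() if len(v) >= threshold}


if __name__ == "__main__":
    print("online subscribers seen on downlink:", sorted(active_subscribers(CAPTURE)))
    print("beacons harvested for 41.10.1.5:10443:", harvest(CAPTURE, "41.10.1.5", 10443))
    print("hijack candidates at the hub:", hijack_candidates(CAPTURE))
```

The attacker-side functions deliberately read only `downlink()`, because a receive-only dish never sees the subscriber's RSTs; the hub-side check needs both directions, which is why it belongs with the satellite provider rather than with the subscriber, who has no idea the traffic was ever addressed to them.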

C&C servers that are almost impossible to trace

Meanwhile, the attackers receive the data sent by the implants without ever exposing an IP address of their own.

Since a satellite footprint can cover a large part of a continent, the operators can also sit hundreds of kilometres away from the subscriber whose address they are borrowing, so even locating that subscriber does not locate them.

This gives them near-total anonymity of a kind that Tor or classic proxy servers cannot match: there is no server to seize and no chain of hops to unwind, only a subscriber who knows nothing about it.

Africa is a favorite target for hiding Turla C&C servers

As Kaspersky points out, analysing the group's activity is also very hard for researchers, because it hijacks satellites whose coverage is limited to regions of Africa and the Middle East.

By choosing satellites in these regions, the group ensures that researchers face many obstacles in gaining access to the data they would need to analyse.

Additionally, the satellites serving these regions tend to be older models, which gives the group a broader pool to choose from than in Europe or North America, where newer satellites offer faster connections but also support encrypted communications.

Image gallery: Turla APT operations breakdown (4 images): Hackers use satellites to hide C&C traffic; Turla's method of operation; Turla's favorite targets.