Russian hacker group taps satellite links for attacks
- By George Leopold
- Sep 10, 2015
They are called advanced persistent threat groups, and according to a new forensic analysis they are descending from the sky: using the weak security of some satellite communications to cover their tracks, they potentially threaten counter-intelligence agencies.
Among the major hurdles for so-called APT operators such as the Turla cyber-espionage group is maintaining command and control after their attacks are detected and their exploited domains and servers are shut down by ISPs. New research published by Moscow-based Kaspersky Lab concludes that Turla and other advanced users of commercial hacking tools have found a way around the terrestrial takedown problem: They are exploiting satellite-based Internet links.
Turla is a sophisticated group believed to be sponsored by the Russian government and is suspected in attacks on Eastern European governments and embassies.
In a Sept. 9 blog post, the company said it has detected the Turla group and two others using satellite links to "mask their operations." According to analyst Stefan Tanase, "What makes the Turla group special is not just the complexity of its tools…but the exquisite satellite-based [command and control] mechanism used in the latter stages of the attack."
Turla is a sophisticated cyber-espionage group that has been active for more than eight years. It is thought to be behind attacks infecting hundreds of computers in as many as 45 countries, including China, Russia and the United States. (Turla's "infection rate" in the U.S. is considered "medium," Kaspersky Lab reckons.)
The company said satellite-based attacks were first detected around 2007 but remain relatively rare. Most often, space links are used to mask attacks by placing the command and control infrastructure behind satellite Internet connections.
While satellite links are slow and unstable depending on weather conditions, the masking approach is effective "because the true location and hardware of the [command and control] server cannot be easily determined or physically seized," Tanase noted. "Satellite-based Internet receivers can be located anywhere within the area covered by a satellite."
Moreover, satellite-based Internet can often be pirated without a valid Internet subscription, and the Turla group is known to have exploited downstream links to mask its hacking operations. The technique is "highly anonymous," Tanase noted.
Kaspersky Lab said it attempted to determine whether Turla and other attackers had actually purchased satellite links or were breaching ISPs in what are known as "man-in-the-middle" attacks, in which a data stream is hijacked at the router level. It concluded that the method used by Turla is "incredibly simple and straightforward," exploiting IP addresses belonging to satellite Internet providers in the Middle East and Africa.
"The group tends to choose providers that use satellites that are limited to only covering that area of Africa," the cyber analyst reported. "This makes it extremely hard for researchers from countries outside the continent to investigate the activity of the Turla group."
Further, the analyst found that the primary means of exploiting Internet satellite services was hijacking Digital Video Broadcast-Satellite (DVB-S) links, which, unlike full-duplex satellite-based Internet signals, are unencrypted, making them ripe for abuse. That requires only a DVB-S tuner (usually in the form of a PCIe card), a satellite dish of a size and pointing appropriate to the user's location relative to the satellite, a down-converter and a computer, preferably running Linux.
"The technical method used to implement these Internet circuits relies on hijacking downstream bandwidth from various ISPs and packet-spoofing," or creating Internet Protocol packets using a phony source IP address, Tanase concluded. "If this method becomes widespread [among] APT groups or worse, cyber-criminal groups, this will pose a serious problem for the IT security and counter-intelligence communities."
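The defensive consequence of the method described above is that the command and control server cannot be located, but the traffic toward it still leaves the victim's network and lands in address space that belongs to satellite Internet providers. The following script, added here as an illustration and not taken from the article or from Kaspersky Lab, shows one way a network defender can make such traffic visible: it matches outbound connection records against a list of satellite-ISP prefixes and reports hosts that contact the same satellite-hosted address repeatedly, the pattern a beaconing implant produces. The prefixes (reserved TEST-NET ranges) and the log lines are constructed stand-ins, not real provider allocations or real traffic.

```python
"""Flag egress connections into satellite-ISP address space (constructed example)."""
import ipaddress
from collections import Counter

# PLACEHOLDER prefixes standing in for satellite ISP allocations. In practice
# these would come from the provider's published allocations or a GeoIP/ASN feed.
SATELLITE_ISP_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3, used as a stand-in
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2, used as a stand-in
]

# Constructed firewall/NetFlow-style egress records: timestamp, src, dst, dport, bytes.
SAMPLE_LOG = """\
2015-09-09T10:00:01Z src=10.1.2.5 dst=203.0.113.40 dport=80 bytes=512
2015-09-09T10:05:03Z src=10.1.2.5 dst=203.0.113.40 dport=80 bytes=498
2015-09-09T10:10:02Z src=10.1.2.5 dst=203.0.113.40 dport=80 bytes=530
2015-09-09T10:11:00Z src=10.1.2.9 dst=192.0.2.10 dport=443 bytes=2048
2015-09-09T10:15:04Z src=10.1.2.5 dst=203.0.113.40 dport=80 bytes=501
2015-09-09T10:20:00Z src=10.1.2.7 dst=198.51.100.9 dport=443 bytes=1400
"""


def parse_line(line: str) -> dict:
    """Parse one 'ts key=value key=value ...' record into a dict (timestamp under 'ts')."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_satellite_isp(ip: str) -> bool:
    """True if the address falls inside one of the satellite-ISP prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SATELLITE_ISP_PREFIXES)


def satellite_contacts(log_text: str) -> Counter:
    """Count (src, dst) pairs whose destination is in satellite-ISP space."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_satellite_isp(rec["dst"]):
            hits[(rec["src"], rec["dst"])] += 1
    return hits


def beacon_candidates(log_text: str, min_hits: int = 3) -> list:
    """Return (src, dst, count) triples that reached the repeat threshold,
    most frequent first; repeated contact with one satellite-hosted address
    is the shape of C&C beaconing and deserves triage."""
    hits = satellite_contacts(log_text)
    cands = [(src, dst, n) for (src, dst), n in hits.items() if n >= min_hits]
    return sorted(cands, key=lambda t: (-t[2], t[0], t[1]))


if __name__ == "__main__":
    for src, dst, n in beacon_candidates(SAMPLE_LOG):
        print(f"{src} -> {dst}: {n} connections into satellite-ISP space")
```

Satellite providers also serve legitimate subscribers across the regions the article names, so a match is a triage signal rather than a verdict; the threshold and the prefix list are the two knobs an analyst would tune, and a hit is worth correlating with the volume and timing regularity of the flows before escalating.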