Turla cyberespionage group exploits satellite Internet links for anonymity

The group routes traffic to their command-and-control servers through hijacked DVB-S Internet connections

A cyberespionage group of Russian origin that targets governmental, diplomatic, military, educational and research organizations is hijacking satellite-based Internet connections in order to hide their servers from security researchers and law enforcement agencies.

The group, also tracked as Epic Turla, Snake or Uroburos, had some of its operations first exposed publicly in February 2014, but it has been active for at least eight years.

The group is known for using highly sophisticated malware for both Windows and Linux operating systems, as well as multistage proxies for bypassing network segmentation and isolation mechanisms.

According to a new report released Wednesday by Kaspersky Lab, the Turla group also has another trick up its sleeves: the hijacking of one-way Internet connections over the DVB-S (Digital Video Broadcasting Satellite) standard.

DVB-S Internet links are still used in some regions of the world where high-speed Internet infrastructure is absent or not well developed.

With such a connection, the computer sends its requests over a conventional terrestrial Internet link but receives the responses from a satellite through a parabolic dish. The uplink is therefore much slower than the downlink.

The problem is that the data packets the satellite transmits in the DVB-S band are unencrypted and are broadcast across the entire region covered by that satellite's beam. Anyone with a suitable dish and DVB-S receiver inside that footprint can intercept and read packets intended for a subscriber located far away, for example in a different country.

The Turla attackers are exploiting this weakness in order to hide the real location of their command-and-control servers, researchers from Kaspersky Lab said in their report.

First, the attackers pick the IP (Internet Protocol) address of a legitimate subscriber of a satellite-based Internet service whose beam they can receive with their own dish, and they point the domain names of their command-and-control servers at that address.

Infected computers then try to contact the unsuspecting subscriber's address to upload stolen data or fetch instructions. The traffic is routed by the subscriber's ISP onto the satellite downlink, where it is broadcast in the clear, so the attackers, who are listening to that beam from inside its footprint, capture it.

They then answer the infected machines over a regular Internet connection, but with packets whose source address is forged to look like the satellite subscriber's IP address. For this to work, the attackers' own upstream provider must not drop outgoing packets with spoofed source addresses (the egress filtering recommended in BCP 38); a provider that does filter would discard the forged replies at its edge. The legitimate subscriber's host also receives the victims' connection attempts, so the hijack only goes unnoticed when the targeted port is firewalled or otherwise silently dropped: a TCP reset from the real host would tear the session down.
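The following toy model, added here as an illustration and not code from Kaspersky Lab or from the Turla toolset, walks through the exchange described above with all four parties: the infected machine, the satellite ISP whose downlink is broadcast to the whole beam footprint, the legitimate subscriber whose address is borrowed, and the attacker listening with a dish and replying with a spoofed source address through a terrestrial uplink. All addresses (documentation ranges), the footprint regions, the port and the ISP policies are constructed assumptions. The model also shows the two things that break the technique: an attacker outside the beam footprint hears nothing, and an uplink provider doing BCP 38 egress filtering drops the forged reply; it further shows why the real subscriber's port must be silently filtered rather than answered with a reset.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str          # "SYN", "SYN-ACK" or "RST"
    payload: bytes = b""


@dataclass
class SatelliteISP:
    """One-way DVB-S provider (constructed). Whatever is sent to a subscriber
    is broadcast in the clear to every dish inside the beam footprint."""
    footprint: set
    subscribers: set
    dishes: list = field(default_factory=list)   # (region, receive-callback)

    def deliver(self, pkt):
        if pkt.dst not in self.subscribers:
            raise ValueError("destination is not routed over this satellite")
        for region, receive in self.dishes:
            if region in self.footprint:             # every dish in the beam hears it
                receive(pkt)


@dataclass
class UplinkISP:
    """The attacker's ordinary terrestrial provider (constructed). With BCP 38
    egress filtering it drops packets whose source is not the customer's own."""
    customer_ip: str
    bcp38: bool

    def forward(self, pkt):
        if self.bcp38 and pkt.src != self.customer_ip:
            return None                              # spoofed source dropped at the edge
        return pkt


class Victim:
    """Infected machine that resolved the C2 domain to the subscriber's IP."""
    def __init__(self, ip):
        self.ip, self.inbox = ip, []

    def receive(self, pkt):
        if pkt.dst == self.ip:
            self.inbox.append(pkt)


class Subscriber:
    """Legitimate satellite user. If the targeted port is not silently filtered,
    the host answers the stray SYN with a RST, which would kill the session."""
    def __init__(self, ip, port_filtered):
        self.ip, self.port_filtered, self.replies = ip, port_filtered, []

    def receive(self, pkt):
        if pkt.dst == self.ip and pkt.flags == "SYN" and not self.port_filtered:
            self.replies.append(Packet(self.ip, pkt.src, 0, "RST"))


class Attacker:
    def __init__(self, region, uplink):
        self.region, self.uplink, self.captured = region, uplink, []

    def receive(self, pkt):                           # dish sniffing the downlink
        self.captured.append(pkt)

    def spoofed_reply(self, syn):
        # The answer claims to come from the subscriber's IP, not the attacker's own.
        forged = Packet(syn.dst, syn.src, syn.dport, "SYN-ACK", b"task:collect")
        return self.uplink.forward(forged)


def run_hijack(attacker_region="middle_east", egress_filtering=False, port_filtered=True):
    """Returns the outcome of one hijacked C2 exchange under the given conditions."""
    sat = SatelliteISP(footprint={"middle_east", "africa"}, subscribers={"203.0.113.7"})
    victim = Victim("198.51.100.20")
    subscriber = Subscriber("203.0.113.7", port_filtered)
    attacker = Attacker(attacker_region, UplinkISP("192.0.2.99", egress_filtering))
    sat.dishes += [("middle_east", subscriber.receive), (attacker.region, attacker.receive)]

    # c2 domain (hypothetical) resolves to the subscriber's satellite IP; victim connects
    syn = Packet(victim.ip, "203.0.113.7", 10080, "SYN")
    sat.deliver(syn)
    if subscriber.replies:
        return "reset_by_real_host"
    if not attacker.captured:
        return "not_in_footprint"
    reply = attacker.spoofed_reply(attacker.captured[0])
    if reply is None:
        return "blocked_by_egress_filter"
    victim.receive(reply)
    ok = victim.inbox and victim.inbox[0].src == "203.0.113.7"
    return "hijacked" if ok else "failed"
```

Running `run_hijack()` with the defaults yields a completed exchange; moving the attacker to a region outside the beam, turning on egress filtering at the uplink, or leaving the subscriber's port unfiltered each stops it at a different point. The model ignores timing (in reality a reset from the subscriber and the forged SYN-ACK would race), which is exactly why the technique depends on choosing ports the real host never answers.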

The technique is not new and has been presented at security conferences in the past. However, there is evidence that suggests the Turla group has been using it since 2007.

The group prefers to abuse DVB-S Internet providers in countries in the Middle East and Africa. This makes the hijacking hard to detect for security researchers based in the U.S. or Europe, because the beams in question do not cover those regions and therefore cannot be monitored from there.

The method is technically easy to implement and provides better anonymity to attackers than renting a virtual private server from a hosting company or using a hacked server for command and control, the Kaspersky researchers said.

Other APT (advanced persistent threat) groups have been seen using satellite-based Internet links in the past, including Italian surveillance software maker Hacking Team and two cyberespionage groups known as Xumuxu and Rocket Kitten.

"If this method becomes widespread between APT groups or worse, cyber-criminal groups, this will pose a serious problem for the IT security and counter-intelligence communities," the Kaspersky researchers said.
