Turla cyberespionage group exploits satellite Internet links for anonymity


The group routes traffic to their command-and-control servers through hijacked DVB-S Internet connections

A cyberespionage group of Russian origin that targets governmental, diplomatic, military, educational and research organizations is hijacking satellite-based Internet connections in order to hide their servers from security researchers and law enforcement agencies.

The group is known as Epic Turla, Snake or Uroburos and even though some of its operations were first uncovered in February 2014, it has been active for at least eight years.

The group is known for using highly sophisticated malware for both Windows and Linux operating systems, as well as multistage proxies for bypassing network segmentation and isolation mechanisms.

According to a new report released Wednesday by Kaspersky Lab, the Turla group also has another trick up its sleeve: the hijacking of one-way Internet connections over the DVB-S (Digital Video Broadcasting Satellite) standard.

DVB-S Internet links are still used in some regions of the world where high-speed Internet infrastructure is absent or not well developed.

When using such a connection, the computer requests Internet content over a conventional Internet link, but receives the data from a satellite through a parabolic antenna. With such connections the uplink speed is much slower compared to the downlink one.

The problem is that when a satellite transmits data packets in the wide DVB-S frequency range, those packets are unencrypted and are broadcast to the entire region of the world covered by that satellite. This allows someone with a powerful antenna to intercept and read packets intended for a receiver located far away, for example in a different country.

The Turla attackers are exploiting this weakness in order to hide the real location of their command-and-control servers, researchers from Kaspersky Lab said in their report.

First, the attackers choose the IP (Internet Protocol) address of a person who uses a satellite-based Internet connection and then they configure the domain names for their command-and-control servers to point to that address.

The infected computers will then attempt to contact the unsuspecting user's IP address in order to send stolen data or receive instructions. The traffic will be sent to the user's ISP and will be broadcast through a satellite at which point the attackers, who are sniffing the satellite connections in the region, will intercept it.

They will then send replies to the infected machines over a regular Internet connection, but make them appear as if they were sent by the satellite user's IP address. In order to do this, they need to target an ISP that doesn't protect against IP address spoofing.
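The spoofed replies only leave the attackers' network if their ISP forwards packets whose source address was never assigned to that customer. The added example below (not from the article or the Kaspersky report) models the source-address validation an ISP edge can apply, the ingress filtering described in BCP 38. The port names, the prefix table and all addresses are constructed, using documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

# Constructed prefix table: which source prefixes each customer-facing
# port is allowed to send from (RFC 5737 documentation ranges).
CUSTOMER_PREFIXES = {
    "port-1": [ipaddress.ip_network("192.0.2.0/28")],
    "port-2": [ipaddress.ip_network("192.0.2.16/28"),
               ipaddress.ip_network("198.51.100.0/24")],
}

@dataclass(frozen=True)
class Packet:
    ingress_port: str  # customer port the packet arrived on
    src: str           # claimed source address
    dst: str

def source_is_valid(pkt, table=CUSTOMER_PREFIXES):
    """True only if src lies in a prefix assigned to the ingress port."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False  # malformed source address: never forward
    return any(src in net for net in table.get(pkt.ingress_port, []))

def filter_packets(packets, table=CUSTOMER_PREFIXES):
    """Split packets into (forwarded, dropped) by source validation."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_valid(pkt, table) else dropped).append(pkt)
    return forwarded, dropped

# Constructed traffic. SATELLITE_USER_IP stands in for the address of the
# unsuspecting satellite subscriber that the C&C domain resolves to.
SATELLITE_USER_IP = "203.0.113.77"
SAMPLE = [
    Packet("port-1", "192.0.2.5", "198.51.100.9"),        # own address
    Packet("port-1", SATELLITE_USER_IP, "198.51.100.9"),  # spoofed reply
    Packet("port-2", "198.51.100.40", "192.0.2.5"),       # second prefix
    Packet("port-3", "192.0.2.5", "198.51.100.9"),        # unknown port
    Packet("port-2", "192.0.2.5", "198.51.100.9"),        # wrong port
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE)
    for p in drop:
        print(f"DROP {p.ingress_port}: src {p.src} not assigned to this port")
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
```

With this check in place at the sending ISP, the reply that claims the satellite user's address is dropped before it reaches the infected machine.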

The technique is not new and has been presented at security conferences in the past. However, there is evidence that suggests the Turla group has been using it since 2007.

The group prefers to abuse DVB-S Internet providers from countries in the Middle East and Africa. This makes the hijacking hard to detect by security researchers based in the U.S. or Europe since the targeted satellite beams cannot be monitored from those regions.

The method is technically easy to implement and provides better anonymity to attackers than renting a virtual private server from a hosting company or using a hacked server for command and control, the Kaspersky researchers said.

Other APT (advanced persistent threat) groups have been seen using satellite-based Internet links in the past, including Italian surveillance software maker Hacking Team and two cyberespionage groups known as Xumuxu and Rocket Kitten.

"If this method becomes widespread between APT groups or worse, cyber-criminal groups, this will pose a serious problem for the IT security and counter-intelligence communities," the Kaspersky researchers said.

