Satellites Being Used For Cyber-Attacks By Russian Hackers (Video)
Posted by: Jon Ben-Mayor on 09/10/2015 09:00 AM
[
Comments
]
Kaspersky Labs documents a Russian cyber-espionage group that is exploiting satellites in order to obscure their illegal activities.
In a press release Kaspersky says, while investigating the infamous Russian-speaking cyber-espionage actor Turla, Kaspersky Lab researchers have discovered how it’s evading detection of its activity and physical location. As a solution for anonymity, the group uses security weaknesses in global satellite networks.
Turla is a sophisticated cyber-espionage group that has been active for more than eight years. The attackers behind Turla have infected hundreds of computers in more than 45 countries including Kazakhstan, Russia, China, Vietnam and the United States. The types of organizations that have been affected include government institutions and embassies, as well as military, education, research and pharmaceutical companies. For the most high profile targets, the attackers use an extensive satellite-based communication mechanism in the later stages of the attack, which helps them to hide their traces.hile investigating the infamous Russian-speaking cyber-espionage actor Turla, Kaspersky Lab researchers have discovered how it’s evading detection of its activity and physical location. As a solution for anonymity, the group uses security weaknesses in global satellite networks.
Satellite communications are known mostly as a tool for TV broadcasting, but it can also provide access to the Internet in remote locations where all other types of Internet access are either unstable or not available at all. One of the most widespread and inexpensive types of satellite-based Internet connection is a downstream-only connection.
In a downstream-only connection, all the downstream traffic comes back to the PC unencrypted. The Turla group takes advantage of this weakness by using it to hide the location of its Command and Control servers (C&C), one of the most important parts of the malicious infrastructure. Discovering the location of such a server can lead investigators to uncover details about the actor behind an operation, so here’s how the Turla group is avoiding such risks:
The group first “listens” to the downstream from the satellite to identify active IP addresses of satellite-based Internet users who are online at that moment. They then choose an online IP address to be used to mask a C&C server, without the legitimate user’s knowledge.
The machines infected by Turla are then instructed to exfiltrate data towards the chosen IPs of regular satellite-based Internet users. The data travels through conventional lines to the satellite Internet provider’s teleports, then up to the satellite, and finally down from the satellite to the users with the chosen IPs.
Interestingly, the legitimate user whose IP address has been used by the attackers to receive data from an infected machine, will also receive these packets of data but will barely probably not notice them. This is because the Turla attackers instruct infected machines to send data to ports that, in the majority of cases, are closed by default. As a result, the PC of a legitimate user will simply drop these packets, while the Turla C&C server, which keeps those ports open, will receive and process the exfiltrated data.
Awesome!
Turla is a sophisticated cyber-espionage group that has been active for more than eight years. The attackers behind Turla have infected hundreds of computers in more than 45 countries including Kazakhstan, Russia, China, Vietnam and the United States. The types of organizations that have been affected include government institutions and embassies, as well as military, education, research and pharmaceutical companies. For the most high profile targets, the attackers use an extensive satellite-based communication mechanism in the later stages of the attack, which helps them to hide their traces.hile investigating the infamous Russian-speaking cyber-espionage actor Turla, Kaspersky Lab researchers have discovered how it’s evading detection of its activity and physical location. As a solution for anonymity, the group uses security weaknesses in global satellite networks.
Satellite communications are known mostly as a tool for TV broadcasting, but it can also provide access to the Internet in remote locations where all other types of Internet access are either unstable or not available at all. One of the most widespread and inexpensive types of satellite-based Internet connection is a downstream-only connection.
In a downstream-only connection, all the downstream traffic comes back to the PC unencrypted. The Turla group takes advantage of this weakness by using it to hide the location of its Command and Control servers (C&C), one of the most important parts of the malicious infrastructure. Discovering the location of such a server can lead investigators to uncover details about the actor behind an operation, so here’s how the Turla group is avoiding such risks:
The group first “listens” to the downstream from the satellite to identify active IP addresses of satellite-based Internet users who are online at that moment. They then choose an online IP address to be used to mask a C&C server, without the legitimate user’s knowledge.
The machines infected by Turla are then instructed to exfiltrate data towards the chosen IPs of regular satellite-based Internet users. The data travels through conventional lines to the satellite Internet provider’s teleports, then up to the satellite, and finally down from the satellite to the users with the chosen IPs.
Interestingly, the legitimate user whose IP address has been used by the attackers to receive data from an infected machine, will also receive these packets of data but will barely probably not notice them. This is because the Turla attackers instruct infected machines to send data to ports that, in the majority of cases, are closed by default. As a result, the PC of a legitimate user will simply drop these packets, while the Turla C&C server, which keeps those ports open, will receive and process the exfiltrated data.
Awesome!

Comments