According to a new analysis published by the experts at Kaspersky Lab reported that the popular Turla APT group exploited poorly secured satellite infrastructure to hide command-and-control operations.
Turla APT was active in the last decade, security experts consider it a state-sponsored group of Russian hackers involved in long-running espionage campaigns.
The Turla APT hit more than 500 victims in 45 different countries worldwide, government agencies, military and diplomatic entities are privileged targets of the group.
The exploitation of satellite-based Internet connections offers some important advantages, such as making it difficult to identify the threat actors and the location of the C&C server.
Another advantage for the usage of hijacked downstream-only links is the low cost, nearly $1,000 a year, the bad actors use them to control the infected machine.
“On the one hand, it’s valuable because the true location and hardware of the C&C server cannot be easily determined or physically seized. Satellite-based Internet receivers can be located anywhere within the area covered by a satellite, and this is generally quite large. The method used by the Turla group to hijack the downstream links is highly anonymous and does not require a valid satellite Internet subscription.
Kaspersky explained that Turla APT used to hijack satellite DVB-S (digital video broadcasting satellite) links, in a way similar to the one presented at Black Hat in 2010. This technique requires minimal equipment including a satellite dish, a low-noise block downconverter, a dedicated DVB-S tuner on a PCIe card made by TBS Technologies, and a Linux PC.
“The TBS card is particularly well-suited to this task because it has dedicated Linux kernel drivers and supports a function known as a brute-force scan which allows wide frequency ranges to be tested for interesting signals,” the researchers wrote. “Of course, other PCI or PCIe cards might work as well, while, in general the USB-based cards are relatively poor and should be avoided.”
On the other hand, the disadvantage comes from the fact that satellite-based Internet is slow and can be unstable.” states the reports.
The experts at Kaspersky speculates that the Turla APT group, like other APTs, turn to satellite-based Internet links for C&C for mainly to avoid botnet takedowns by law enforcement and ISPs.
As explained in the report, both the legitimate users and attackers use satellite communications pointing satellite dishes point to the specific satellite that is broadcasting the traffic. The principal problem when dealing with satellite communications is that packets are unencrypted allowing attackers to abuse communication channels.
“Once an IP address that is routed through the satellite’s downstream link is identified, the attackers start listening for packets coming from the internet to this specific IP,” the researchers wrote. “When such a packet is identified, for instance a TCP/IP SYN packet, they identify the source and spoof a reply packet (e.g. SYN ACK) back to the source using a conventional Internet line.”
The experts also highlighted that due to slow links, firewalls are recommended and used to simply DROP packets to closed ports instead sending back a RST or FIN packet to the source. This circumstance is exploited by attackers.
The Turla APT has been abusing DVB-S (digital video broadcasting satellite) Internet providers in the Middle East and Africa, because their satellite beams do not cover Europe or Asia, far from the prying eyes of security firms that could uncover their operations.
The use of satellite links to control botnet is not an exclusive of the Turla APT, researchers observed other APTs and security firms relying on satellites to manage their malware such as Rocket Kitten, Xumuxu, and the Italian Hacking Team.
Enjoy the report!
(Security Affairs –Turla APT, cyber espionage)