Russian-speaking hackers with the cyberespionage group Turla have found a way to exploit weaknesses in global satellite networks to steal data while disguising the locations of their computers, the security firm Kaspersky Lab has revealed.
Researchers at the firm said the hacking group, which has infected hundreds of computers in nearly four dozen countries over its eight-plus years of operation, has found an “exquisite” way to steal information by infecting the computers of Internet users connecting via satellite.
The strategy allows Turla — also sometimes called “Snake” or “Uroburos” — to appropriate the IP identities of legitimate satellite Internet users, and use their connections to exfiltrate data, usually without the users’ knowledge. Stolen data is directed to Turla’s command-and-control servers, which are used to deploy malware on victims’ machines.
Another factor that makes it hard for investigators to locate Turla’s members is their choice of IP addresses: the group concentrates on addresses belonging to satellite Internet service providers in the Middle East and Africa. These operators rarely operate in Europe or North America, making it difficult for security researchers — many of whom are based in the EU or U.S. — to investigate attacks.
‘Exquisite’ Hacking Strategy
“When you are an APT (advanced persistent threat) group, you need to deal with many different problems,” Kaspersky researcher Stefan Tanase said on the company’s SecureList blog. “One of them, and today perhaps the biggest, is the constant seizure and takedown of domains and servers used for command-and-control (C&C).”
C&C servers are constantly at risk of being shut down, either by law enforcement officials or ISPs, Tanase noted. They can also sometimes be used to trace hackers back to their physical locations, he said.
“Some of the most advanced threat actors or users of commercial hacking tools have found a solution to the takedown problem — the use of satellite-based Internet links,” Tanase said. “The most interesting and unusual of them is the Turla group.” Turla uses an “exquisite satellite-based C&C mechanism” in the latter part of its attacks, he added.
The group’s approach hinges on a unique aspect of satellite-based Internet communication. Used mostly in difficult-to-access locations lacking other reliable links to the Internet, satellite-based networking can be expensive. Users can mitigate their costs by using conventional connections — either wired or general packet radio service — to send incoming traffic to a satellite, then take advantage of less-expensive, downstream-only satellite connections for outgoing traffic. The trouble with downstream-only connections is that data arrives back at the requesting PC unencrypted.
Potential To Become a Larger Threat
Turla starts an attack by “listening” to downstream satellite traffic to identify active IP addresses being used to access the Internet, according to Kaspersky. The hackers then use the IP addresses to mask and direct data back to their own C&C servers. The traffic usually goes unnoticed by the target, as it’s directed to ports on their computers that are usually closed by default. Turla keeps those ports open on its own C&C servers to receive and process the stolen data.
“The links are generally up for several months, but never for too long,” Tanase said. “It is unknown if this is due to operational security limitations self-imposed by the group or because of shutdown by other parties due to malicious behavior.”
Security software can block the malware used to launch Turla attacks, the company said. “If this method becomes widespread between APT groups or worse, cybercriminal groups, this will pose a serious problem for the IT security and counter-intelligence communities,” Tanase said.
This entry passed through the Full-Text RSS service – if this is your content and you’re reading it on someone else’s site, please read the FAQ at fivefilters.org/content-only/faq.php#publishers.
