Turla cyberespionage group exploits satellite Internet links for anonymity

The group routes traffic to their command-and-control servers through hijacked DVB-S Internet connections

A cyberespionage group of Russian origin that targets governmental, diplomatic, military, educational and research organizations is hijacking satellite-based Internet connections in order to hide their servers from security researchers and law enforcement agencies.

The group is known as Epic Turla, Snake or Uroburos and even though some of its operations were first uncovered in February 2014, it has been active for at least eight years.

The group is known for using highly sophisticated malware for both Windows and Linux operating systems, as well as multistage proxies for bypassing network segmentation and isolation mechanisms.

According to a new report released Wednesday by Kaspersky Lab, the Turla group also has another trick up its sleeve: the hijacking of one-way Internet connections over the DVB-S (Digital Video Broadcasting - Satellite) standard.

DVB-S Internet links are still used in some regions of the world where high-speed Internet infrastructure is absent or not well developed.

When using such a connection, the computer requests Internet content over a conventional Internet link, but receives the data from a satellite through a parabolic antenna. With such connections the uplink speed is much slower compared to the downlink one.

The problem is that when a satellite transmits data packets in the wide DVB-S frequency range, those packets are unencrypted and are broadcast to the entire region of the world covered by that satellite. This allows someone with a powerful antenna to intercept and read packets intended for a receiver located far away, for example in a different country.

The Turla attackers are exploiting this weakness in order to hide the real location of their command-and-control servers, researchers from Kaspersky Lab said in their report.

First, the attackers choose the IP (Internet Protocol) address of a person who uses a satellite-based Internet connection and then they configure the domain names for their command-and-control servers to point to that address.

The infected computers will then attempt to contact the unsuspecting user's IP address in order to send stolen data or receive instructions. The traffic will be sent to the user's ISP and will be broadcast through a satellite, at which point the attackers, who are sniffing the satellite connections in the region, will intercept it.

They will then send replies to the infected machines over a regular Internet connection, but make them appear as if they were sent by the satellite user's IP address. In order to do this, they need to target an ISP that doesn't protect against IP address spoofing.

The technique is not new and has been presented at security conferences in the past. However, there is evidence that suggests the Turla group has been using it since 2007.

The group prefers to abuse DVB-S Internet providers from countries in the Middle East and Africa. This makes the hijacking hard to detect by security researchers based in the U.S. or Europe since the targeted satellite beams cannot be monitored from those regions.
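One check a defender can run against the scheme described above, written as an added example that is not from the article or from Kaspersky's report: it matches resolver or proxy logs of domain-to-IP resolutions against prefixes the defender has mapped to DVB-S providers, and flags names that land in, and rotate across, satellite-subscriber address space. All prefixes, domains and log records below are constructed placeholders, not real indicators.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: prefixes a defender has mapped to DVB-S (satellite)
# Internet providers, plus a few resolver-style records of domains that hosts
# on the network looked up. None of these values come from the report.
SATELLITE_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),   # hypothetical DVB-S ISP A
    ipaddress.ip_network("198.51.100.0/25"),  # hypothetical DVB-S ISP B
]

# (timestamp, domain, resolved_ip) as a resolver or proxy would log them
DNS_LOG = [
    ("2015-09-09T08:00:00Z", "updates.example-cdn.net", "192.0.2.10"),
    ("2015-09-09T08:05:00Z", "news.example-c2.org",    "203.0.113.45"),
    ("2015-09-09T14:05:00Z", "news.example-c2.org",    "198.51.100.77"),
    ("2015-09-10T08:05:00Z", "news.example-c2.org",    "203.0.113.91"),
    ("2015-09-10T09:00:00Z", "portal.example-gov.net", "192.0.2.22"),
]

def in_satellite_space(ip):
    """True when the address falls inside a known DVB-S provider prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SATELLITE_PREFIXES)

def find_satellite_c2_candidates(records, min_hits=1):
    """Return {domain: sorted list of satellite IPs} for domains that resolve
    into satellite-subscriber address space. Because the attackers point C2
    names at an arbitrary satellite user's address, a name that repeatedly
    lands in such prefixes, and moves between them, deserves a closer look."""
    hits = defaultdict(set)
    for _ts, domain, ip in records:
        if in_satellite_space(ip):
            hits[domain].add(ip)
    return {d: sorted(ips) for d, ips in hits.items() if len(ips) >= min_hits}

def summarize(candidates):
    """Short triage lines, most distinct satellite IPs first."""
    lines = []
    for domain, ips in sorted(candidates.items(), key=lambda kv: -len(kv[1])):
        note = "rotating across satellite IPs" if len(ips) > 1 else "single satellite IP"
        lines.append(f"{domain}: {len(ips)} satellite resolution(s), {note}: {', '.join(ips)}")
    return lines

if __name__ == "__main__":
    for line in summarize(find_satellite_c2_candidates(DNS_LOG)):
        print(line)
```

A single hit is weak on its own, since legitimate satellite subscribers exist; the signal sharpens when the same name rotates across several satellite-provider prefixes over a short period.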

The method is technically easy to implement and provides better anonymity to attackers than renting a virtual private server from a hosting company or using a hacked server for command and control, the Kaspersky researchers said.

Other APT (advanced persistent threat) groups have been seen using satellite-based Internet links in the past, including Italian surveillance software maker Hacking Team and two cyberespionage groups known as Xumuxu and Rocket Kitten.

"If this method becomes widespread between APT groups or worse, cyber-criminal groups, this will pose a serious problem for the IT security and counter-intelligence communities," the Kaspersky researchers said.
