Saturday, September 12, 2015

Hackers Spying on the US and Europe through Satellites



When you are an APT group, you need to deal with many different problems. One of them, and perhaps the biggest, is the constant seizure and takedown of domains and servers used for command-and-control (C&C). These servers are constantly appropriated by law enforcement or shut down by ISPs. Sometimes they can be used to trace the attackers back to their physical locations.

Some of the most advanced threat actors or users of commercial hacking tools have found a solution to the takedown problem — the use of satellite-based Internet links. In the past, we’ve seen three different actors using such links to mask their operations. The most interesting and unusual of them is the Turla group.

Also known as Snake or Uroburos, names which come from its top-class rootkit, the Turla cyber-espionage group has been active for more than 8 years. Several papers have been published about the group’s operations, but until the Epic Turla research was published by Kaspersky Lab, little information was available about the more unusual aspects of their operations, such as the first stages of infection through watering-hole attacks.

What makes the Turla group special is not just the complexity of its tools, which include the Uroburos rootkit, aka “Snake”, as well as mechanisms designed to bypass air gaps through multi-stage proxy networks inside LANs, but the exquisite satellite-based C&C mechanism used in the latter stages of the attack.

In this blog, we hope to shed more light on the satellite-based C&C mechanisms that APT groups, including the Turla/Snake group, use to control their most important victims. As the use of these mechanisms becomes more popular, it’s important for system administrators to deploy the correct defense strategies to mitigate such attacks.

Security firm Kaspersky has discovered a group of sophisticated Russian-speaking hackers who are secretly siphoning sensitive data via satellite links from installations in the United States and Europe.

A group of malicious hackers are using commercial satellites to tap into sensitive information from diplomatic and military agencies across Europe and the United States, according to a report in the Washington Post.

Kaspersky also contends that the Russian-speaking hackers are using the satellite links both to exfiltrate data and to hide their own location.

The revelation was made in a blog post by Kaspersky Lab.

The hackers behind the sophisticated spying operation are known as Turla, reveals Kaspersky Lab. Turla relies on older satellite Internet services because their downstream traffic is broadcast back to Earth unencrypted: anyone inside the satellite’s coverage area with a dish and a DVB-S receiver card can capture it. These services are sold by satellite ISPs around the world, whose subscribers have no idea that their connections are being borrowed for espionage.

Here is how the satellite hijacking scheme works:
  • Turla locates and infects a target’s computer by planting malware on a website the target frequents. The computer is compromised when it visits the malicious site, a so-called ‘watering hole’ attack.
  • Once on the machine, the implant is pointed (via its C&C domain name) at the Internet address of a legitimate satellite ISP subscriber who happens to be online at the time, and the stolen data is sent to that address.
  • Because the satellite broadcasts its downstream traffic unencrypted over its whole coverage area, Turla’s own dish receives the packets addressed to that subscriber; the subscriber’s equipment simply drops the unexpected packets. Turla then answers the victim over a conventional link, spoofing the subscriber’s address as the source, so the victim never sees anything but the hijacked IP.
  • The receiving station can sit anywhere inside the satellite beam, which stretches thousands of miles, so the C&C endpoint cannot be pinned to a physical location.
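The defensive consequence of the scheme above is that a C&C name will resolve into a satellite ISP’s address space and, since a hijacked address is only usable while the real subscriber is online, the name tends to wander across that space over time. The following script, added here as an illustration and not code from Kaspersky or from the Turla report, triages constructed proxy log lines against a list of satellite-ISP prefixes. The prefixes are RFC 5737 documentation ranges standing in for real satellite-provider allocations, and the log format is an assumption; a real deployment would load the provider ranges and adapt the parser to its own logs.

```python
import ipaddress
from collections import defaultdict

# Placeholder prefixes standing in for satellite-ISP allocations (assumption:
# a real deployment would load the providers' published ranges instead).
SATELLITE_ISP_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed log lines, one outbound connection each:
# "<timestamp> <client_ip> <queried_domain> <resolved_ip> <dest_port>"
SAMPLE_LOG = """\
2015-09-10T08:01:12 10.0.5.21 update.example-cdn.net 93.184.216.34 443
2015-09-10T08:03:40 10.0.5.21 cache.example-svc.com 203.0.113.17 80
2015-09-10T11:19:02 10.0.5.21 cache.example-svc.com 203.0.113.90 80
2015-09-11T07:55:31 10.0.5.21 cache.example-svc.com 198.51.100.5 80
2015-09-11T09:12:00 10.0.7.3 mail.example-corp.com 192.0.2.10 993
2015-09-11T10:40:18 10.0.7.3 portal.example-sat.net 203.0.113.200 443
"""


def parse_log(text):
    """Parse whitespace-separated connection records; skip malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, client, domain, dest, port = fields
        try:
            dest_ip = ipaddress.ip_address(dest)
            port = int(port)
        except ValueError:
            continue
        records.append({"ts": ts, "client": client, "domain": domain,
                        "dest": dest_ip, "port": port})
    return records


def in_satellite_space(ip):
    """True if the address lies inside one of the satellite-ISP prefixes."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in SATELLITE_ISP_RANGES)


def satellite_connections(records):
    """Every connection whose destination is in satellite-ISP space."""
    return [r for r in records if in_satellite_space(r["dest"])]


def churning_domains(records, min_distinct=2):
    """Domains that resolved to several different satellite-space addresses.

    A hijacked satellite IP is only usable while the legitimate subscriber
    is online, so the operators re-point the C&C name as subscribers come
    and go; a name that walks across satellite-ISP space is the signal.
    """
    seen = defaultdict(set)
    for r in satellite_connections(records):
        seen[r["domain"]].add(str(r["dest"]))
    return {d: ips for d, ips in seen.items() if len(ips) >= min_distinct}


def triage(text):
    """Return (flagged_connection_count, {domain: sorted satellite IPs})."""
    records = parse_log(text)
    flagged = satellite_connections(records)
    churn = {d: sorted(ips) for d, ips in churning_domains(records).items()}
    return len(flagged), churn


if __name__ == "__main__":
    count, churn = triage(SAMPLE_LOG)
    print(f"{count} connections into satellite-ISP space")
    for domain, ips in churn.items():
        print(f"rotating C&C candidate: {domain} -> {', '.join(ips)}")
```

A single hit in satellite-ISP space is weak evidence on its own (some sites legitimately talk to satellite subscribers), which is why the second check looks for a name that has resolved to more than one such address; in the sample only cache.example-svc.com trips it.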

Turla, the Cyberespionage Group
Turla’s activities were first exposed last year; the Russian-speaking group has run cyber-espionage campaigns in more than 45 countries against over 500 victims.

Stefan Tanase, a senior security researcher at Kaspersky Lab who penned the blog post, revealed that Turla, a name shared with the malware family the group deploys, has targeted embassies, military, research and pharmaceutical organizations as well as other government agencies.

The list of targeted countries includes:
The United States
Russia
Kazakhstan
China
Vietnam and more.

According to Tanase, the goal of the campaigns is to gather political and strategic intelligence from many countries using methods rarely seen elsewhere.

Tanase also revealed that Turla has used this satellite-hijacking technique for at least eight years, showing a level of skill, sophistication and creativity seldom seen among other hacker groups.

“For us, it was very surprising,” he said, speaking to the Washington Post.

“We’ve never seen a malicious operation that hijacked satellite connections to obtain data and to cover its tracks. This is the first group that we believe has done it. It allows you to achieve a much greater level of anonymity.”


For more details: https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/