Attack Group Uses Satellites for Anonymity
Thursday, September 10, 2015 @ 03:09 PM gHale
The Turla attack group is avoiding detection of its physical location of its Command and Control servers (C&C) by using weaknesses in global satellite networks, researchers said.
The attackers behind Turla, a sophisticated cyberespionage group that has been active for more than eight years, have infected hundreds of computers in more than 45 countries including Kazakhstan, Russia, China, Vietnam and the United States, said researchers at Kaspersky Lab.
The types of organizations that suffered from the attacks include governments and embassies, as well as military, education, research and pharmaceutical companies. For the most high profile targets, the attackers use an extensive satellite-based communication mechanism in the later stages of the attack, which helps them to hide their identity.
Satellite communications are mostly a tool for TV broadcasting, but it can also provide access to the Internet in remote locations where all other types of Internet access are either unstable or not available at all.
One of the most widespread and inexpensive types of satellite-based Internet connection is a downstream-only connection. In a downstream-only connection, all the downstream traffic comes back to the PC unencrypted. That is where Turla comes in.
The Turla group takes advantage of this weakness by using it to hide the location of its C&C servers, one of the most important parts of the malicious infrastructure.
“In the past, we’ve seen at least three different actors using satellite-based Internet links to mask their operations,” said Stefan Tanase, senior security researcher at Kaspersky Lab. “Of these, the solution developed by the Turla group is the most interesting and unusual. They are able to reach the ultimate level of anonymity by exploiting a widely used technology – one-way satellite Internet. The attackers can be anywhere within range of their chosen satellite, an area that can exceed thousands of square kilometers. This makes it almost impossible to track down the attacker.
Discovering the location of such a server can lead investigators to uncover details about the actor behind an operation, so here is what Kaspersky said is how the Turla group is avoiding such risks:
• The group first “listens” to the downstream from the satellite to identify active IP addresses of satellite-based Internet users who are online at that moment.
• They then choose an online IP address to use to mask a C&C server, without the legitimate user’s knowledge.
• The machines infected by Turla then get instructions to exfiltrate data toward the chosen IPs of regular satellite-based Internet users. The data travels through conventional lines to the satellite Internet provider’s teleports, then up to the satellite, and finally down from the satellite to the users with the chosen IPs.
The legitimate user whose IP address has been used by the attackers to receive data from an infected machine, will also receive these packets of data but will probably not notice them, researchers said.
This is because the Turla attackers instruct infected machines to send data to ports that, in the majority of cases, end up closed by default. As a result, the PC of a legitimate user will simply drop these packets, while the Turla C&C server, which keeps those ports open, will receive and process the exfiltrated data.
In addition, Turla tends to use satellite Internet connection providers located in Middle Eastern and African countries.
In their research, Kaspersky Lab researches found the Turla group using IPs of providers located in countries such as Congo, Lebanon, Libya, Niger, Nigeria, Somalia or the UAE. Satellite beams used by operators in these countries usually do not cover European and North American territories, making it very hard for most of security researchers to investigate such attacks.
“As the use of such methods becomes more popular, it’s important for system administrators to deploy the correct defense strategies to mitigate such attacks,” Tanase said.