Turla cyberespionage group exploits satellite Internet links for anonymity

The group routes traffic to their command-and-control servers through hijacked DVB-S Internet connections

A cyberespionage group of Russian origin that targets governmental, diplomatic, military, educational and research organizations is hijacking satellite-based Internet connections in order to hide their servers from security researchers and law enforcement agencies.

The group is known as Epic Turla, Snake or Uroburos and even though some of its operations were first uncovered in February 2014, it has been active for at least eight years.

The group is known for using highly sophisticated malware for both Windows and Linux operating systems, as well as multistage proxies for bypassing network segmentation and isolation mechanisms.

According to a new report released Wednesday by Kaspersky Lab, the Turla group also has another trick up its sleeve: the hijacking of one-way Internet connections that run over the DVB-S (Digital Video Broadcasting - Satellite) standard.

DVB-S Internet links are still used in some regions of the world where high-speed Internet infrastructure is absent or not well developed.

Such a link is asymmetric. The computer sends its requests over a conventional terrestrial Internet link, but receives the requested data from a satellite through a parabolic dish antenna, and the uplink is much slower than the downlink.

The problem is that the downlink is a broadcast. The satellite transmits the data packets unencrypted, in the wide DVB-S frequency range, to the entire region of the world covered by its beam. Anyone inside that footprint with a dish and a DVB-S receiver can capture and read packets that are intended for a subscriber located far away, for example in a different country.

The Turla attackers are exploiting this weakness in order to hide the real location of their command-and-control servers, researchers from Kaspersky Lab said in their report.

First, the attackers choose the IP (Internet Protocol) address of a subscriber who uses a satellite-based Internet connection and configure the domain names of their command-and-control servers to resolve to that address.

Infected computers then contact the unsuspecting subscriber's IP address in order to send stolen data or receive instructions. The traffic is routed to the subscriber's satellite ISP and broadcast over the satellite downlink, at which point the attackers, who are sniffing that beam with their own dish somewhere in the footprint, capture it.

They then send replies to the infected machines over a regular Internet connection, forging the source address so the packets appear to come from the satellite subscriber's IP address. This requires sending the replies through an ISP that does not filter packets with spoofed source addresses.
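The following toy model of that exchange is an added example, not code from the article or from the Kaspersky report. It treats the satellite downlink as a broadcast medium that every receiver in the footprint can observe, lets the attacker answer a captured beacon with a reply forged from the hijacked subscriber's address, and runs the scenario once through an attacker-side ISP that does not validate source addresses and once through one that does. All IP addresses, prefixes, port numbers and payloads are constructed for the model; it also assumes, as a modelling choice, that the chosen C2 port is one the real subscriber's host does not serve, so the legitimate owner simply ignores the beacon.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src: str       # source address as written in the header; nothing below verifies it
    dst: str
    dport: int
    payload: str


class Host:
    """A host that accepts a packet only if it is addressed to it on a port it listens on."""

    def __init__(self, ip, listening_ports=()):
        self.ip = ip
        self.listening = set(listening_ports)
        self.accepted = []

    def receive(self, pkt):
        if pkt.dst == self.ip and pkt.dport in self.listening:
            self.accepted.append(pkt)


class Implant(Host):
    """Infected machine: waits for C2 replies and trusts the source address of what it gets."""

    def __init__(self, ip, c2_ip, reply_port):
        super().__init__(ip, {reply_port})
        self.c2_ip = c2_ip

    def receive(self, pkt):
        if pkt.src == self.c2_ip:          # exactly the check the spoofed reply satisfies
            super().receive(pkt)


class Sniffer:
    """Attacker's dish inside the footprint: keeps every frame addressed to the hijacked IP.
    It needs no address of its own on the satellite network; it only listens."""

    def __init__(self, hijacked_ip):
        self.hijacked_ip = hijacked_ip
        self.captured = []

    def receive(self, pkt):
        if pkt.dst == self.hijacked_ip:
            self.captured.append(pkt)


class SatelliteDownlink:
    """DVB-S forward link: downstream packets go out in the clear to every receiver in the beam."""

    def __init__(self, receivers):
        self.receivers = list(receivers)

    def deliver(self, pkt):
        for receiver in self.receivers:
            receiver.receive(pkt)


class Internet:
    """Prefix-based toy routing. Each attached network has a delivery hook and a flag that says
    whether its edge drops packets whose source address is not its own (source validation)."""

    def __init__(self):
        self.nets = {}                     # prefix -> (deliver, source_validation)

    def attach(self, prefix, deliver, source_validation):
        self.nets[prefix] = (deliver, source_validation)

    def _prefix_of(self, ip):
        return next((p for p in self.nets if ip.startswith(p)), None)

    def send(self, pkt, origin_prefix):
        """Inject pkt at the edge of origin_prefix; return True if it reached its destination network."""
        _, validates = self.nets[origin_prefix]
        if validates and not pkt.src.startswith(origin_prefix):
            return False                   # spoofed source dropped by the originating ISP
        dst_prefix = self._prefix_of(pkt.dst)
        if dst_prefix is None:
            return False
        self.nets[dst_prefix][0](pkt)
        return True


def run_hijack(attacker_isp_validates_source):
    # Constructed prefixes: 10.1. = satellite ISP subscribers, 10.2. = infected organisation,
    # 10.3. = the terrestrial ISP the attackers send their forged replies through.
    subscriber = Host("10.1.0.7", listening_ports={80})      # real owner of the hijacked IP
    c2_ip, c2_port, reply_port = subscriber.ip, 443, 40001    # C2 domain resolves to the subscriber
    sniffer = Sniffer(hijacked_ip=c2_ip)
    implant = Implant("10.2.0.5", c2_ip=c2_ip, reply_port=reply_port)
    attacker_ip = "10.3.0.1"

    net = Internet()
    net.attach("10.1.", SatelliteDownlink([subscriber, sniffer]).deliver, source_validation=True)
    net.attach("10.2.", implant.receive, source_validation=True)
    net.attach("10.3.", lambda pkt: None, source_validation=attacker_isp_validates_source)

    # 1. The implant beacons to the hijacked IP; the satellite ISP broadcasts it over the beam.
    net.send(Packet(src=implant.ip, dst=c2_ip, dport=c2_port, payload="beacon"), origin_prefix="10.2.")

    # 2. The attacker answers each captured beacon with a reply forged from the hijacked IP,
    #    sent over its own terrestrial connection rather than via the satellite.
    delivered = [
        net.send(Packet(src=c2_ip, dst=cap.src, dport=reply_port, payload="task"), origin_prefix="10.3.")
        for cap in sniffer.captured
    ]

    return {
        "subscriber_accepted": len(subscriber.accepted),
        "sniffer_captured": len(sniffer.captured),
        "reply_delivered": any(delivered),
        "src_ips_seen_by_implant": sorted({p.src for p in implant.accepted}),
        "attacker_ip_visible_to_victim": any(p.src == attacker_ip for p in implant.accepted),
    }
```

Two things the model makes concrete: the victim's logs only ever contain the subscriber's address, so an investigator chasing the C2 ends up at an innocent satellite user, and the whole scheme collapses at the reply step if the attacker's terrestrial ISP drops packets with foreign source addresses, which is why the choice of a non-filtering ISP matters as much as the choice of satellite beam.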

The technique is not new and has been presented at security conferences in the past. However, there is evidence that suggests the Turla group has been using it since 2007.

The group prefers to abuse DVB-S Internet providers in the Middle East and Africa. This makes the hijacking hard to detect for security researchers based in the U.S. or Europe, since the satellite beams in question do not cover those regions and cannot be monitored from there.

The method is technically easy to implement and provides better anonymity to attackers than renting a virtual private server from a hosting company or using a hacked server for command and control, the Kaspersky researchers said.

Other actors have been seen using satellite-based Internet links in the past, including Italian surveillance software maker Hacking Team and two cyberespionage groups known as Xumuxu and Rocket Kitten.

"If this method becomes widespread between APT groups or worse, cyber-criminal groups, this will pose a serious problem for the IT security and counter-intelligence communities," the Kaspersky researchers said.

Lucian Constantin

IDG News Service