SafeUM
14 Sep 2015

Russian-speaking cyber spies exploit satellites

The Turla APT group, also known as Snake and Uroboros, is one of the most advanced threat actors in the world.

This cyber espionage group has been active for more than 8 years, but little was known about its operations until last year, when the Epic Turla research was published.

Specifically, this research included examples of language artifacts showing that part of the Turla group are Russian speakers. These people employ codepage 1251, which is commonly used to render Cyrillic characters, and words like "Zagruzchik", which means "boot loader" in Russian. What makes the Turla group especially dangerous and difficult to catch is not just the complexity of its tools, but the exquisite satellite-based command-and-control (C&C) mechanism implemented in the final stages of the attack. Command-and-control servers are the base of advanced cyber-attacks. At the same time, they are the weakest link in malicious infrastructure, and are always targeted by digital investigators and law enforcement agencies.

There are two good reasons for that. Firstly, these servers are used to control all of the operations. If you could shut them down, you could disturb or even disrupt the cyber campaign. Secondly, C&C servers can be used to trace attackers back to their physical locations. That's why threat actors are always trying to hide C&C as deep as possible. The Turla group has found quite an effective way to do it: they conceal their servers' IPs in the sky.

One of the most widespread and inexpensive types of satellite-based Internet connection is a downstream-only connection. In this case, outgoing data from a user's PC is carried via conventional lines (wired or cellular), while all the incoming traffic comes from the satellite.

However, this technology has one peculiarity: all the downstream traffic comes from the satellite to the PC unencrypted. Simply put, anyone within the satellite's footprint can intercept the traffic. The Turla group uses this flaw in a new and quite interesting way: to hide their own C&C traffic.

What exactly they do is the following:

  1. They listen to the downstream from the satellite to identify active IP addresses of satellite-based Internet users who are online at that moment.
  2. Then they choose a number of currently active IP addresses to be used for masking a C&C server without the legitimate user’s knowledge.
  3. The machines infected by Turla get the instruction to send all the data to the chosen IPs. The data travels through conventional lines to the satellite and finally down from the satellite to the users with the chosen IPs.
  4. This data is dropped by the legitimate users' PCs as garbage, while the threat actors pick it up from the downstream satellite connection.
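One defender-side check this scheme suggests, written here as an added example that is not from the original article or from Kaspersky's research: flag internal hosts that repeatedly send data to addresses in satellite-provider space and never get a byte back, since the hijacked subscriber's PC simply discards what it receives. The provider prefixes and the flow records are constructed placeholders; in practice the prefixes would come from the provider's published address allocations.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder prefixes standing in for the address space of
# downstream-only satellite ISPs. They are documentation ranges, not real
# provider allocations and not Turla indicators.
SATELLITE_PREFIXES = [ipaddress.ip_network(p) for p in (
    "203.0.113.0/24",    # hypothetical satellite provider A
    "198.51.100.0/25",   # hypothetical satellite provider B
)]

# Constructed flow records: (src, dst, dst_port, bytes_out, bytes_in).
# A real deployment would read these from NetFlow/IPFIX or firewall logs.
SAMPLE_FLOWS = [
    ("10.0.0.5",  "203.0.113.77",  80,  1400, 0),
    ("10.0.0.5",  "203.0.113.77",  80,  1200, 0),
    ("10.0.0.5",  "203.0.113.77",  80,  1350, 0),
    ("10.0.0.9",  "93.184.216.34", 443, 5000, 22000),  # normal web traffic
    ("10.0.0.5",  "198.51.100.10", 443, 900,  0),
    ("10.0.0.12", "203.0.113.200", 443, 700,  4100),   # satellite user, answered
]


def in_satellite_space(ip):
    """True if the address falls inside one of the watched provider prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SATELLITE_PREFIXES)


def find_suspect_flows(flows, min_hits=2):
    """Return {(src, dst): count} for source hosts that sent to a
    satellite-provider address at least min_hits times without ever
    receiving a reply (bytes_in == 0). Repeated one-way sends to a
    downstream-only subscriber are the pattern the article describes."""
    counts = defaultdict(int)
    for src, dst, _port, _bytes_out, bytes_in in flows:
        if in_satellite_space(dst) and bytes_in == 0:
            counts[(src, dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for (src, dst), n in find_suspect_flows(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {n} unanswered sends into satellite space")
```

Answered flows such as the 10.0.0.12 record are left alone, so ordinary satellite subscribers on the network do not trip the check.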

Since a satellite downstream covers a wide area, it's impossible to track where exactly the threat actors' receivers are physically based. To make this game of cat and mouse even harder, the Turla group tends to exploit satellite Internet providers located in Middle Eastern and African countries such as Congo, Lebanon, Libya, Niger, Nigeria, Somalia or the UAE.

Satellite beams that are used by operators in these countries usually do not cover European and North American territories, making it very hard for most security researchers to investigate such attacks.

The attackers behind Turla have infected hundreds of computers in more than 45 countries, including Kazakhstan, Russia, China, Vietnam and the United States. Organizations of interest to the Turla group include government institutions and embassies, as well as military, education, research and pharmaceutical companies.

Tags:
hackers Russia APT surveillance
Source:
Kaspersky Daily