satellite hacking

In case you’re a state-sponsored hacker siphoning data from selected computer systems, the very last thing you need is for somebody to find your command-and-control server and shut it down, finishing your capacity to communicate with contaminated machines and steal data.

The Russian-speaking spy gang often known as Turla have discovered a solution to this—hacking the satellite IP addresses of reliable customers to use them to steal from infected systems in a method that hides their command server. Researchers at Kaspersky Lab have found proof that the Turla gang has been utilizing the covert approach since, at the very least 2007.

Turla is a sophisticated cyber-espionage group, believed to be sponsored by the Russian government, that has for more than a decade targeted government agencies, embassies, and militaries in more than forty nations, including but not limited to Kazakhstan, China, Vietnam, and the USA, however with a particular emphasis on countries in the former Eastern Bloc. The Turla gang uses various strategies to infect systems and steal information, but for some of its most high-profile targets, the group seems to use a satellitebased communication method to assist in concealing the location of their command servers, according to Kaspersky researchers.

Ordinarily, hackers will lease a server or hack one to use as a command station, sometimes routing their activity through multiple proxy machines to hide the location of the command server. But these command-and-control servers can still often be traced to their hosting provider and taken down and seized for forensic evidence.“The C&C servers are the central point of failure when it comes to cybercrime or espionage operations, so it’s very important for them to hide the physical location of the servers,” notes Stefan Tanase, senior security researcher with Kaspersky.

Therefore the tactic used by the Russian hackers, which Tanase calls “exquisitebecause it permits the attackers to conceal their command server from researchers and law enforcement agents who would seize them. Satellite web providers cover a wider geographical area than standard ISPs—satellite coverage can extend for more than a thousand miles and span a number of countries and even continents—so tracking the location of a pc using a satellite IP address is usually tougher.

“[This technique] essentially makes it impossible for someone to shut down or see their command servers,” Tanase says. “No matter how many levels of proxies you use to hide your server, investigators who are persistent enough can reach the final IP address. It’s just a matter of time until you get discovered. However by using this satellite link, it’s almost impossible to get discovered.”

How It Works

Satellite internet connectivity is an old technologyfolks have been utilizing it for at least 20 years. It is popular in remote areas where other methods of connectivity aren’t available or where highspeed connections aren’t offered.hackingOne of the most widespread and least costly type of satellite connectivity is downstream-only, which individuals will typically use for faster downloads, since satellite connections tend to provide larger bandwidth than another connection methods. Traffic coming out of the person’s pc will go through a dial-up or other connection, whereas traffic coming in goes via the satellite connection. As a result of this satellite communication isn’t encrypted, hackers can point an antenna at the traffic to intercept the data or, in the case of the Turla hackers, determine the IP address of a authentic satellite users to be able to hijack it.

Such vulnerabilities in the satellite system were made public in 2009 (.pdf) and 2010 (.pdf) in separate presentations at the Black Hat security convention. However the Turla hackers appear to have been utilizing the vulnerabilities to hijack satellite connections since at least 2007. Kaspersky researchers found a sample of their malware that appears to have been compiled in 2007. The malware sample contained two hard coded IP addresses for communicating with a command server—one of them an address that belonged to a German satellite ISP.

To use a hijacked satellite connection for exfiltrating data, the attacker first infects a targeted computer with malware that contains a hardcoded domain name for his command server. But instead of the domain name using a static IP address, the hackers use what’s known as dynamic DNS hosting, which allows them to change the IP address for a domain at will.The attacker then uses an antenna to pick up satellite traffic in his region and collects a list of IP addresses belonging to legitimate satellite users. He can then configure the domain name for his command server to use one of the satellite IP address. The malware on infected computers will then contact the legitimate satellite internet user’s IP address to initiate a TCPIP connection, but that user’s machine will drop the connection since the communication isn’t intended for it. The same request, however, will also go to the attackers’ command-and-control computer, which is using the same IP address, which will reply to the infected machine and establish a communication channel to receive data siphoned from the infected machine. Any data that gets siphoned from the infected machine will also go to the innocent user’s system, but that system will simply drop it.Tanase says the legitimate satellite user won’t notice that his satellite connection has been hijacked unless he checks his log files and notices that packets are being dropped by his satellite modem. “He will see some requests that he didn’t ask for,” Tanase says. “But it will just look like internet noise,” rather than suspicious traffic.
Map of Turla Targets
Source: Kaspersky

The method isn’t reliable for long-term exfiltration of data, since these satellite internet connections are one-way and can be very unreliable. The attacker will also lose the satellite connection once the innocent user whose IP address he has hijacked goes offline. “This is why we believe they only use it on the most high-profile targets,” Tanase says, “when anonymity is essential. We don’t see them using it all the time.”

The researchers saw the Turla hackers communicating through satellite connections around the world, but most of their activity concentrated in two specific regions. “They seem to have a preference for using IP ranges assigned to providers in the Middle East and African regions–the Congo, Nigeria, Lebanon, Somalia, and the United Arab Emirates,” says Tanase.

All the hijacking requires is a satellite dish, some cable, and a satellite modem, which costs around a thousand dollars.

It’s not the first time the Kaspersky researchers have seen teams using satellite connections for command servers. Tanase says the Hacking Team, the Italian firm that sells surveillance tools to law enforcement and intelligence agencies, also used satellite IP addresses for the command-and-control servers that communicate with its software. However in these instances, the internet connections appear to have been purchased by Hacking Team’s law enforcement subscribers. The Turla group has used so many different satellite IP address that Tanase says it’s clear they’re hijacking them from legitimate customers.Tanase says the technique, if adopted by criminal gangs sooner or later, will make it tougher for law enforcement agencies and researchers to track command servers and shut them down.

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here