Kaspersky Lab researchers have revealed that a Russia-based group of cyber attackers known as Turla has exploited a weakness in one-way satellite communication, using it to hide the location of its Command and Control servers and escape identification by investigators.
The notorious group has been active for more than 8 years, having infected hundreds of computers in more than 45 countries, including Kazakhstan, Russia, China, Vietnam and the United States. Turla's main targets range from government institutions and embassies to military, education, research and pharmaceutical companies.
Explaining the method used by Turla, the lab's report points to a loophole in one of the most widespread and inexpensive types of satellite-based Internet connection, known as a downstream-only connection. In such connections, the user sends requests over conventional lines, such as a wired or GPRS connection, but receives the incoming traffic by means of a satellite.
This downstream traffic, however, is totally unencrypted, so anybody with simple and inexpensive resources can intercept it and gain access to the data and links being downloaded by the user.
Turla exploits this weakness to hide its Command and Control (C&C) servers. The attackers first identify online users who are downloading data from the satellite and choose one of their IP addresses to mask a C&C server, without that user's knowledge.
The machines infected by Turla are then instructed to send data to these chosen IPs of regular satellite-based Internet users. The data travels through conventional lines to the satellite Internet provider's teleports, then up to the satellite, and finally down from the satellite to the users with the chosen IPs. Interestingly, the ports on a regular user's PC that receive this data are closed by default, so the user's machine simply drops the packets; the same packets, arriving on the shared satellite downlink, are received and processed by the open ports of Turla's C&C server, which is listening to that downlink.
In addition to this clever gambit, Turla generally uses satellite Internet providers located in Middle Eastern and African countries such as Congo, Lebanon, Libya, Niger, Nigeria, Somalia or the UAE. These providers use satellite beams that do not cover European and North American territories, making it very hard for most security researchers to investigate these attacks.
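As an added defender-side example (not from the Kaspersky report or this article), the beaconing described above leaves a hunt-able pattern in flow logs: internal hosts contacting the address space of downstream-only satellite ISPs at a regular cadence. The prefixes, the flow-line format and the sample records below are constructed placeholders; real satellite-ISP ranges would have to come from WHOIS or BGP data.

```python
import ipaddress
from statistics import mean, pstdev

# Constructed watchlist: placeholder prefixes standing in for satellite-ISP
# address space (TEST-NET ranges, illustrative only).
SATELLITE_PREFIXES = [ipaddress.ip_network(p)
                      for p in ("203.0.113.0/24", "198.51.100.0/24")]

def in_satellite_space(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SATELLITE_PREFIXES)

def parse_flow(line):
    # Constructed flow format: "<epoch> <src_ip> <dst_ip> <dst_port> <bytes_out>"
    ts, src, dst, dport, nbytes = line.split()
    return int(ts), src, dst, int(dport), int(nbytes)

def find_satellite_beacons(lines, min_flows=4, max_cv=0.2):
    """Group flows by (src, dst, dport) and flag pairs that reach satellite-ISP
    space at a steady interval: a low coefficient of variation (CV) of the gaps
    between flows is the classic C&C beacon signature."""
    by_pair = {}
    for line in lines:
        ts, src, dst, dport, _ = parse_flow(line)
        if in_satellite_space(dst):
            by_pair.setdefault((src, dst, dport), []).append(ts)
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue                      # too few flows to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        if cv <= max_cv:
            hits.append((pair, round(cv, 3)))
    return sorted(hits)

# Constructed sample: 10.0.0.5 beacons every 600 s to satellite space (flagged),
# 10.0.0.8 talks to a non-satellite address, 10.0.0.9 is irregular (not flagged).
SAMPLE_FLOWS = [
    "1440000000 10.0.0.5 203.0.113.7 443 512",
    "1440000600 10.0.0.5 203.0.113.7 443 498",
    "1440001200 10.0.0.5 203.0.113.7 443 530",
    "1440001800 10.0.0.5 203.0.113.7 443 501",
    "1440002400 10.0.0.5 203.0.113.7 443 515",
    "1440000100 10.0.0.8 192.0.2.10 443 2048",
    "1440000050 10.0.0.9 198.51.100.20 80 700",
    "1440000900 10.0.0.9 198.51.100.20 80 650",
    "1440005000 10.0.0.9 198.51.100.20 80 710",
    "1440005200 10.0.0.9 198.51.100.20 80 690",
]
```

Running `find_satellite_beacons(SAMPLE_FLOWS)` returns only the 10.0.0.5 pair; the CV threshold and minimum flow count would be tuned against the organisation's own baseline.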
Stefan Tanase, Senior Security Researcher at Kaspersky Lab, said:
"They are able to reach the ultimate level of anonymity by exploiting a widely used technology – one-way satellite Internet. The attackers can be anywhere within range of their chosen satellite, an area that can exceed thousands of square kilometers. This makes it almost impossible to track down the attacker."
Kaspersky Lab products claim to successfully detect and block the malware used by the Turla threat actor under the following detection names: Backdoor.Win32.Turla, Rootkit.Win32.Turla.*, HEUR:Trojan.Win32.Epiccosplay.gen and HEUR:Trojan.Win32.Generic.