A group of Russian hackers, most notably the Turla APT (Advanced Persistent Threat) group, is hijacking commercial satellite Internet links to hide its command-and-control operations, a security firm said today.

The Turla APT group, which takes its name from its malware and is behind the Epic Turla campaign, is abusing satellite-based Internet connections in order to:
  • Siphon sensitive data from government, military, diplomatic, research and educational organisations in the United States and Europe.
  • Hide their command-and-control servers from law enforcement agencies.
Although some of its operations were uncovered last year, the Turla APT group has been active for close to a decade, staying out of sight of law enforcement agencies and security firms the whole time.

Now, security researchers from Moscow-based security firm Kaspersky Lab say they have identified how the Turla APT group managed to stay hidden.

The group disguised the location of its command-and-control servers by routing their traffic through commercial satellite Internet connections, the researchers said.

Turla is a sophisticated Russian cyber-espionage group, believed to be sponsored by the Russian government, that has targeted government, military, embassy, research and pharmaceutical organisations in more than 45 countries, including China, Vietnam and the United States.

Hijacking Satellites to Hide Command-and-Control Servers

The group is known for exploiting critical vulnerabilities in both Windows and Linux, but according to Kaspersky researchers the satellite-based communication technique it uses to hide the location of its servers is more sophisticated than anything it has used before.
The Turla hackers exploit two weaknesses of older satellite Internet links:
  • The downstream (satellite-to-user) traffic is not encrypted.
  • It is broadcast over the satellite's entire coverage area, so any dish in the beam, not only the paying subscriber's, receives it.

The group takes advantage of this design flaw to intercept, with nothing more than a dish, the traffic destined for a specific subscriber, and to borrow that unsuspecting subscriber's IP address without the user ever noticing.

Here's How the Scheme Works

The technique is simple because many such satellites are in orbit, each beaming unencrypted traffic down to a large geographical area.

The Turla APT group only needs:
  • A rented house in an area covered by one of the vulnerable satellites
  • A satellite dish and receiver to capture the downlink traffic
  • A landline Internet connection for its own outbound traffic

The Turla hackers sniff the traffic coming down from the satellite and pick the IP address of a subscriber who happens to be online at that moment.

The chosen subscriber's computer does not have to be infected. The hackers simply configure the domain names of their command-and-control (C&C) servers to resolve to that subscriber's IP address, and choose a port on which the subscriber's computer is not listening.

Malware on the infected victim computers then sends its stolen data to the C&C domain. The satellite ISP routes those packets down to the subscriber's area, where the subscriber's computer silently drops them because nothing is listening on that port, while the Turla dish in the same beam captures them. Any replies the hackers need to send go out over their landline connection with the source address spoofed to the subscriber's IP, so the victim's malware sees a consistent C&C address.

The sneaky part: because the dish only needs to be somewhere inside the satellite's beam, the hackers' real location could be anywhere across thousands of miles, and the trail leads investigators only to an innocent satellite subscriber.
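The scheme above as a runnable model, added here as an illustration rather than anything taken from Kaspersky's analysis or from Turla's tooling. Every IP address, port and packet is constructed; the "quiet port" heuristic and the candidate port list are assumptions. It shows the three steps in order: picking a subscriber who is online from sniffed downlink traffic, choosing a port that subscriber is not using, and then the broadcast itself, where the subscriber's stack drops the exfiltrated data while the attacker's dish in the same beam keeps it.

```python
"""Model of the satellite-link C&C hijack described above.

Added example, not Kaspersky's code or anything recovered from Turla.
All addresses, ports and packets are constructed; the port-selection
heuristic is an assumption.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    sport: int      # source port
    dst: str        # destination IP (a satellite subscriber in the beam)
    dport: int      # destination port
    payload: bytes  # application data, sent in the clear on the old links


# Constructed sample of what a dish in the beam sees on the forward
# (hub -> subscriber) link: every subscriber's traffic, unencrypted.
# The subscribers are browsing, so replies arrive on their ephemeral ports.
DOWNLINK_SAMPLE = [
    Packet("93.184.216.34", 443, "41.0.0.10", 51234, b"TLS..."),
    Packet("151.101.1.69", 443, "41.0.0.10", 51235, b"TLS..."),
    Packet("198.51.100.5", 80, "41.0.0.77", 40100, b"HTTP/1.1 200 OK"),
    Packet("198.51.100.5", 80, "41.0.0.77", 40100, b"<html>..."),
    Packet("93.184.216.34", 443, "41.0.0.77", 40101, b"TLS..."),
    Packet("203.0.113.9", 443, "41.0.0.201", 60002, b"TLS..."),
]


def active_subscribers(packets, min_packets=2):
    """Step 1: subscriber IPs that are online right now (receiving traffic),
    most active first. These are the hijack candidates."""
    counts = Counter(p.dst for p in packets)
    return [ip for ip, n in counts.most_common() if n >= min_packets]


def choose_quiet_port(packets, victim_ip, candidates=(80, 10080, 8080)):
    """Step 2 (assumed heuristic): pick a port the sniffed traffic shows the
    subscriber is not using, so its TCP/IP stack silently drops the
    unsolicited packets instead of answering them."""
    in_use = {p.dport for p in packets if p.dst == victim_ip}
    for port in candidates:
        if port not in in_use:
            return port
    raise RuntimeError("no quiet port among the candidates")


class Subscriber:
    """The legitimate satellite user. Nothing is installed on this machine;
    it simply ignores packets for ports it did not open."""

    def __init__(self, ip, open_ports):
        self.ip = ip
        self.open_ports = set(open_ports)
        self.accepted = []

    def receive(self, pkt):
        if pkt.dst == self.ip and pkt.dport in self.open_ports:
            self.accepted.append(pkt)


class AttackerListener:
    """The attacker's dish in the same beam: passively filters the broadcast
    for the hijacked IP:port and keeps whatever the implants send."""

    def __init__(self, hijacked_ip, port):
        self.hijacked_ip = hijacked_ip
        self.port = port
        self.collected = []

    def receive(self, pkt):
        if pkt.dst == self.hijacked_ip and pkt.dport == self.port:
            self.collected.append(pkt.payload)

    def reply(self, to_pkt, payload):
        """Answers leave over the ordinary landline with the hijacked IP as
        the spoofed source, so the implant sees a consistent C&C address."""
        return Packet(self.hijacked_ip, self.port, to_pkt.src, to_pkt.sport, payload)


def broadcast(packets, receivers):
    """The forward link is a broadcast: every dish in the beam gets every packet."""
    for pkt in packets:
        for r in receivers:
            r.receive(pkt)


def run_hijack():
    victim_ip = active_subscribers(DOWNLINK_SAMPLE)[0]
    port = choose_quiet_port(DOWNLINK_SAMPLE, victim_ip)
    subscriber = Subscriber(
        victim_ip, {p.dport for p in DOWNLINK_SAMPLE if p.dst == victim_ip})
    attacker = AttackerListener(victim_ip, port)
    # Step 3: the C&C domain now resolves to victim_ip. An implant inside an
    # infected organisation (constructed address) sends stolen data there; the
    # satellite ISP routes it down the same forward link as everything else.
    exfil = [
        Packet("10.20.30.40", 49152, victim_ip, port, b"stolen-doc-part-1"),
        Packet("10.20.30.40", 49152, victim_ip, port, b"stolen-doc-part-2"),
    ]
    broadcast(DOWNLINK_SAMPLE + exfil, [subscriber, attacker])
    ack = attacker.reply(exfil[-1], b"next-task")
    return {
        "hijacked_ip": victim_ip,
        "port": port,
        "attacker_got": attacker.collected,
        "subscriber_leaked": [p for p in subscriber.accepted if p.dport == port],
        "reply_src": ack.src,
    }


if __name__ == "__main__":
    print(run_hijack())
```

The model makes the detection problem visible: the subscriber never sees the stolen data, so nothing on that machine can alert. The only vantage points that do see it are the satellite ISP's hub, where traffic to a subscriber on a port that subscriber never opened is anomalous, and the infected organisation's own egress, where a C&C domain resolving to a satellite provider's address range is itself a signal.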
