A cyberespionage group of Russian origin that targets governmental, diplomatic, military, educational and research organizations is hijacking satellite-based Internet connections in order to hide its servers from security researchers and law enforcement agencies.
The group is known as Epic Turla, Snake or Uroburos and even though some of its operations were first uncovered in February 2014, it has been active for at least eight years.
The group is known for using highly sophisticated malware for both Windows and Linux operating systems, as well as multistage proxies for bypassing network segmentation and isolation mechanisms.
According to a new report released Wednesday by Kaspersky Lab, the Turla group also has another trick up its sleeve: the hijacking of one-way Internet connections over the DVB-S (Digital Video Broadcasting Satellite) standard.
DVB-S Internet links are still used in some regions of the world where high-speed Internet infrastructure is absent or not well developed.
When using such a connection, the computer requests Internet content over a conventional Internet link, but receives the data from a satellite through a parabolic antenna. With such connections the uplink speed is much slower than the downlink speed.
The problem is that when a satellite transmits data packets in the wide DVB-S frequency range, those packets are unencrypted and are broadcast to the entire region of the world covered by that satellite. This allows someone with a powerful antenna to intercept and read packets intended for a receiver located far away, for example in a different country.
The Turla attackers are exploiting this weakness in order to hide the real location of their command-and-control servers, researchers from Kaspersky Lab said in their report.
First, the attackers choose the IP (Internet Protocol) address of a person who uses a satellite-based Internet connection and then they configure the domain names for their command-and-control servers to point to that address.
The infected computers will then attempt to contact the unsuspecting user’s IP address in order to send stolen data or receive instructions. The traffic will be sent to the user’s ISP and will be broadcast through a satellite at which point the attackers, who are sniffing the satellite connections in the region, will intercept it.
They will then send replies to the infected machines over a regular Internet connection, but make them appear as if they were sent by the satellite user’s IP address. In order to do this, they need to target an ISP that doesn’t protect against IP address spoofing.
The technique is not new and has been presented at security conferences in the past. However, there is evidence that suggests the Turla group has been using it since 2007.
The group prefers to abuse DVB-S Internet providers from countries in the Middle East and Africa. This makes the hijacking hard to detect by security researchers based in the U.S. or Europe since the targeted satellite beams cannot be monitored from those regions.
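Defenders who cannot monitor the satellite beams can still look at their own DNS logs for names that resolve into satellite-provider address space, since the technique depends on command-and-control domains pointing at a satellite user's IP address. The following is an added example, not code from the Kaspersky report; the netblocks, provider names, log format and log lines are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-ins (RFC 5737 documentation prefixes) for netblocks that a
# defender has mapped to DVB-S Internet providers; the names are hypothetical.
SATELLITE_NETS = {
    "sat-isp-a": ipaddress.ip_network("192.0.2.0/24"),
    "sat-isp-b": ipaddress.ip_network("198.51.100.0/25"),
}

# Constructed resolver log: timestamp, client IP, queried name, answer IP.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z 10.1.1.5 updates.example.net 192.0.2.77
2024-01-15T10:00:03Z 10.1.1.9 www.example.org 203.0.113.10
2024-01-15T10:05:44Z 10.1.2.20 Updates.Example.NET. 192.0.2.77
2024-01-15T10:07:12Z 10.1.1.5 cdn.example.com 198.51.100.200
2024-01-15T10:09:30Z 10.1.3.3 news.example.info 198.51.100.14
malformed line
2024-01-15T10:10:00Z 10.1.3.3 v6.example.org 2001:db8::1
"""

def satellite_provider(addr):
    """Return the provider name if addr is inside a listed netblock, else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for name, net in SATELLITE_NETS.items():
        if ip.version == net.version and ip in net:
            return name
    return None

def find_satellite_resolutions(log_text):
    """Group internal clients by domain whose answer lies in a satellite netblock."""
    hits = defaultdict(lambda: {"providers": set(), "ips": set(), "clients": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of failing the whole run
        _ts, client, domain, answer = fields
        provider = satellite_provider(answer)
        if provider:
            entry = hits[domain.lower().rstrip(".")]  # normalise case and root dot
            entry["providers"].add(provider)
            entry["ips"].add(answer)
            entry["clients"].add(client)
    return dict(hits)

if __name__ == "__main__":
    for domain, hit in sorted(find_satellite_resolutions(SAMPLE_LOG).items()):
        print(domain, sorted(hit["providers"]), sorted(hit["ips"]), sorted(hit["clients"]))
```

A match is a triage lead rather than proof of compromise; the client list per domain shows which internal hosts to examine first.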
The method is technically easy to implement and provides better anonymity to attackers than renting a virtual private server from a hosting company or using a hacked server for command and control, the Kaspersky researchers said.
Other APT (advanced persistent threat) groups have been seen using satellite-based Internet links in the past, including Italian surveillance software maker Hacking Team and two cyberespionage groups known as Xumuxu and Rocket Kitten.
“If this method becomes widespread between APT groups or worse, cyber-criminal groups, this will pose a serious problem for the IT security and counter-intelligence communities,” the Kaspersky researchers said.