Russian Hacking Group Uses Satellites to Hide C&C Servers


Karamjit


Cyber-espionage taken to another level, physically

For the past 8 years, the Turla APT (Advanced Persistent Threat) group managed to remain invisible by cleverly hiding from law enforcement and cyber-security firms. Now, Kaspersky Lab claims to have identified the way this group succeeded in disguising itself by using satellite Internet connections to hide their C&C (command-and-control) servers.

Turla, a cyber-espionage group which many suspect is made up of Russian-speaking hackers, has been around since 2007, but only last year did Kaspersky security researchers manage to shed light on their operations.

After another year of sifting through data collected from their clients, Kaspersky's Stefan Tanase says that by using flaws in the design of older communications satellites, attackers are able to intercept Internet traffic and use it to hide the location of their C&C servers.

An intro into satellite communications

Satellites have been for many decades used in relaying communications across the globe, at faster speeds than using classic underwater cables. They can relay TV, radio, mobile data, and above all Internet traffic.

Most of the satellites that orbit around the Earth are decades old and do not come with support for encrypted connections, a measure which has become necessary only in recent years.

This particular loophole in the design of these satellites is now being exploited by the Turla group, which uses simple satellite dishes to freely intercept traffic coming down from the satellite to a specific user.

Attackers hijack unencrypted satellite communications

How this all works is quite simple. You have a lot of vulnerable satellites orbiting the Earth sending unencrypted traffic to a desired geographical area.

The Turla hackers buy a satellite dish to intercept that traffic, rent a house in the area where those vulnerable satellites provide coverage, and also get a classic landline Internet connection.

As traffic comes down from the satellite, Turla hackers sniff through its content and see what users are online at that moment, randomly selecting an IP.

This IP is broadcasted to their botnet's infected clients via the landline, clients which then send their stolen data via the satellite connection to the IP of an unsuspecting satellite Internet subscriber.

This is where the sneaky part comes in. Since traffic is unencrypted, Turla hackers can easily perform a MitM (man-in-the-middle) attack and intercept the traffic meant for that IP.

Because the data sent from the infected users via the satellite connection is specifically altered to land on custom ports, usually closed on the target IP, users who had their satellite Internet connection intercepted never know anything happened, because their PC automatically drops all network packets that land on that closed port.

100% undetectable botnet C&C servers

Meanwhile, the hackers have the data sent from their clients, all without giving away their real IP to do so.

Since satellites can cover huge areas of a continent, hackers can also easily hide their geographical location, putting hundreds of kilometers between them and the user for which they've intercepted the traffic.

This method allows them foolproof, 100% anonymity, something that Tor or classic proxy servers could never truly provide.

Africa is a favorite target for hiding Turla C&C servers

As Kaspersky points out, analyzing the group's actions is also very problematic for security researchers, since the group targets satellites that provide coverage only for regions of Africa and the Middle East.

By choosing satellites in these regions, cyber-security researchers will have to face many difficulties in gaining access to data to analyze.

Additionally, satellites in this region are also of an older model and make, which ensures a broader pool to choose from, compared to regions of Europe and North America where more modern satellites are used, with faster Internet connections, but with support for encrypted communications.

From

Source confirmation...


Russian Spy Gang Hijacks Satellite Links to Steal Data


IF YOU’RE A state-sponsored hacker siphoning data from targeted computers, the last thing you want is for someone to locate your command-and-control server and shut it down, halting your ability to communicate with infected machines and steal data.


So the Russian-speaking spy gang known as Turla have found a solution to this—hijacking the satellite IP addresses of legitimate users to use them to steal data from other infected machines in a way that hides their command server. Researchers at Kaspersky Lab have found evidence that the Turla gang has been using the covert technique since at least 2007.


Turla is a sophisticated cyber-espionage group, believed to be sponsored by the Russian government, that has for more than a decade targeted government agencies, embassies, and militaries in more than 40 countries, including Kazakhstan, China, Vietnam, and the US, but with a particular emphasis on countries in the former Eastern Bloc. The Turla gang uses a number of techniques to infect systems and steal data, but for some of its most high-profile targets, the group appears to use a satellite-based communication technique to help hide the location of their command servers, according to Kaspersky researchers.


Ordinarily, hackers will lease a server or hack one to use as a command station, sometimes routing their activity through multiple proxy machines to hide the location of the command server. But these command-and-control servers can still often be traced to their hosting provider and taken down and seized for forensic evidence.


“The C&C servers are the central point of failure when it comes to cybercrime or espionage operations, so it’s very important for them to hide the physical location of the servers,” notes Stefan Tanase, senior security researcher with Kaspersky.


Hence the method used by the Turla hackers, which Tanase calls “exquisite” because it allows the attackers to hide their command server from researchers and law enforcement agencies who would seize them. Satellite internet providers cover a wider geographical area than standard internet service providers—satellite coverage can extend for more than 1,000 miles and span multiple countries and even continents—so tracking the location of a computer using a satellite IP address can be more difficult.


“[This technique] essentially makes it impossible for someone to shut down or see their command servers,” Tanase says. “No matter how many levels of proxies you use to hide your server, investigators who are persistent enough can reach the final IP address. It’s just a matter of time until you get discovered. But by using this satellite link, it’s almost impossible to get discovered.”


How It Works

Satellite internet connectivity is an old-school technology—people have been using it for at least two decades. It’s popular in remote regions where other methods of connectivity are not available or where high-speed connections are not offered.


One of the most widespread and least expensive types of satellite connectivity is downstream-only, which people will sometimes use for faster downloads, since satellite connections tend to provide larger bandwidth than some other connection methods. Traffic coming out of the user’s computer will go through a dial-up or other connection, while traffic coming in goes through the satellite connection. Because this satellite communication isn’t encrypted, hackers can point an antenna at the traffic to intercept the data or, in the case of the Turla hackers, determine the IP address of a legitimate satellite user in order to hijack it.


Such vulnerabilities in the satellite system were made public in 2009 (.pdf) and 2010 (.pdf) in separate presentations at the Black Hat security conference. But the Turla hackers appear to have been using the vulnerabilities to hijack satellite connections since at least 2007. Kaspersky researchers found a sample of their malware that appears to have been compiled that year. The malware sample contained two hardcoded IP addresses for communicating with a command server—one of them an address that belonged to a German satellite internet provider.


To use a hijacked satellite connection for exfiltrating data, the attacker first infects a targeted computer with malware that contains a hardcoded domain name for his command server. But instead of the domain name using a static IP address, the hackers use what’s known as dynamic DNS hosting, which allows them to change the IP address for a domain at will.


The attacker then uses an antenna to pick up satellite traffic in his region and collects a list of IP addresses belonging to legitimate satellite users. He can then configure the domain name for his command server to use one of the satellite IP addresses. The malware on infected computers will then contact the legitimate satellite internet user’s IP address to initiate a TCP/IP connection, but that user’s machine will drop the connection since the communication isn’t intended for it. The same request, however, will also go to the attackers’ command-and-control computer, which is using the same IP address and which will reply to the infected machine and establish a communication channel to receive data siphoned from the infected machine. Any data that gets siphoned from the infected machine will also go to the innocent user’s system, but that system will simply drop it.


Tanase says the legitimate satellite user won’t notice that his satellite connection has been hijacked unless he checks his log files and notices that packets are being dropped by his satellite modem. “He will see some requests that he didn’t ask for,” Tanase says. “But it will just look like internet noise,” rather than suspicious traffic.


The method isn’t reliable for long-term exfiltration of data, since these satellite internet connections are one-way and can be very unreliable. The attacker will also lose the satellite connection once the innocent user whose IP address he has hijacked goes offline. “This is why we believe they only use it on the most high-profile targets,” Tanase says, “when anonymity is essential. We don’t see them using it all the time.”


The researchers saw the Turla hackers communicating through satellite connections around the world, but most of their activity concentrated in two specific regions. “They seem to have a preference for using IP ranges assigned to providers in the Middle East and African regions–the Congo, Nigeria, Lebanon, Somalia, and the United Arab Emirates,” says Tanase.


The hijacking isn’t that expensive to accomplish, either. All it requires is a satellite dish, some cable, and a satellite modem, all of which cost about $1,000.


It’s not the first time the Kaspersky researchers have seen groups using satellite connections for command servers. Tanase says Hacking Team, the Italy-based firm that sells surveillance tools to law enforcement and intelligence agencies, also has used satellite IP addresses for the command-and-control servers that communicate with its software. But in these cases, the internet connections appear to have been purchased by Hacking Team’s law enforcement subscribers. The Turla group has used so many different satellite IP addresses that Tanase says it’s clear they’re hijacking them from legitimate users.


Tanase says the technique, if adopted by criminal gangs in the future, will make it harder for law enforcement agencies and researchers to track command servers and shut them down.


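Both articles above describe what the legitimate satellite subscriber would see: connection attempts he never asked for, landing on a closed port and dropped by his modem or firewall, easy to dismiss as Internet noise. As an added example (not from either article, Kaspersky or the Turla research), the following Python separates that pattern from ordinary background scanning: many unrelated sources converging on one closed, non-standard port within a short window, which is what a subscriber's IP looks like while it is being used as a decoy. The log format, interface name and all addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of a satellite subscriber's firewall DROP log on the
# downstream interface (sat0); iptables-like, but every line is made up here.
SAMPLE_LOG = """\
2015-09-09T10:00:01 DROP IN=sat0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=5555 SYN
2015-09-09T10:00:03 DROP IN=sat0 SRC=203.0.113.17 DST=198.51.100.7 PROTO=TCP DPT=5555 SYN
2015-09-09T10:00:04 DROP IN=sat0 SRC=198.18.0.9 DST=198.51.100.7 PROTO=TCP DPT=5555 SYN
2015-09-09T10:00:09 DROP IN=sat0 SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP DPT=5555 SYN
2015-09-09T10:01:12 DROP IN=sat0 SRC=192.0.2.80 DST=198.51.100.7 PROTO=TCP DPT=23 SYN
2015-09-09T10:01:30 DROP IN=sat0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=5555 SYN
2015-09-09T10:02:00 DROP IN=sat0 SRC=198.18.0.77 DST=198.51.100.7 PROTO=TCP DPT=5555 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP IN=\S+ SRC=(?P<src>\S+) DST=\S+ "
    r"PROTO=TCP DPT=(?P<dpt>\d+) SYN$"
)

def parse_drops(text):
    """Yield (timestamp, source, dport) for every dropped inbound TCP SYN."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])

# Ports that attract ordinary Internet background scanning; excluded so the
# check keys on an unusual closed port, which is the pattern described above.
NOISY_PORTS = frozenset({22, 23, 80, 443, 445, 3389})

def find_decoy_ports(text, min_sources=3, window_seconds=300):
    """Return {dport: sorted distinct sources} for closed ports that saw SYNs
    from at least `min_sources` distinct addresses inside one time window:
    many unrelated hosts converging on one closed high port, not one scanner."""
    by_port = defaultdict(list)
    for ts, src, dport in parse_drops(text):
        if dport not in NOISY_PORTS:
            by_port[dport].append((ts, src))
    flagged = {}
    for dport, events in by_port.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide a window over the timeline
            in_window = {s for t, s in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(in_window) >= min_sources:
                flagged[dport] = sorted({s for _, s in events})
                break
    return flagged
```

A hit on this check only says the address is receiving converging traffic it never solicited; confirming a hijack still means asking the provider whether the same downstream IP is being answered by a second station.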

