Satellite communication underpins much of what we take for granted today -- television, radio and Internet connections. If the same techniques are implemented by other groups, this does not bode well for cybersecurity firms attempting to track down and stop criminal groups.
Turla is an advanced persistent threat (APT) group which has been in operation for at least eight years. The hackers have infected hundreds of computer systems in over 45 countries, including Russia, China, Vietnam and the United States.
Governments, embassies, military groups, educational facilities, researchers and the pharmaceutical industry are all targets of Turla, which is believed to originate in Russia because of clues in its code: Russian-language artefacts and mistakes peppering the English used in its scripts.
The group infects its victims through zero-day exploits, social engineering and watering hole techniques. If high-profile victims are targeted, an extensive satellite-based communication mechanism is used to wipe away any trace or evidence of the attack.
In areas where satellite-based Internet connections are common -- such as rural or remote locations -- the most inexpensive option is a downstream-only connection. In this widely used setup, the traffic sent back down to the user's PC is unencrypted. Turla exploits this weakness to hide the location of its Command and Control (C&C) servers, which are used to send malicious commands to infected systems.
If a C&C server is tracked, law enforcement and security firms can often unravel the rest of a malicious infrastructure based on the analysis of the heart of the system.
Turla knows this, and to prevent discovery, will "listen" to the downstream to identify active IP addresses of users currently connected. Turla then selects an online IP address to mask the true address of the C&C server without the legitimate user's knowledge.
Finally, machines infected by Turla's malware are instructed to exfiltrate data towards the chosen IPs of regular satellite-based Internet users.
"Once an IP address that is routed through the satellite's downstream link is identified, the attackers start listening for packets coming from the internet to this specific IP. When such a packet is identified, for instance a TCP/IP SYN packet, they identify the source and spoof a reply packet (e.g. SYN ACK) back to the source using a conventional Internet line," the researchers wrote.
While the legitimate satellite user will also receive these packets, they are unlikely to notice, because Turla instructs the infected machines to send them to ports which are generally closed by default. As a result, the user's system simply drops the packets.
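As an added defender-side illustration (not code from the article or from Kaspersky's research), the Python sketch below shows how a network sensor could flag the pattern just described: an internal host completing a TCP handshake, and then sending data, to an address in satellite-downstream space on a port a genuine subscriber would have closed. The log format, the address prefix and the port list are constructed assumptions.

```python
import ipaddress

# Constructed placeholder prefix standing in for address space a defender has
# mapped to one-way satellite downstream providers; a real list would come from
# the organisation's own threat intelligence or the satellite ISPs' allocations.
SATELLITE_DOWNSTREAM = [ipaddress.ip_network("198.51.100.0/24")]
# Services an internal host is expected to reach in that space (web browsing).
EXPECTED_PORTS = {80, 443}

# Constructed sample log. Each line is normalised to the internal host's
# perspective: "<internal_host> <remote_ip> <remote_port> <event>", where
# event is SYN (we sent), SYNACK (we received) or DATA (we sent payload).
SAMPLE_LOG = """\
10.0.0.5 198.51.100.23 443 SYN
10.0.0.5 198.51.100.23 443 SYNACK
10.0.0.5 198.51.100.23 443 DATA
10.0.0.7 198.51.100.41 5530 SYN
10.0.0.7 198.51.100.41 5530 SYNACK
10.0.0.7 198.51.100.41 5530 DATA
10.0.0.9 203.0.113.8 8080 SYN
10.0.0.9 203.0.113.8 8080 SYNACK
10.0.0.9 203.0.113.8 8080 DATA
10.0.0.3 198.51.100.77 6000 SYN
""".splitlines()

def in_satellite_space(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SATELLITE_DOWNSTREAM)

def find_suspect_sessions(lines):
    """Flag sessions to a satellite-downstream IP on an unexpected port where the
    three-way handshake completed and payload followed. A genuine subscriber with
    that port closed would never answer, so a completed handshake means someone
    else is replying on the subscriber's behalf, which is the hijack described."""
    progress = {}          # (host, remote, port) -> set of events seen so far
    suspects = []
    for line in lines:
        host, remote, port, event = line.split()
        port = int(port)
        if not in_satellite_space(remote) or port in EXPECTED_PORTS:
            continue
        key = (host, remote, port)
        seen = progress.setdefault(key, set())
        seen.add(event)
        if {"SYN", "SYNACK", "DATA"} <= seen and key not in suspects:
            suspects.append(key)
    return suspects
```

Only the session from 10.0.0.7 is flagged: the port-443 session is expected traffic, the 203.0.113.8 session is outside satellite space, and 10.0.0.3's lone SYN to a closed port got no reply, which is what a real subscriber's machine would do.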
Stefan Tanase, senior security researcher at Kaspersky Lab, commented:
"In the past, we've seen at least three different actors using satellite-based Internet links to mask their operations. Of these, the solution developed by the Turla group is the most interesting and unusual.
They are able to reach the ultimate level of anonymity by exploiting a widely used technology - one-way satellite Internet. The attackers can be anywhere within range of their chosen satellite, an area that can exceed thousands of square kilometers.
This makes it almost impossible to track down the attacker. As the use of such methods becomes more popular, it's important for system administrators to deploy the correct defense strategies to mitigate such attacks."
In related news, last week researchers claimed that both FireEye and Kaspersky products contained critical zero-day flaws. Kaspersky rolled out a global fix within 24 hours of being notified, and is currently working with one of the researchers to patch a number of other undisclosed vulnerabilities.