Russian Hackers Piggyback Satellites To Steal Data

Tom Jowitt,
ESA satellite

Kaspersky may have discovered Russian government spies using satellites

Russian-speaking hackers are apparently using satellites to intercept military and diplomatic data, and are using very sophisticated techniques to cover their tracks.

This is the assertion from Moscow-based cybersecurity firm Kaspersky Lab, which has labelled the Russian-speaking hacker group Turla.

Satellite Hiding

Turla is a sophisticated cyberespionage group that has been active for more than 8 years,” Kaspersky said. “Types of organisations that have been affected include government institutions and embassies, as well as military, education, research and pharmaceutical companies.”

But now Kaspersky has discovered that Turla is “hiding in the sky”, as the hacker group is using security weaknesses in global satellite networks to evade detection of its activity as well as mask its physical location.

MICROSOFTKaspersky explained how satellites, besides providing TV services and secure communications, are used for Internet access as well, often in remote locations. But this is where Turla is able to exploit a weaknesses with Internet via satellite.

“One of the most widespread and inexpensive types of satellite-based Internet connection is a so-called downstream-only connection,” said Kaspersky. “In this case, outgoing requests from a user’s PC are communicated through conventional lines (a wired or GPRS connection), with all the incoming traffic coming from the satellite. This technology allows the user to get a relatively fast download speed. However, it has one big disadvantage: all the downstream traffic comes back to the PC unencrypted.”

This allows a rogue user, with the right inexpensive gear, to simply intercept the traffic and get access to all the data that users of these links are downloading. What Turla does is exploit this weakness and use it to hide the location of its Command and Control servers (C&C).

IP Hijacking

According to Kaspersky, the hackers first “listens” to the downstream from the satellite to identify active IP addresses of satellite-based Internet users who are online at that moment. They then choose an online IP address to be used to mask a C&C server, without the legitimate user’s knowledge.

“The infected machines are then instructed to exfiltrate data towards the chosen IPs of regular satellite-based Internet users,” said Kaspersky. “The data travels through conventional lines to the satellite Internet provider’s teleports, then up to the satellite, and finally down from the satellite to the users with the chosen IPs.”

Turla tends to use satellite Internet connection providers located in Middle Eastern and African countries, after Kaspersky experts spotted it using IPs of providers located in countries such as Congo, Lebanon, Libya, Niger, Nigeria, Somalia or the UAE.

“In the past, we’ve seen at least three different actors using satellite-based Internet links to mask their operations,” said Stefan Tanase, Senior Security Researcher at Kaspersky Lab. “Of these, the solution developed by the Turla group is the most interesting and unusual. They are able to reach the ultimate level of anonymity by exploiting a widely used technology – one-way satellite Internet.”

“The attackers can be anywhere within range of their chosen satellite, an area that can exceed thousands of square kilometers,” said Tanase. “This makes it almost impossible to track down the attacker. As the use of such methods becomes more popular, it’s important for system administrators to deploy the correct defense strategies to mitigate such attacks.”

The sophisticated techniques used by Turla may prompt questions as to whether Moscow-based Kaspersky has unwittingly uncovered the attack vectors used by state-sponsored hackers.

Are you a security pro? Try our quiz!