Russian hacker group Turla is hijacking satellite links for its command-and-control (C&C) infrastructure, security firm Kaspersky reports after an investigation. In this way the group makes it virtually impossible to trace its C&C servers.
The Turla group listens to the satellite downstream (the signal from the satellite to subscribers' dishes) to identify the IP addresses of Internet users whose connections run via satellite and who are online at that moment. The group then points the hostname of a C&C server at one of those addresses. Traffic from infected machines addressed to that IP, such as data exfiltrated by its implants, is routed by the satellite provider over the satellite link, like any other traffic for that subscriber. Because the hostnames are registered with dynamic DNS hosting, the group can switch the IP address the traffic goes to at will. The subscriber's system ignores the data, since it arrives on a port the system is not listening on, but the Turla group can pick it up from the satellite's downstream link.
Internet users in remote areas often use satellite connections for the downstream only, because this is relatively cheap. Outgoing traffic from the user's system travels over a conventional terrestrial line, while incoming traffic arrives via satellite. The downstream, however, is broadcast unencrypted to everyone within the satellite's footprint, so anyone with a dish and a suitable receiver card can intercept it.
Turla mainly uses IP addresses of satellite Internet providers in the Middle East and Africa, according to Kaspersky. The satellites serving these regions often do not cover Europe or the United States, which makes the C&C servers harder to locate, since a researcher would have to be inside the footprint to listen in. Criminal groups usually hide their C&C servers behind proxies, but persistent investigative authorities can often uncover the real location with the cooperation of the hosting company. A hijacked satellite address, by contrast, leads only to an unwitting subscriber.
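The following Python model is an added example, not Kaspersky's code or anything from the Turla toolset. It walks through the hijack described in the three preceding paragraphs (listening to the downstream for active addresses, pointing a dynamic-DNS name at one of them, and picking the infected machine's traffic out of the broadcast while the subscriber's own system drops it) and ends with a defender-side check. Every address range, hostname, port and log line in it is constructed for illustration; the `203.0.113.0/24` "satellite range" is a documentation block, not a real provider's space, and the dynamic-DNS heuristic is an assumption about what such traffic looks like, not a published indicator.

```python
"""Model of the satellite C&C hijack (added example; all data constructed)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed: one satellite ISP's downstream range and one dynamic-DNS zone.
SAT_DOWNSTREAM = ipaddress.ip_network("203.0.113.0/24")   # TEST-NET-3, constructed
DYN_DNS_ZONE = "example-dyndns.test"                        # constructed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def downstream_feed(packets):
    """The beam carries every packet whose destination is in the ISP's
    downstream range, unencrypted, to every receiver in the footprint."""
    return [p for p in packets if ipaddress.ip_address(p.dst) in SAT_DOWNSTREAM]


def active_ips(feed):
    """Step 1 (attacker): count destination addresses seen on the downstream;
    an address that is receiving traffic belongs to a subscriber who is online."""
    return Counter(p.dst for p in feed)


def legit_host(open_ports):
    """A subscriber's terminal: accepts packets for ports it listens on and
    drops the rest.  The attacker deliberately picks a port it will not answer."""
    def handle(p):
        return "accepted" if p.dport in open_ports else "dropped"
    return handle


def attacker_sniffer(feed, hijacked_ip, cc_port):
    """Step 3 (attacker): the same broadcast feed, filtered for traffic aimed at
    the hijacked address on the port the C&C hostname advertises."""
    return [p.payload for p in feed if p.dst == hijacked_ip and p.dport == cc_port]


def simulate():
    # Constructed background traffic: two subscribers browsing the web.
    background = [
        Packet("198.51.100.10", "203.0.113.25", 51000, b"HTTP/1.1 200 OK"),
        Packet("198.51.100.11", "203.0.113.77", 51001, b"HTTP/1.1 200 OK"),
        Packet("198.51.100.10", "203.0.113.25", 51002, b"<html>..."),
    ]
    seen = active_ips(downstream_feed(background))
    hijacked = seen.most_common(1)[0][0]          # a subscriber who is online now
    # Step 2: the dynamic-DNS record for the C&C name now points at that subscriber.
    cc_name = f"update.{DYN_DNS_ZONE}"
    dyn_dns = {cc_name: hijacked}
    cc_port = 48123                                # constructed: a port the subscriber ignores
    # An infected machine resolves the name and beacons to it; the ISP routes the
    # packet onto the satellite because the destination is in its downstream range.
    bot = Packet("192.0.2.50", dyn_dns[cc_name], cc_port, b"BEACON id=42")
    feed = downstream_feed(background + [bot])
    subscriber = legit_host(open_ports={51000, 51002})
    return {
        "hijacked_ip": hijacked,
        "subscriber_verdict": subscriber(bot),
        "attacker_received": attacker_sniffer(feed, hijacked, cc_port),
    }


def flag_satellite_cc(log_lines):
    """Defender heuristic (assumption, not a published indicator): a dynamic-DNS
    name resolving into a satellite ISP's downstream range is worth a look,
    because such an address normally belongs to a subscriber's terminal, not to
    a server anyone would legitimately point a hostname at.
    Constructed log format: "<qname> A <answer>"."""
    hits = []
    for line in log_lines:
        name, _, addr = line.split()
        if name.endswith("." + DYN_DNS_ZONE) and ipaddress.ip_address(addr) in SAT_DOWNSTREAM:
            hits.append((name, addr))
    return hits


if __name__ == "__main__":
    print(simulate())
    print(flag_satellite_cc(["update.example-dyndns.test A 203.0.113.25",
                             "www.example.com A 198.51.100.5"]))
```

Running `simulate()` shows the asymmetry the article relies on: the subscriber's verdict is "dropped" while the sniffer still returns the beacon, because the two parties see the same broadcast but only one of them is looking for it. The detection check at the end needs a list of the satellite providers' ranges that are relevant to your environment; the block uses a single constructed range only so that it runs offline.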
According to Kaspersky, Turla mainly targets government organizations, educational institutions and research companies. The security company has previously stated that the group uses sophisticated malware tools.