Kaspersky has uncovered evidence of nation-state hackers using satellite communications to hide the location and activities of advanced persistent threat (APT) malware campaigns.
The security firm said it has uncovered evidence that one of the groups is "Russian-speaking" and uses the infamous Turla malware; it has dubbed this group Turla.
Kaspersky said that using satellites means that the APTs are almost impossible to shut down as the infrastructure is untraceable. This is a major benefit for the hackers as normal command and control (C&C) servers can usually be shut down by law enforcement.
“When you are an APT group, you need to deal with many different problems. One of them, and perhaps the biggest, is the constant seizure and takedown of domains and servers used for C&C,” wrote Stefan Tanase, senior security researcher at Kaspersky, in a blog post.
“These servers are constantly appropriated by law enforcement or shut down by ISPs. Sometimes they can be used to trace the attackers back to their physical locations.”
But the Turla group has been able to remain virtually undetected for almost eight years by using a Digital Video Broadcasting (DVB) satellite provider covering the Middle East and Africa.
“Although relatively rare, since 2007 several elite APT groups have been using and abusing satellite links to manage their operations, most often their C&C infrastructure. Turla is one of them,” said Tanase.
He explained that the hijack works by latching onto the satellite downlink traffic destined for the active IP addresses of legitimate subscribers.
The hackers take advantage of the fact that the satellite downlink is not encrypted: anything sent to a subscriber's IP is broadcast over the satellite footprint, so it reaches both the legitimate user and the hackers listening on the same beam.
The user never notices this because the hackers direct the traffic at an unused port on the legitimate user's device. A closed port would normally trigger a bounce back (a reset or error response), but on slow links such as satellite connections the user's firewall usually just ignores the unexpected packets and drops them silently rather than replying.
Meanwhile, the hackers' machine, masquerading as the legitimate IP of the user, receives the same data. The image below shows this in operation (stage one is on the right-hand side), as does the video embedded at the bottom of this page.
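The detection angle for the subscriber or ISP on the receiving end of this scheme is the traffic pattern itself: a stream of inbound packets arriving at ports the host never answers. The following heuristic over flow records is an added illustration, not Kaspersky's or Turla's code; the record layout, the subscriber address 203.0.113.10 and the flows are all constructed for the example.

```python
"""Flag sources sending sustained one-way traffic to ports a host never answers.

From the legitimate satellite subscriber's vantage point, a third party using
its IP as a downlink receiver shows up as inbound data to closed ports that the
firewall silently drops, so the flow never carries a single reply packet.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets_in: int   # packets from src to dst
    packets_out: int  # packets from dst back to src (0 = never answered)


# Constructed sample flow records; 203.0.113.10 is the hypothetical subscriber.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 443, "203.0.113.10", 52311, 40, 38),   # normal HTTPS session
    Flow("192.0.2.44", 51234, "203.0.113.10", 80, 3, 3),        # served web request
    Flow("192.0.2.99", 40001, "203.0.113.10", 61234, 120, 0),   # one-way burst, closed port
    Flow("192.0.2.99", 40002, "203.0.113.10", 61235, 95, 0),
    Flow("192.0.2.99", 40003, "203.0.113.10", 61236, 210, 0),
    Flow("192.0.2.77", 12345, "203.0.113.10", 22, 1, 1),        # single answered probe
]


def one_way_inbound(flows, local_ip, min_packets=10):
    """Inbound flows to local_ip that carried data but were never answered."""
    return [f for f in flows
            if f.dst_ip == local_ip and f.packets_out == 0
            and f.packets_in >= min_packets]


def suspicious_sources(flows, local_ip, min_ports=2, min_packets=10):
    """Sources that keep pushing substantial traffic to several unanswered ports.

    A single unanswered flow is ordinary background noise; the same source
    repeatedly filling closed ports with data is the pattern worth alerting on.
    """
    ports_by_src = defaultdict(set)
    packets_by_src = defaultdict(int)
    for f in one_way_inbound(flows, local_ip, min_packets):
        ports_by_src[f.src_ip].add(f.dst_port)
        packets_by_src[f.src_ip] += f.packets_in
    return {src: {"ports": sorted(ports), "packets": packets_by_src[src]}
            for src, ports in ports_by_src.items() if len(ports) >= min_ports}
```

On real data the thresholds would be tuned against the link's baseline, since port scans also produce unanswered flows but rarely with this much payload per port.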
Tanase explained that the hackers seem to operate for a few months at a time before ceasing operations in a given area, either owing to self-imposed restrictions to avoid detection or because they are shut down.
He added that it is surprising more hackers do not use the satellite technique, as it is cheap to set up and maintain and, as noted, makes it easy to remain undetected for long periods.
"To implement this attack methodology, the initial investment is less than $1,000. Regular maintenance should be less than $1,000 per year," said Tanase.
"Even though this method provides an unmatched level of anonymity, for logistical reasons it is more straightforward to rely on bullet-proof hosting, multiple proxy levels or hacked websites."
However, while the use of satellite communications has many benefits for the hackers, there are some downsides, such as the slow and often unstable connections that satellite links usually provide.