Russian hackers Turla hijacking satellites to hide servers

10 Sep 2015

A team of Russian hackers known as Turla has been found to have been hijacking legitimate satellite internet connections to mask the location of its command-and-control (C&C) servers.

Turla – also known in some circles as Snake and Uroburos – is one of Russia’s largest cyber-espionage groups and, based on the latest evidence, its attempts to hide from the authorities have gone into orbit.

According to Kaspersky Lab, Turla are exploiting people using satellite internet connections in areas with poor broadband access as the information it sends and receives from satellites is easily monitored by someone with the right software and intent.

By identifying the satellite internet connection user’s IP address, Turla has been able to hijack that person’s connection and hide its malicious code within packets sent to and from the satellite.

In doing so, Turla’s location is practically untraceable given that it only shows the IP address of the person it is exploiting, making it far safer, for them at least, than traditional virtual private networks (VPNs).

Explaining it further, Kaspersky Lab’s senior security researcher, Stefan Tanase, said: “[Satellite internet] allows the user to get a relatively fast download speed; however, it has one big disadvantage: all the downstream traffic comes back to the PC unencrypted.

“Any rogue user with the right set of inexpensive equipment and software could simply intercept the traffic and get access to all the data that users of these links are downloading.”

Once it is infected on one person’s computer, other users on the same network are then infected, further masking Turla’s C&C servers.

From Kaspersky Lab’s analysis, the IP addresses being used by Turla appear to be based across the Middle East and Africa where the targeted satellites have access to, leaving Europe and North America out of range.

Kaspersky Labs Africa

The hotspots of where Turla’s fake IP addresses appear. Image via Kaspersky Labs

The biggest worry, the security researchers said, is that given the cost of running such a satellite hacking service is as little as U$1,000 per year, it is surprising that more malicious groups are not using the ‘epic backdoor’ method.

“Considering how easy and cheap this method is, it is surprising that we have not seen more APT groups using it,” the team said.

“Even though this method provides an unmatched level of anonymity for logistical reasons it is more straightforward to rely on bulletproof hosting, multiple proxy levels or hacked websites.”

Satellite dish image via Shutterstock

Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com