Turla in the sky with satellites: cyber-espionage group hides C&C server locale

Kaspersky Lab claims to have pinpointed how the Turla cyber-espionage group has been able to hide its command and control servers for the past eight years.

Artist's impression of a communications satellite in orbit. (Orbital Sciences)
Artist's impression of a communications satellite in orbit. (Orbital Sciences)

A Russian-speaking APT, Turla, which is suspected of high-level cyber-espionage has been able to hide its command and control (C&C) servers from discovery by exploiting a kink in down-stream only satellite communications technology.

Satellites are mostly known for TV broadcasting and secure communications via satellite phones, but they can also provide access to the internet,  a boon for anyone living in the middle of nowhere who needs a moderately fast connection.

Using relatively old satellite transponders, it is possible to provide a data downlink to service many customers within the satellite's broadcast footprint which can cover entire continents. Outgoing requests to the satellite internet service are carried over conventional lines, wired or GPRS, while the incoming traffic is relayed via the satellite – albeit in an unencrypted format.  

As detailed in a paper presented at Black Hat in 2010, a rogue user can intercept the traffic and read the data from these downlinks.

Interesting if you want to read the email of a farmer in the Congo but not much use to an attacker who is interested in controlling a worldwide botnet except for the fact that the attacker can, by spoofing the upstream signal, subvert this system to hide the location of his C&C server.

The attacker starts by listening to the downstream signal to find active IP addresses of satellite internet users who are online at that moment. Without the user's knowledge, they choose one of those IP addresses as the mask for their C&C server. Infected machines are then instructed to send their data to the chosen IP address.

The data travels by normal means to the satellite internet provider's teleports, up to the satellite and then down to the waiting users.

The innocent user is unlikely to even notice the data coming in because the Turla attackers have had the data sent to ports which are seldom used and often closed by default on most systems. While the innocent user drops those packets, Turla keeps those ports open and sucks up the data and also sends the expected responses back to the satellite internet provider to fool them into thinking the packets have arrived safely.

Turla satellite map from Kaspersky Lab

Kaspersky says that Turla favours satellite providers who cover Africa and the Middle East. The exact reason for this is not known but it makes it difficult for researchers outside these areas to study the attacks.

“They are able to reach the ultimate level of anonymity by exploiting a widely used technology – one-way satellite internet,” said Stefan Tanase, senior security researcher at Kaspersky Lab. “The attackers can be anywhere within range of their chosen satellite, an area that can exceed thousands of square kilometres.”

Turla is an advanced persistent threat (APT) which Kaspersky Lab has studied for several  years. From code snippets, they have deduced that they are Russian speakers. Their targets tend to be government agencies, embassies and research and development departments in high-value companies especially the pharmaceutical industry.

While these are all classic targets for cyber-espionage, Tanase refused to be drawn on which government, if any, could be behind this group.

Hacking satellites has a number of advantages and disadvantages, Tanase noted. The classic problem for attackers is how to hide their IP addresses, because once discovered, this quickly leads to the physical location of key hardware. Hiding behind proxy servers or using TOR only works for so long, so it's a testament to the success of this technique that Turla has managed to remain hidden for more than eight years.

“Using this satellite-based IP abuse technique means is they won't find the servers – ever,” said Tanase.

There is little that can be done to combat the problem, he says, because the satellite transponders were built with an inherent weakness – they don't support encryption – and they are beyond reach of repair now. As Tanase noted, the problem will be solved over time as these satellites are retired and replaced by newer models that support encrypted communications.

The drawback of this technique from the attacker's point of view is the connection speed which is slower than a typical broadband connection and the issue of reliability. Because they are piggybacking on another user's connection, when the user logs off, the connection is terminated.