If you're a state-sponsored hacker siphoning data from targeted computers, the last thing you want is for someone to locate your command-and-control server and shut it down, halting your ability to communicate with infected machines and steal data.
So the Russian-speaking spy gang known as Turla has found a solution to this—hijacking the satellite IP addresses of legitimate users to use them to steal data from other infected machines in a way that hides their command server. Researchers at Kaspersky Lab have found evidence that the Turla gang has been using the covert technique since at least 2007.
Turla is a sophisticated cyber-espionage group, believed to be sponsored by the Russian government, that has for more than a decade targeted government agencies, embassies, and militaries in more than 40 countries, including Kazakhstan, China, Vietnam, and the U.S., but with a particular emphasis on countries in the former Eastern Bloc. The Turla gang uses a number of techniques to infect systems and steal data, but for some of its most high-profile targets, the group appears to use a satellite-based communication technique to help hide the location of their command servers, according to Kaspersky researchers.
Ordinarily, hackers will lease a server or hack one to use as a command station, sometimes routing their activity through multiple proxy machines to hide the location of the command server. But these command-and-control servers can still often be traced to their hosting provider and taken down and seized for forensic evidence.
“The C&C servers are the central point of failure when it comes to cybercrime or espionage operations, so it’s very important for them to hide the physical location of the servers,” notes Stefan Tanase, senior security researcher with Kaspersky.
Hence the method used by the Turla hackers, which Tanase calls “exquisite” because it allows the attackers to hide their command server from researchers and law enforcement agencies who would seize them. Satellite internet providers cover a wider geographical area than standard internet service providers—satellite coverage can extend for more than 1,000 miles and span multiple countries and even continents—so tracking the location of a computer using a satellite IP address can be more difficult.
“[This technique] essentially makes it impossible for someone to shut down or see their command servers,” Tanase says. “No matter how many levels of proxies you use to hide your server, investigators who are persistent enough can reach the final IP address. It’s just a matter of time until you get discovered. But by using this satellite link, it’s almost impossible to get discovered.”
Satellite internet connectivity is an old-school technology—people have been using it for at least two decades. It’s popular in remote regions where other methods of connectivity are not available or where high-speed connections are not offered.
One of the most widespread and least expensive types of satellite connectivity is downstream-only, which people will sometimes use for faster downloads, since satellite connections tend to provide larger bandwidth than some other connection methods. Traffic coming out of the user’s computer will go through a dial-up or other connection, while traffic coming in goes through the satellite connection. Because this satellite communication isn’t encrypted, hackers can point an antenna at the traffic to intercept the data or, in the case of the Turla hackers, determine the IP address of a legitimate satellite user in order to hijack it.
Such vulnerabilities in the satellite system were made public in 2009 and 2010 in separate presentations at the Black Hat security conference. But the Turla hackers appear to have been using the vulnerabilities to hijack satellite connections since at least 2007. Kaspersky researchers found a sample of their malware that appears to have been compiled that year. The malware sample contained two hardcoded IP addresses for communicating with a command server—one of them an address that belonged to a German satellite internet provider.
To use a hijacked satellite connection for exfiltrating data, the attacker first infects a targeted computer with malware that contains a hardcoded domain name for his command server. But instead of the domain name using a static IP address, the hackers use what’s known as dynamic DNS hosting, which allows them to change the IP address for a domain at will.
The attacker then uses an antenna to pick up satellite traffic in his region and collects a list of IP addresses belonging to legitimate satellite users. He can then configure the domain name for his command server to use one of the satellite IP address. The malware on infected computers will then contact the legitimate satellite internet user’s IP address to initiate a TCPIP connection, but that user’s machine will drop the connection since the communication isn’t intended for it. The same request, however, will also go to the attackers’ command-and-control computer, which is using the same IP address, which will reply to the infected machine and establish a communication channel to receive data siphoned from the infected machine. Any data that gets siphoned from the infected machine will also go to the innocent user’s system, but that system will simply drop it.
Tanase says the legitimate satellite user won’t notice that his satellite connection has been hijacked unless he checks his log files and notices that packets are being dropped by his satellite modem. “He will see some requests that he didn’t ask for,” Tanase says. “But it will just look like internet noise,” rather than suspicious traffic.
The method isn’t reliable for long-term exfiltration of data, since these satellite internet connections are one-way and can be very unreliable. The attacker will also lose the satellite connection once the innocent user whose IP address he has hijacked goes offline. “This is why we believe they only use it on the most high-profile targets,” Tanase says, “when anonymity is essential. We don’t see them using it all the time.”
The researchers saw the Turla hackers communicating through satellite connections around the world, but most of their activity concentrated in two specific regions. “They seem to have a preference for using IP ranges assigned to providers in the Middle East and African regions—the Congo, Nigeria, Lebanon, Somalia, and the United Arab Emirates,” says Tanase.
The hijacking isn’t that expensive to accomplish, either. All it requires is a satellite dish, some cable, and a satellite modem, all of which cost about $1,000.
It’s not the first time the Kaspersky researchers have seen groups using satellite connections for command servers. Tanase says Hacking Team, the Italy-based firm that sells surveillance tools to law enforcement and intelligence agencies, also has used satellite IP addresses for the command-and-control servers that communicate with its software. But in these cases, the internet connections appear to have been purchased by Hacking Team’s law enforcement subscribers. The Turla group has used so many different satellite IP address that Tanase says it’s clear they’re hijacking them from legitimate users.
Tanase says the technique, if adopted by criminal gangs in the future, will make it harder for law enforcement agencies and researchers to track command servers and shut them down.
Also in Wired: