
APT group exploits global satellite networks

By Staff Writer, ITWeb
Johannesburg, 10 Sept 2015
Should this method grow in popularity among APT groups, the security community will have a serious problem on its hands, says Kaspersky Lab.

Kaspersky Lab researchers have discovered how a notorious cyber espionage attacker, Turla, is evading detection of its activities and location - exploiting weaknesses in global satellite networks.

Turla, also known as Snake or Uroburos - names which come from its top-class rootkit - is a sophisticated cyber espionage group that has been active for over eight years, targeting government institutions and embassies, as well as military, education, research and pharmaceutical companies, and infecting hundreds of computers in more than 45 countries, including Russia, China and the US.

Stefan Tanase, senior security researcher at Kaspersky Lab, says in the initial phase of the attack, the group employs backdoor malware dubbed 'Epic' to profile victims. Once high profile targets have been identified, the attackers use an extensive satellite-based communication mechanism in the later stages of the attack, which helps them cover their tracks.

"When you are an APT group, you need to deal with many different problems. One of them, and perhaps the biggest, is the constant seizure and takedown of domains and servers used for command-and-control (C&C)," says Tanase.

He says using satellite-based Internet links helps to mask their operations and solves this 'takedown' problem. The Turla group is particularly interesting, not just because of the complexity of its tools, and mechanisms designed to bypass air gaps through multi-stage proxy networks inside LANs, but the satellite-based C&C mechanism used in the latter stages of the attack.

He says since 2007, there have been instances of elite APT groups abusing satellite links to manage their operations, their C&C infrastructure in particular. "This approach offers several advantages, for example, making it hard to identify the operators behind the attack, but it also poses some to the attackers."

This method obscures the true location and hardware of the C&C server, making it hard to physically seize. "Satellite-based Internet receivers can be located anywhere within the area covered by a satellite, and this is generally quite large. The method used by the Turla group to hijack the downstream links is highly anonymous and does not require a valid satellite Internet subscription. On the down side, satellite-based Internet is slow and can be unstable."

Tanase says initially, it wasn't clear whether some of the links observed were commercial Internet connections via satellite bought by the criminals, which would be very expensive - a simple duplex 1Mbit up/down satellite link may cost up to $7 000 per week - or whether the attackers had breached the ISPs and performed man-in-the-middle attacks to hijack the network traffic between the victim and the satellite operator and to inject packets along the way.

He says the Turla group regularly used satellite-based Internet links that were up for several months, but never for too long, whether for operational security limitations self-imposed by the group or because of shutdown by other parties due to malicious behaviour.

"The technical method used to implement these Internet circuits relies on hijacking downstream from various ISPs and packet-spoofing. This is a method that is technically easy to implement, and provides a much higher degree of anonymity than possibly any other conventional method such as renting a VPS or hacking a legitimate server."

Moreover, Tanase says the initial investment for implementing this attack methodology is less than $1000, and would cost the same amount annually to maintain. "Considering how easy and cheap this method is, it is surprising that we have not seen more APT groups using it."

He says that despite the fact that this method offers an unprecedented level of anonymity, for logistical reasons alone it is still easier to employ bullet-proof hosting, multiple proxy levels or hacked Web sites. "The Turla group has been known to use all of these techniques, making it a very versatile, dynamic and flexible cyber-espionage operation."

According to Tanase, should this method grow in popularity among APT groups and other cyber criminal groups, the security community will have a serious problem on its hands.
