During researchs about the notorious Russian-speaking digital espionage agency Turla, Kaspersky Lab researchers discovered how it avoids detection of its activities and physicsof its location.
To ensure its anonymity, this particular group uses the vulnerabilities better safetys in global satellite networks.
Turla is an advanced digital espionage team active over 8 years. Attackers behind the Turla team have "polluted" hundreds of computers in more than 45 countries, including Kazakhstan, Russia, China, Vietnam and the United States.
Institutions affected include government bodies and embassies, military organizations, academic and research institutions, and pharmaceutical companies. At the initial stage, the backdoor Epic develops the profile of the victims. Then - and only for higher-level targets - the attackers use an extensive satellite-based communication mechanism in later stages of the attack to help them catch up with their traces.
Satellite communications are mainly known as a tool for broadcasting television signals and for secure communications. However, they are also used to provide Internet access. These services are mainly used in remote locations, where all other types of Internet access are either unstable or late or are not available to everyone. One of the most common and cheap types of satellite Internet connections is the so-called one-way satellite connection, which only allows downloading.
In this case, outgoing requests from a user's computer are shared over conventional lines (wired or GPRS connection), with all incoming traffic coming from the satellite.
This technology allows the user to have a relatively fast download speed. However, it has a big disadvantage: the set of downstream traffic returns to the computer without encryption. Any unscrupulous user who is in possession of appropriate and relatively inexpensive equipment and software could simply monitor the traffic and gain access to all data downloaded by users of these links.
The Turla team exploits this vulnerability in a different way, using it to hide the location of its Command & Control (C&C) servers, which are one of the most important parts of the malicious infrastructure.
The C&C server is essentially the "headquarters" of malware running on targeted machines. Finding out the location of such a server can lead researchers to discover details about the operator behind a business.
Below is the way the Turla team avoids these risks:
- The team first "listens" to downloading the data from the satellite in order to find active IP addresses of Internet users who are online at the moment.
- It then chooses an IP address to use to mask a C&C server, without the legitimate user knowing about it.
- Machines that have been "infected" by the Turla operator are then instructed to transfer the data to the selected IP addresses of the Satellite Internet users. The data travels through conventional lines in the Satellite Internet provider's tele-services, reaching up to the satellite and, finally, by the satellite they reach users with the selected IP addresses.
Interestingly, the legitimate user whose IP address has been used by attackers to obtain data from an "infected" machine will also receive these data packets, but will hardly notice them. This is because Turla attackers assign "infected" machines to send data to ports that, in most cases, are closed by default. Thus, the legitimate user's computer will simply reject these packages, while Turla's C&C server, which keeps these ports open, will receive and process the "stolen" data.
Still an interesting feature of Turla's tactics is that it tends to use Middle Eastern and African-based satellite Internet connection providers. In their research, Kaspersky Lab specialists have identified the Turla team using IP addresses of providers located in countries like Congo, Lebanon, Libya, Niger, Nigeria, Somalia or the United Arab Emirates.
Satellite beams used by providers in these countries usually do not cover areas in Europe and North America, which makes it very difficult to investigate such attacks for most security researchers.
"In the past, we have met at least three different operators using satellite links to cover their activities. Of these, the solution developed by the Turla team is the most interesting and unusual. It is able to reach the absolute level of anonymity, utilizing a widely used technology, the one-way satellite Internet. Attackers can be anywhere within the range of their chosen satellite, that is, within an area that can cover thousands of square kilometers, said Stefan Tanase, Senior Security Researcher of Kaspersky Lab. And he went on to comment: "This makes it almost impossible to locate the intruder. Since the use of these methods is becoming more and more popular, it is important for system operators to develop sound defense strategies to mitigate attacks. "
Kaspersky Lab products detect and block the malicious software used by the threatening agent Turla under the code names: Backdoor.Win32.Turla *, Rootkit.Win32.Turla *, HEUR: Trojan.Win32.Epiccosplay.gen and HEUR: Trojan .Win32.Generic.
For more information on the abuse mechanisms of the satellite links used by the Turla espionage group, and to see the Compromise Indicators you can visit the site Securelist.com.
Watch videos and learn more about how Kaspersky Lab products can help protect against Turla's activities in a special by clicking here the company's.
Also, more information on the activities of other Russian-speaking digital espionage teams is available in another special website of Kaspersky Lab.
For more information on exploring advanced targeted attacks, you can watch one short video of Kaspersky Lab.
