跳到主体内容

Turla Hiding in the Sky: Russian Speaking Cyberespionage Group Exploits Satellites to Reach the Ultimate Level of Anonymity

2015年9月10日

While investigating the infamous Russian-speaking cyberespionage actor Turla, Kaspersky Lab researchers have discovered how it’s evading detection of its activity and physical location. As a solution for anonymity, the group uses security weaknesses in global satellite networks.

While investigating the infamous Russian-speaking cyberespionage actor Turla, Kaspersky Lab researchers have discovered how it’s evading detection of its activity and physical location. As a solution for anonymity, the group uses security weaknesses in global satellite networks.

Turla is a sophisticated cyberespionage group that has been active for more than 8 years. The attackers behind Turla have infected hundreds of computers in more than 45 countries including Kazakhstan, Russia, China, Vietnam and the United States. Types of organizations that have been affected include government institutions and embassies, as well as military, education, research and pharmaceutical companies. At the initial stage, the Epic backdoor performs victim profiling. For only the most high profile targets, the attackers then use an extensive satellite-based communication mechanism in the later stages of the attack, which helps them to hide their traces.

Satellite communications are known mostly as a tool for TV broadcasting and secure communications; however, they are also used to provide access to the Internet. Such services are mostly used in remote locations where all other types of Internet access are either unstable and slow, or not available at all. One of the most widespread and inexpensive types of satellite-based Internet connection is a so-called downstream-only connection.

In this case, outgoing requests from a user’s PC are communicated through conventional lines (a wired or GPRS connection), with all the incoming traffic coming from the satellite. This technology allows the user to get a relatively fast download speed. However, it has one big disadvantage: all the downstream traffic comes back to the PC unencrypted. Any rogue user with the right set of inexpensive equipment and software could simply intercept the traffic and get access to all the data that users of these links are downloading.

The Turla group takes advantage of this weakness in a different way: by using it to hide the location of its Command and Control servers (C&C), one of the most important parts of the malicious infrastructure. The C&C server is essentially a “homebase” for the malware deployed on targeted machines. Discovering the location of such a server can lead investigators to uncover details about the actor behind an operation, so here’s how the Turla group is avoiding such risks:

  1. The group first “listens” to the downstream from the satellite to identify active IP addresses of satellite-based Internet users who are online at that moment.
  2. They then choose an online IP address to be used to mask a C&C server, without the legitimate user’s knowledge.
  3. The machines infected by Turla are then instructed to exfiltrate data towards the chosen IPs of regular satellite-based Internet users. The data travels through conventional lines to the satellite Internet provider’s teleports, then up to the satellite, and finally down from the satellite to the users with the chosen IPs.

Interestingly, the legitimate user whose IP address has been used by the attackers to receive data from an infected machine, will also receive these packets of data but will barely notice them. This is because the Turla attackers instruct infected machines to send data to ports that, in the majority of cases, are closed by default. So the PC of a legitimate user will simply drop these packets, while the Turla C&C server, which keeps those ports open, will receive and process the exfiltrated data.

Another interesting thing with the Turla actor tactics is that they tend to use satellite Internet connection providers located in Middle Eastern and African countries. In their research, Kaspersky Lab experts have spotted the Turla group using IPs of providers located in countries such as Congo, Lebanon, Libya, Niger, Nigeria, Somalia or the UAE.

Satellite beams that are used by operators in these countries usually do not cover European and North American territories, making it very hard for most of security researchers to investigate such attacks.

“In the past, we’ve seen at least three different actors using satellite-based Internet links to mask their operations. Of these, the solution developed by the Turla group is the most interesting and unusual. They are able to reach the ultimate level of anonymity by exploiting a widely used technology – one-way satellite Internet. The attackers can be anywhere within range of their chosen satellite, an area that can exceed thousands of square kilometers,” said Stefan Tanase, Senior Security Researcher at Kaspersky Lab. “This makes it almost impossible to track down the attacker. As the use of such methods becomes more popular, it’s important for system administrators to deploy the correct defense strategies to mitigate such attacks.”

Kaspersky Lab products successfully detect and block the malware used by the Turla threat actor with the following detection names:
Backdoor.Win32.Turla.*
Rootkit.Win32.Turla.*
HEUR:Trojan.Win32.Epiccosplay.gen
HEUR:Trojan.Win32.Generic

More information about the Turla targeted attacks is available to Kaspersky Security Intelligence Services customers. Contact: intelreports@kaspersky.com

Read more about the mechanisms for abusing of satellite-based Internet links used by the Turla cyberespionage group, and find Indicators of Compromise, on Securelist.com

Learn how Kaspersky Lab products can help protect against the Turla operation here: https://business.kaspersky.com/satellite-turla/

Learn more about other Russian-speaking cyber espionage operations here: https://apt.securelist.com/#secondPage/language=5

Learn how sophisticated targeted attacks are investigated: http://www.youtube.com/watch?v=FzPYGRO9LsA

Turla Hiding in the Sky: Russian Speaking Cyberespionage Group Exploits Satellites to Reach the Ultimate Level of Anonymity

While investigating the infamous Russian-speaking cyberespionage actor Turla, Kaspersky Lab researchers have discovered how it’s evading detection of its activity and physical location. As a solution for anonymity, the group uses security weaknesses in global satellite networks.
Kaspersky logo

关于卡巴斯基

卡巴斯基是一家成立于1997年的全球网络安全和数字隐私公司。卡巴斯基不断将深度威胁情报和安全技术转化成创新的安全解决方案和服务,为全球的企业、关键基础设施、政府和消费者提供安全保护。公司提供全面的安全产品组合,包括领先的端点保护解决方案以及多种针对性的安全解决方案和服务,以及用于应对复杂和不断变化的数字威胁的网络免疫解决方案。全球有超过4亿用户使用卡巴斯基技术保护自己,我们还帮助全球200,000家企业客户保护最重要的东西。要了解更多详情,请访问www.kaspersky.com.cn.

相关文章 企业新闻