{"id":9771,"date":"2015-09-09T09:00:47","date_gmt":"2015-09-09T13:00:47","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=9771"},"modified":"2023-07-04T07:34:41","modified_gmt":"2023-07-04T11:34:41","slug":"turla-apt-exploiting-satellites","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/turla-apt-exploiting-satellites\/9771\/","title":{"rendered":"Russian-speaking cyber spies exploit satellites"},"content":{"rendered":"<p>Turla APT group, also known as\u00a0Snake and Uroboros, is one of the most advanced threat actors in the world. This cyber espionage group has been active for more than 8 years, but little was known about its operations until last year, when we published our <a href=\"https:\/\/securelist.com\/analysis\/publications\/65545\/the-epic-turla-operation\/\" target=\"_blank\" rel=\"noopener\">Epic Turla research<\/a>.<\/p>\n<p>Specifically, this research included examples of language artifacts, showing that part of the Turla group are Russian speakers. 
These people employ codepage 1251, which is commonly used to render Cyrillic characters, and words like \u2018Zagruzchik,\u2019 which means \u201cboot loader\u201d in Russian.<\/p>\n<p>What makes the Turla group especially dangerous and difficult to catch is not just the complexity of its tools, but the <a href=\"https:\/\/securelist.com\/blog\/research\/72081\/satellite-turla-apt-command-and-control-in-the-sky\/\" target=\"_blank\" rel=\"noopener\">exquisite satellite-based command-and-control (C&amp;C) mechanism<\/a> implemented in the final stages of the attack.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">RT <a href=\"https:\/\/twitter.com\/rogeragrimes?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@rogeragrimes<\/a>: Kaspersky analysis of Epic Turla <a href=\"http:\/\/t.co\/jGQAVZylzu\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/jGQAVZylzu<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/499150872170225664?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 12, 2014<\/a><\/p><\/blockquote>\n<p>Command-and-control servers are the base of advanced cyber-attacks. At the same time, they are the weakest link in malicious infrastructure, and are always targeted by digital investigators and law enforcement agencies.<\/p>\n<p>There are two good reasons for that. Firstly, these servers are used to control all of the operations. If you could shut them down, you could disturb or even disrupt the cyber campaign. Secondly, C&amp;C servers can be used to trace attackers back to their physical locations.<\/p>\n<p>That\u2019s why threat actors are always trying to hide C&amp;C as deeply as possible. 
The Turla group has found a quite effective way to do it: they conceal the servers\u2019 IPs in the sky.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Epic Turla:massive <a href=\"https:\/\/twitter.com\/hashtag\/cyberespionage?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#cyberespionage<\/a> operation penetrates EU\/Mideast spy agencies via <a href=\"https:\/\/twitter.com\/kaspersky?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@kaspersky<\/a> <a href=\"http:\/\/t.co\/vmWvteVmq1\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/vmWvteVmq1<\/a> <a href=\"http:\/\/t.co\/1wuNL7SoFn\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/1wuNL7SoFn<\/a><\/p>\n<p>\u2014 Adolfo Hern\u00e1ndez (@Adolfo_Hdez) <a href=\"https:\/\/twitter.com\/Adolfo_Hdez\/status\/497634453666406400?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 8, 2014<\/a><\/p><\/blockquote>\n<p>One of the most widespread and inexpensive types of satellite-based Internet connection is a downstream-only connection. In this case, outgoing data from a user\u2019s PC is carried via conventional lines, wired or cellular, while all the incoming traffic comes from the satellite.<\/p>\n<p>However, this technology has one peculiarity: all the downstream traffic comes from the satellite to the PC unencrypted. Simply put, anyone can intercept the traffic. 
The Turla group uses this flaw in a new and quite interesting way: to hide their own C&amp;C traffic.<\/p>\n<p>What exactly they do is the following:<\/p>\n<ol>\n<li>They listen to the downstream from the satellite to identify active IP addresses of satellite-based Internet users who are online at that moment.<\/li>\n<li>Then they choose a number of currently active IP addresses to be used for masking a C&amp;C server without the legitimate user\u2019s knowledge.<\/li>\n<li>The machines infected by Turla get the instruction to send all the data to the chosen IPs. The data travels through conventional lines to the satellite and finally down from the satellite to the users with the chosen IPs.<\/li>\n<li>This data is dropped by legitimate users\u2019 PCs as garbage, while the threat actors pick it up from the downstream satellite connection.<\/li>\n<\/ol>\n<p>Since the satellite downstream covers a wide area, it\u2019s impossible to track where exactly the threat actors\u2019 receivers are physically based. 
To make this game of cat and mouse even harder, the Turla group tends to exploit satellite Internet providers located in Middle Eastern and African countries such as Congo, Lebanon, Libya, Niger, Nigeria, Somalia or the UAE.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/09\/06024210\/turla_map_of_satellites_.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-9774\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/09\/06024210\/turla_map_of_satellites_.png\" alt=\"Russian-speaking cyber spies from Turla APT group exploit satellites\" width=\"1088\" height=\"894\"><\/a><\/p>\n<p>Satellite beams that are used by operators in these countries usually do not cover European and North American territories, making it very hard for most security researchers to investigate such attacks.<\/p>\n<p>The attackers behind Turla have infected hundreds of computers in more than 45 countries, including Kazakhstan, Russia, China, Vietnam and the United States. Organizations of interest for the Turla group include government institutions and embassies, as well as military, education, research and pharmaceutical companies.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/09\/06024208\/Turla_Map_of_Targets1.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/09\/06024208\/Turla_Map_of_Targets1.png\" alt=\"Russian-speaking cyber spies from Turla APT group exploit satellites\" width=\"1468\" height=\"920\" class=\"aligncenter size-full wp-image-9788\"><\/a><\/p>\n<p>This was the bad news. 
The good news for our users is that <a href=\"https:\/\/www.kaspersky.com\/advert\/multi-device-security?redef=1&amp;THRU&amp;reseller=gl_KDpost_pro_ona_smm__onl_b2c_kasperskydaily_lnk____kismd___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Lab products<\/a> successfully detect and block the malware used by the Turla threat actor.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky Lab&#8217;s researchers have found that the Russian-speaking Turla APT group is exploiting satellites to mask its operation and to hide command-and-control servers.<\/p>\n","protected":false},"author":421,"featured_media":9773,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2683],"tags":[499,1238,1240,36,192,732,1239,422,1237],"class_list":{"0":"post-9771","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-apt","10":"tag-cyber-spies","11":"tag-epic","12":"tag-malware-2","13":"tag-protection","14":"tag-research","15":"tag-satellites","16":"tag-threats","17":"tag-turla"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/turla-apt-exploiting-satellites\/9771\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/turla-apt-exploiting-satellites\/5062\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/turla-apt-exploiting-satellites\/3526\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/turla-apt-exploiting-satellites\/5945\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/turla-apt-exploiting-satellites\/6210\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/turla-apt-exploiting-satellites\/6171\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/turla-apt-exploiting-satellites\/6581\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/turla-apt-exploit
ing-satellites\/8822\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/turla-apt-exploiting-satellites\/5662\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/turla-apt-exploiting-satellites\/6131\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/turla-apt-exploiting-satellites\/8845\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/turla-apt-exploiting-satellites\/8822\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/turla-apt-exploiting-satellites\/9771\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/turla-apt-exploiting-satellites\/9771\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/9771","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/421"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=9771"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/9771\/revisions"}],"predecessor-version":[{"id":48559,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/9771\/revisions\/48559"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/9773"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=9771"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=9771"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=9771"}],"curies":[{"name":"wp","href":"https
:\/\/api.w.org\/{rel}","templated":true}]}}