Satellite attack. How Turla Hackers Hijack Satellite Internet Channels

Father

Have you ever watched satellite TV and marvelled at the variety of TV channels and radio stations available? Ever wondered how satellite phones and satellite Internet links work? What if we told you that satellite Internet channels carry not only entertainment, traffic reports and the weather, but also much, much more?

APT groups have many problems to solve, and perhaps the biggest one is the frequent takedown and shutdown of domains and C&C servers. Every now and then servers are seized by law enforcement agencies, or shut down by Internet providers. Sometimes these servers are even used to determine the physical location of the attackers.

The most advanced criminal gangs and users of commercial hacking tools have solved the problem of server shutdowns by switching to satellite Internet links. We have already identified three different groups using satellite links to mask their campaigns. The most interesting and unusual of them is Turla.

The Turla group, also called Snake or Uroburos (after its top-notch rootkit), has been engaged in cyber espionage for over 8 years. Several articles have been devoted to this group's campaigns, but before Kaspersky Lab published its Epic Turla study, little was known about their details, for example about the first stages of infection following a watering-hole attack.

The Turla group is distinguished not only by the complexity of its toolkit, which includes the Uroburos rootkit (aka Snake) and mechanisms for bridging air gaps through multi-layer proxy servers on local networks, but also by the ingenious satellite-based command server mechanism used in the final stages of an attack.

In this article we want to shed some light on the satellite C&C mechanisms that APTs like Turla / Snake use to manage high-value victims. As these mechanisms become more and more popular, system administrators must develop the right strategy to defend against this type of attack. See the indicators of compromise (IOCs) in the appendix.


Technical features
Since 2007, the most advanced APT groups, including Turla, have made malicious, although relatively rare, use of satellite communications to manage their campaigns, most often for C&C infrastructure. This method provides some advantages (for example, it makes it difficult to identify the operators behind the attack), but it also creates certain risks for the attackers.

On the one hand, these benefits matter because the actual location and hardware of a conventional C&C server can be easily identified and physically seized. A satellite receiver, by contrast, can be located anywhere in the satellite's coverage area, which is usually quite large. The method used by the Turla group to hijack downstream channels is anonymous and does not require a satellite Internet subscription.

On the other hand, the disadvantage is the low speed and instability of the satellite Internet.

At first, we and other researchers could not figure out whether the attackers were leasing commercial satellite Internet links or hacking into ISPs and conducting man-in-the-middle (MitM) attacks at the router level to intercept traffic. We analyzed these mechanisms and came to a startling conclusion: the method used by the Turla group is incredibly simple and straightforward. At the same time, it provides anonymity and is very cheap to implement and manage.

Real channels, MitM attacks or BGP hijacking?
One way for APT groups to protect the traffic of their C&C servers is to rent satellite Internet channels. However, duplex satellite links are very expensive: a simple duplex satellite link at 1 Mbps in both directions can cost up to $7,000 per week. The price can be significantly lower with a long-term contract, but the bandwidth will still be expensive.

Another way for a C&C server to appear within a satellite Internet IP range is to intercept network traffic between the victim and the satellite operator and inject its own packets. This would require exploiting vulnerabilities at the satellite operator or at another Internet provider along the route.

Hijacking methods of this kind have already been encountered and were described on the Renesys blog (now part of Dyn) in November 2013.

From the Renesys blog: "BGP routes of various providers were hijacked, as a result of which part of their Internet traffic was misdirected through Belarusian and Icelandic Internet providers. We have at our disposal BGP routing data which shows, second by second, the development of 21 events in Belarus in February and May 2013 and 17 events in Iceland in July-August 2013."

In a later post on the Dyn blog in 2015, the researchers noted: "For security professionals reviewing alert logs, it is important to understand that IP addresses identified as sources of incidents can be spoofed, and are spoofed regularly. For example, an attack allegedly launched from a Comcast IP address in New Jersey could in fact be a hacker from Eastern Europe who briefly hijacked Comcast's IP address space. It is interesting to note that in all six cases considered, the attacks were carried out from Europe or Russia."

Obviously, such blatant large-scale attacks cannot last long, and longevity is one of the main requirements of an APT campaign. Therefore, a MitM attack by traffic interception is unlikely, unless the attackers directly control some high-bandwidth points of the network, for example backbone routers or fibre-optic links. There are some indications that attacks of this kind are gradually becoming more widespread, but there is a much simpler way to intercept satellite Internet traffic.


Hijacking a DVB-S satellite channel
Hijacking of DVB-S satellite channels has already been written about several times; at the BlackHat 2010 conference, S21Sec researcher Leonardo Nve Egea gave a presentation on hijacking satellite DVB links.

Hijacking satellite DVB-S channels requires:
- satellite dish, the size of which depends on the geographic location and the specific satellite
- satellite converter (LNB)
- special satellite DVB-S tuner (PCIe card)
- PC, preferably running Linux

The dish and LNB are more or less standard equipment; the most important component is the card. The best DVB-S cards are currently produced by TBS Technologies, and the TBS-6922SE may be the best entry-level card for this task.

[Image: PCIe TBS-6922SE card for receiving channels in the DVB-S standard]
The TBS card is especially suited to this task because it has dedicated Linux kernel-mode drivers and supports brute-force scanning, which allows wide frequency ranges to be scanned for signals of interest. Other PCI or PCIe cards can of course be used, but USB cards should be avoided, as in most cases they do not provide the required quality.

Unlike duplex satellite Internet, Internet downlinks are used only to speed up downloads; they are cheap and easy to install. At the same time, these channels are not protected in any way and do not use encryption to obfuscate traffic. This creates opportunities for malicious use.

Internet downlink providers use teleports to send traffic up to the satellite. The satellite transmits the traffic to specific areas on the ground in the Ku band (12-18 GHz), with specific IP classes routed through the teleports.

How is satellite Internet hijacked?
When attacking satellite Internet channels, the dishes of both legitimate users and attackers are pointed at the specific satellite transmitting the traffic. The attackers take advantage of the fact that the packets are not encrypted. After determining an IP address that is routed through the satellite downlink, the attackers begin listening on the link for packets sent over the Internet to this IP address. When they find such a packet (for example, a TCP/IP SYN), they identify its source and send it a spoofed response packet (for example, a SYN-ACK) over a regular Internet line.

In this case, the legitimate user of the channel simply ignores the original packet, since it arrives on a closed port (for example, 80 or 10080). An important note should be made here: usually, when a packet arrives on a closed port, the source is answered with an RST or FIN, making it clear that the packet was not expected. However, for slow links it is recommended to use firewalls that simply DROP packets destined for closed ports. This creates an opportunity for malicious use.
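The three-party exchange described above, as an added toy model that is not part of the original article: a victim host sends a SYN to an IP served by the satellite downlink, the legitimate subscriber and anyone else with a dish in the beam both see it, and the outcome depends on whether the subscriber's firewall silently DROPs packets to closed ports or answers with a RST. All addresses are constructed documentation addresses, and the ordering of replies is a stated modelling assumption.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst dport flags")   # flags: SYN, SYN-ACK or RST

class Victim:
    """Infected host trying to reach its C&C; handshake-only TCP states."""
    def __init__(self, ip):
        self.ip, self.state = ip, "CLOSED"
    def connect(self, dst, port):
        self.state = "SYN_SENT"
        return Pkt(self.ip, dst, port, "SYN")
    def receive(self, p):
        if self.state == "SYN_SENT" and p.flags == "SYN-ACK":
            self.state = "ESTABLISHED"
        elif self.state == "SYN_SENT" and p.flags == "RST":
            self.state = "CLOSED"     # attempt torn down; a later SYN-ACK is ignored

class Subscriber:
    """Legitimate satellite user. `policy` is what its firewall does with
    packets to closed ports: "DROP" (silent) or "REJECT" (answer with RST)."""
    def __init__(self, ip, open_ports, policy):
        self.ip, self.open_ports, self.policy = ip, open_ports, policy
    def receive(self, p):
        if p.dport in self.open_ports:
            return Pkt(self.ip, p.src, 0, "SYN-ACK")   # a real service answers
        return Pkt(self.ip, p.src, 0, "RST") if self.policy == "REJECT" else None

class Eavesdropper:
    """Any dish in the beam sees every unencrypted downlink packet; modelled
    only as a spoofed SYN-ACK (sent via the regular Internet) for SYNs
    addressed to the subscriber IP it is borrowing."""
    def __init__(self, hijacked_ip):
        self.hijacked_ip = hijacked_ip
    def observe(self, p):
        if p.dst == self.hijacked_ip and p.flags == "SYN":
            return Pkt(self.hijacked_ip, p.src, 0, "SYN-ACK")
        return None

def handshake(policy, port=10080):
    """Send one SYN over the broadcast downlink; return the victim's TCP state."""
    victim = Victim("198.51.100.7")                  # constructed addresses
    sub = Subscriber("203.0.113.9", {22}, policy)    # only SSH is really open
    eve = Eavesdropper(sub.ip)
    syn = victim.connect(sub.ip, port)
    # Modelling assumption: the addressed host's reply reaches the victim
    # before the spoofed one, so a RST wins and a silent DROP leaves the door open.
    for reply in (sub.receive(syn), eve.observe(syn)):
        if reply is not None:
            victim.receive(reply)
    return victim.state
```

`handshake("DROP")` ends with the victim ESTABLISHED to the spoofed peer, while `handshake("REJECT")` ends CLOSED; in practice the real race between the two replies depends on the subscriber's return path, which the page does not describe.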

Abused IP ranges
In the course of our analysis we found that the Turla attackers used several DVB-S satellite Internet providers, most of which provide Internet downlinks for the Middle East and Africa. It is interesting to note that Europe and Asia are not covered by these beams. This means that the dish must be installed in the Middle East or Africa. The dish can be installed in other areas, but then it must be much larger, from 3 m in diameter, in order to pick up the signal.

Various tools can be used to calculate the required dish size, including online resources such as satbeams.com.

Conclusions
An interesting feature of the Turla campaigns is the regular use of satellite Internet channels. These channels operate for no more than a few months. It is not yet clear whether this is due to restrictions imposed by the group itself for reasons of operational security, or to the channel being shut down by others as a result of the malicious behaviour.

The technical method used to create these Internet channels is based on hijacking the downlink bandwidth of various ISPs and spoofing packets. This method is easy to implement and provides a higher level of anonymity than conventional methods such as renting a virtual private server (VPS) or hacking a legitimate server.

The initial investment for this attack method is less than $1,000, and ongoing maintenance costs are less than $1,000 per year. Given the simplicity and low cost of the method, it is surprising that it is not used by other APT groups. While this method provides an unprecedented level of anonymity, for logistical reasons it is easier to rely on bulletproof hosting, multiple layers of proxies, or hacked websites. In fact, the Turla group uses all of these techniques, which is why its cyber espionage campaigns are so versatile, dynamic and flexible.

In conclusion, it should be noted that Turla is not the only APT group using satellite Internet channels. The command servers of the HackingTeam and Xumuxu groups, and more recently also of the Rocket Kitten APT group, have been spotted on satellite Internet IP addresses.

If this method becomes widespread among APT groups or, even worse, cybercriminal groups, it will create a serious problem for IT security professionals and counterintelligence agencies.
 
This autumn marks the 25th anniversary of the first cyber scandal in Russian-American relations, concerning the leak of information from the Pentagon, NASA, other government agencies and military contractors. The Americans called the operation, which ran in 1996-1998, Moonlight Maze and found a Russian trace in it.

interact with the Ministry of Internal Affairs, but part of the visit was devoted to sightseeing in the capital, and not to the search for violators.

By the summer of 1999, information about the investigation began to leak to the media. The first article about Moonlight Maze appeared in the Sunday Times under the headline 'Russian hackers steal US weapons secrets'. In the fall, articles appeared in Newsweek ('We're In The Middle Of A Cyberwar') and the Los Angeles Times ('Yearlong Hacker Attack Nets Sensitive U.S. Data': https://www.latimes.com/archives/la-xpm-1999-oct-07-mn-19725-story.html).

It seems that the LA Times story received the most attention in the world press, since it was after it that the story drew a reaction in Russia (the newspaper is also 25 years old this year, and at that time had been published for only a month), whose journalist received comments from the Ministry of Internal Affairs and the Foreign Intelligence Service. Perhaps these were the first public statements by Russian officials on accusations of Russian hacking.

In 2000, the United States officially protested to Russia on this matter.

In the United States, Moonlight Maze played an important role in the development of information security policy. It is believed that the investigation of the hack was one of the factors that influenced the adoption in 1998 of Presidential Decision Directive 63 on critical infrastructure protection.

Moonlight Maze is known not only from the media, but also from a number of books (Fred Kaplan, Dark Territory; Thomas Rid, Rise of the Machines). Although the U.S. has not fully disclosed information about the investigation, some documents about it have been (partially) declassified: https://nsarchive.gwu.edu/news/cybe...omain-documents-key-events-cyber-history#maze

In addition, in 2017, a team of researchers from Kaspersky Lab and King's College London released a report linking Moonlight Maze to the toolkit of a group known as Turla.