Russian-Speaking Hackers Tap Satellite Internet Connections

A group of sophisticated Russian-speaking hackers is exploiting commercial satellites to siphon sensitive data from diplomatic and military agencies in the United States and in Europe, as well as to mask their location. The group, which some refer to as Turla, after the name of the malicious software it uses, has also targeted government organisations, embassies and companies in Russia, China and dozens of other countries, as well as research groups and pharmaceutical firms. Security experts have commented as follows:

Ian Pratt, CEO and co-founder, Bromium:

“Whereas ISPs can trace IP addresses associated with ADSL or cable modem connections to within a few streets, broadband from geostationary satellites can cover whole continents, with the ISP having limited ability to locate where a particular access modem is — though techniques such as those developed in the search for Malaysia Airlines flight MH370 are potentially able to give rough areas. Hacking groups have frequently used satellite broadband for hosting key components of their infrastructure, but this has typically been done by purchasing a regular subscription under a false identity. Although there was little chance of law enforcement being able to track down the physical location of the satellite modem, once the IP address had been identified as hosting malicious content it would be straightforward for the satellite ISP to block the modem and remove it from the network. An even better covert technique is to effectively clone the access modem of an existing legitimate satellite broadband customer. Due to a lack of cryptographic authentication in most satellite broadband systems this can be done without having physical access to the victim’s modem and can be done just by listening to other traffic and then reprogramming an existing modem. Using a cloned modem makes it harder for the ISP to block the traffic since it would impact a legitimate user, and the miscreants can simply switch to cloning a different legitimate user’s device. Strong authentication of access modems using a key unique to each device is the only way to block this kind of attack, but can only realistically be done for new deployments.”
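The mitigation Pratt describes, a per-device key that the network challenges on admission, contrasted with identifier-only admission, as an added illustration that is not from the article or any satellite operator; the `Gateway` class, identifiers and keys are constructed for the example:

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed, hypothetical model of ISP-side access-modem admission control.
# Identifiers and keys are made up; no real satellite system is modelled.


@dataclass
class Gateway:
    known_ids: set          # legacy policy: admit any modem presenting a known identifier
    device_keys: dict       # hardened policy: per-device key provisioned at manufacture

    def admit_by_identifier(self, modem_id: str) -> bool:
        # Anything observable on the air (the identifier) is enough to be admitted.
        return modem_id in self.known_ids

    def challenge(self) -> bytes:
        # Fresh random nonce for every admission attempt.
        return secrets.token_bytes(16)

    def admit_by_response(self, modem_id: str, nonce: bytes, response: bytes) -> bool:
        key = self.device_keys.get(modem_id)
        if key is None:
            return False
        expected = hmac.new(key, nonce + modem_id.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def modem_respond(key: bytes, modem_id: str, nonce: bytes) -> bytes:
    # What a modem holding the device key computes for the gateway's nonce.
    return hmac.new(key, nonce + modem_id.encode(), hashlib.sha256).digest()


def demo() -> tuple:
    legit_id, legit_key = "MODEM-0001", secrets.token_bytes(32)
    gw = Gateway(known_ids={legit_id}, device_keys={legit_id: legit_key})
    # Legacy policy: a device that merely presents an overheard identifier is admitted.
    cloned_ok = gw.admit_by_identifier(legit_id)
    # Hardened policy: the genuine modem answers a fresh challenge and is admitted.
    n1 = gw.challenge()
    recorded = modem_respond(legit_key, legit_id, n1)
    legit_ok = gw.admit_by_response(legit_id, n1, recorded)
    # A recorded transcript is useless later: the gateway issues a new nonce,
    # so the old response no longer verifies without the device key.
    n2 = gw.challenge()
    replay_ok = gw.admit_by_response(legit_id, n2, recorded)
    return cloned_ok, legit_ok, replay_ok
```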

TK Keanini, chief technology officer (CTO), Lancope:

“If there was any question as to the level of game play required in this day and age, here is your wake-up call. We in security are always accused of spreading FUD, but this is the reality of the connected world we live in. Even as an expert, I read news like this and it makes me anxious – and so it should. These are talented, well-funded threat actors whose job it is to not make the news; so when one does, consider them the sloppy ones.”