One of the world’s most advanced espionage groups has already been caught unleashing an extremely stealthy trojan for Linux systems that for years siphoned sensitive data from governments and pharmaceutical companies around the world. Now researchers have discovered a highly unusual method that members of the so-called Turla group used to cover their tracks. They hijacked satellite-based Internet links to communicate with command and control servers.
Most available satellite-based Internet remains almost as limited now as when it was introduced two decades ago. It’s slow and provides users only with a unidirectional download link. But there’s something about the connections that made them highly attractive to Turla members: most satellite links are unencrypted and can be intercepted by anyone within a radius of more than 600 miles. That means a connection between someone located in, say, a remote location in Africa and a satellite-based ISP can be monitored or even hijacked by an attacker.
According to research published Wednesday by researchers from Moscow-based security firm Kaspersky Lab, that’s precisely what Turla members did. The Russian-speaking hackers reserved the method only for their highest-profile targets, and even then used it only during advanced stages of an espionage campaign. According to Kaspersky Lab Senior Security Researcher Stefan Tanase, here’s how they did it: