What SAT hacks are there

Hackers operate camouflaged via satellite internet

The Turla hacking group hooks into satellite internet connections in order to manage its botnets anonymously. In doing so, the group wants to avoid the cat-and-mouse game with law enforcement officers and Internet providers who follow its tracks and take command and control servers offline, Kaspersky explains in its blog.

According to the security researchers, hackers have been using satellite Internet for their own purposes since 2007. The biggest advantage is that it is difficult for investigators to trace the hackers: the areas that a satellite covers are very large, and the command and control servers are accordingly difficult to localize.

Hijack connections

In the past, according to Kaspersky, hackers have latched onto connections via man-in-the-middle attacks or have chosen the legal route through a provider. Turla relies on a new method and taps directly into the DVB-S connection.

The hackers are said to rely on a satellite card for computers, an LNB, a satellite dish and a PC running Linux. According to the researchers, the DVB-S card must support the blind scan function in order to be able to search through entire frequency bands.

Turla concentrates its search on satellites that only offer a downstream, because these connections are not encrypted and are said to be easy to hijack. Once the dish points to a corresponding satellite, the hackers intercept data packets from legitimate users, the researchers explain.

Exfiltrate data securely

If the hackers capture a TCP/IP SYN packet, they respond with a SYN/ACK packet over a conventional Internet connection. If such a packet hits a closed port, normally no connection can be established. In the case of satellite Internet, a firewall is said to discard such packets in many cases. Kaspersky writes, without going into detail, that this opens up a way in.

Once the hackers have hijacked a connection, they misuse it to send data, such as passwords, from computers infected with their malware to their command and control servers.
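
Seen from the legitimate satellite subscriber whose address is borrowed, the exchange described above leaves a trace: a peer sends a SYN, the subscriber's host never answers with a SYN/ACK, and yet the peer goes on to acknowledge and send data. The following Python check is an added example, not code from Kaspersky or from this article; the record layout, the function name and the addresses (documentation ranges) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed packet summaries from a satellite subscriber's own capture:
# (time, direction, src, sport, dst, dport, tcp_flags, payload_len)
# direction "in" = arrived on the downlink, "out" = sent by this host.
SAMPLE = [
    (1.0, "in", "198.51.100.7", 40112, "203.0.113.20", 80, "S", 0),    # scanner: SYN only
    (2.0, "in", "198.51.100.9", 51544, "203.0.113.20", 443, "S", 0),   # SYN to a closed port
    (2.3, "in", "198.51.100.9", 51544, "203.0.113.20", 443, "A", 0),   # peer acts as if answered
    (2.4, "in", "198.51.100.9", 51544, "203.0.113.20", 443, "PA", 512),
    (3.0, "in", "192.0.2.44", 33000, "203.0.113.20", 22, "S", 0),      # genuine session
    (3.1, "out", "203.0.113.20", 22, "192.0.2.44", 33000, "SA", 0),
    (3.2, "in", "192.0.2.44", 33000, "203.0.113.20", 22, "A", 0),
    (3.3, "in", "192.0.2.44", 33000, "203.0.113.20", 22, "PA", 64),
]

def find_unanswered_sessions(packets):
    """Return flows where a peer completed a handshake this host never answered."""
    flows = defaultdict(lambda: {"syn": False, "synack_sent": False, "acks": 0, "bytes": 0})
    for _t, direction, src, sport, dst, dport, flags, length in packets:
        if direction == "in":
            f = flows[(src, sport, dst, dport)]
            if flags == "S":
                f["syn"] = True
            elif "A" in flags and "S" not in flags and "R" not in flags:
                # ACK or data segment that presumes an established connection
                f["acks"] += 1
                f["bytes"] += length
        else:
            # Key outbound packets by the inbound orientation of the same flow
            f = flows[(dst, dport, src, sport)]
            if "S" in flags and "A" in flags:
                f["synack_sent"] = True
    hits = []
    for key, f in flows.items():
        # SYN seen, no SYN/ACK from us, but the peer kept talking: someone else answered
        if f["syn"] and not f["synack_sent"] and f["acks"] > 0:
            hits.append({"flow": key, "acks": f["acks"], "bytes": f["bytes"]})
    return sorted(hits, key=lambda h: h["flow"])

if __name__ == "__main__":
    for hit in find_unanswered_sessions(SAMPLE):
        print(hit)
```

A plain port scan (SYN only) and a session the host really accepted are both ignored; only the flow whose handshake was completed by a third party is reported.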

[UPDATE, 09/11/2015 2:00 p.m.]

Description of the hacking group adjusted. (of)
