The Russia-based cyber-espionage group Turla is the center of attention for security experts at Kaspersky Lab, after evidence of its activity multiplied.
The group's modus operandi has remained largely unchanged since 2007 and is simple, efficient and almost undetectable. In short, they hijack the satellite IP addresses of unwitting, non-threatening users and use them to pull stolen data from other infected devices in a way that masks the location of their own command-and-control (C&C) servers.
"The C&C servers are the central point of failure when it comes to cybercrime or espionage operations, so it's very important for them to hide the physical location of the servers," Stefan Tanase, senior security researcher with Kaspersky, says.
Common methods for concealing the position of a command server are leasing or compromising a server and using it as a C&C, or routing the activity through multiple proxy machines.
Why do Kaspersky's security specialists call Turla's method "exquisite"? Mainly because the geographical area covered by a satellite Internet provider is much larger than that of a cable or dial-up provider: a single satellite footprint can span 1,000 miles and stretch over multiple continents. This makes tracking down the physical location of a computer using a satellite IP extremely difficult.
"It's probably one of the most effective methods of ensuring their operational security, or that nobody will ever find out the physical location of their command and control server," Tanase points out.
The hardware needed for the hijacking is cheap, too. The basic kit consists of a satellite dish, some cable and a satellite modem, adding up to around $1,000.
Tanase notes that the legitimate satellite users whose addresses are abused would have to check their log files to notice anything suspicious at all. Even then, to an inexperienced eye, the dropped packets in the connection look like ordinary Internet noise rather than malicious activity.
The upside is that siphoning data this way is not sustainable in the long run, because the one-way satellite connections are unstable. Once the hijacked user's computer goes offline, the attacker loses the connection.
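The only sign the article gives a legitimate subscriber is a run of dropped inbound packets that is easy to mistake for background noise. The following script is an added example, not code from the article or from Kaspersky, of how a defender could separate the two in a firewall log. It assumes an iptables-style `DROP` log format, a satellite-facing interface called `sat0`, and that the pattern worth looking at is a steady stream of packets to one closed port from a small, fixed set of sources over several minutes (scattered single probes on assorted ports from many sources are the usual scanning noise). The log lines, the addresses and the thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style firewall log (illustration only, not real traffic).
# 203.0.113.20 stands in for a legitimate subscriber's satellite-assigned IP on sat0.
# Lines 1-4: assorted single probes (noise). Lines 5-12: one port hit from many
# sources (distributed scanning noise). Lines 13-21: a steady trickle to one closed
# port from two fixed sources. Line 22: same port, but on the wired interface.
SAMPLE_LOG = """\
Sep 9 10:00:01 gw kernel: DROP IN=sat0 SRC=198.51.100.7 DST=203.0.113.20 PROTO=TCP SPT=44012 DPT=23
Sep 9 10:00:09 gw kernel: DROP IN=sat0 SRC=198.51.100.40 DST=203.0.113.20 PROTO=TCP SPT=51111 DPT=445
Sep 9 10:00:15 gw kernel: DROP IN=sat0 SRC=198.51.100.77 DST=203.0.113.20 PROTO=UDP SPT=5060 DPT=5060
Sep 9 10:00:42 gw kernel: DROP IN=sat0 SRC=198.51.100.90 DST=203.0.113.20 PROTO=TCP SPT=33333 DPT=3389
Sep 9 10:01:05 gw kernel: DROP IN=sat0 SRC=198.51.100.1 DST=203.0.113.20 PROTO=TCP SPT=40100 DPT=22
Sep 9 10:01:40 gw kernel: DROP IN=sat0 SRC=198.51.100.2 DST=203.0.113.20 PROTO=TCP SPT=40101 DPT=22
Sep 9 10:02:10 gw kernel: DROP IN=sat0 SRC=198.51.100.3 DST=203.0.113.20 PROTO=TCP SPT=40102 DPT=22
Sep 9 10:02:50 gw kernel: DROP IN=sat0 SRC=198.51.100.4 DST=203.0.113.20 PROTO=TCP SPT=40103 DPT=22
Sep 9 10:03:30 gw kernel: DROP IN=sat0 SRC=198.51.100.5 DST=203.0.113.20 PROTO=TCP SPT=40104 DPT=22
Sep 9 10:04:00 gw kernel: DROP IN=sat0 SRC=198.51.100.6 DST=203.0.113.20 PROTO=TCP SPT=40105 DPT=22
Sep 9 10:05:10 gw kernel: DROP IN=sat0 SRC=198.51.100.8 DST=203.0.113.20 PROTO=TCP SPT=40106 DPT=22
Sep 9 10:06:20 gw kernel: DROP IN=sat0 SRC=198.51.100.9 DST=203.0.113.20 PROTO=TCP SPT=40107 DPT=22
Sep 9 10:01:00 gw kernel: DROP IN=sat0 SRC=192.0.2.10 DST=203.0.113.20 PROTO=TCP SPT=40001 DPT=10080
Sep 9 10:01:55 gw kernel: DROP IN=sat0 SRC=192.0.2.10 DST=203.0.113.20 PROTO=TCP SPT=40002 DPT=10080
Sep 9 10:02:50 gw kernel: DROP IN=sat0 SRC=192.0.2.11 DST=203.0.113.20 PROTO=TCP SPT=40003 DPT=10080
Sep 9 10:03:45 gw kernel: DROP IN=sat0 SRC=192.0.2.10 DST=203.0.113.20 PROTO=TCP SPT=40004 DPT=10080
Sep 9 10:04:40 gw kernel: DROP IN=sat0 SRC=192.0.2.10 DST=203.0.113.20 PROTO=TCP SPT=40005 DPT=10080
Sep 9 10:05:35 gw kernel: DROP IN=sat0 SRC=192.0.2.11 DST=203.0.113.20 PROTO=TCP SPT=40006 DPT=10080
Sep 9 10:06:30 gw kernel: DROP IN=sat0 SRC=192.0.2.10 DST=203.0.113.20 PROTO=TCP SPT=40007 DPT=10080
Sep 9 10:07:25 gw kernel: DROP IN=sat0 SRC=192.0.2.10 DST=203.0.113.20 PROTO=TCP SPT=40008 DPT=10080
Sep 9 10:08:20 gw kernel: DROP IN=sat0 SRC=192.0.2.11 DST=203.0.113.20 PROTO=TCP SPT=40009 DPT=10080
Sep 9 10:08:25 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.20 PROTO=TCP SPT=40010 DPT=10080
"""

# Field layout assumed for the constructed log; adjust for a real firewall's format.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: DROP IN=(?P<iface>\S+) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_drops(text, year=2015):
    """Parse DROP lines into (timestamp, iface, src, dst, proto, dport) tuples.
    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["iface"], m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def find_sustained_unsolicited(events, iface="sat0", window_minutes=10,
                               min_packets=8, max_sources=3):
    """Flag (dst, proto, dport) tuples on the satellite interface that receive at
    least min_packets dropped packets within window_minutes from at most
    max_sources distinct sources. Thresholds are assumptions for the demo."""
    by_key = defaultdict(list)
    for ts, ifc, src, dst, proto, dpt in events:
        if ifc == iface:
            by_key[(dst, proto, dpt)].append((ts, src))

    findings = {}
    for key, hits in by_key.items():
        hits.sort()
        start, best = 0, None
        for end in range(len(hits)):
            # Slide the window start forward until the span fits window_minutes.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_minutes * 60:
                start += 1
            window = hits[start:end + 1]
            sources = {s for _, s in window}
            if len(window) >= min_packets and len(sources) <= max_sources:
                if best is None or len(window) > best["packets"]:
                    best = {"packets": len(window), "sources": sorted(sources),
                            "first": window[0][0], "last": window[-1][0]}
        if best:
            findings[key] = best
    return findings


if __name__ == "__main__":
    for (dst, proto, dpt), info in find_sustained_unsolicited(parse_drops(SAMPLE_LOG)).items():
        print(f"{dst} {proto}/{dpt}: {info['packets']} dropped packets from "
              f"{info['sources']} between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

On the constructed log only TCP/10080 is reported: the eight SSH probes come from eight different sources and stay below the source limit's intent, and the four single probes never reach the packet threshold. The two guards (few sources, sustained over minutes) are what keep ordinary scanning noise out of the result; tune them to the baseline of the link being watched.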
"This is why we believe they only use it on the most high-profile targets," Tanase says. "When anonymity is essential. We don't see them using it all the time."
Turla, also known as Uroboros, Carbon or Snake, is believed to operate under Russian government authority and sponsorship. In the last ten years it has pointed its antennas at officials in 40 countries, including China, Vietnam and the U.S., but it has focused its covert activity on states of the former Soviet Union in particular, targeting embassies and government members above all.