The Russian Britney Spears Instagram hackers also used satellites to hide their tracks

Pity poor Turla, the advanced persistent threat hacking group closely associated with the Russian government who were outed yesterday for their extremely clever gimmick of using Britney Spears's Instagram account as a covert channel for controlling compromised computers in the field while protecting their "command and control" servers; today, Turla faces another devastating disclosure, a report that Turla exploited gaps in the security model of satellite TV and internet systems to make it possible for compromised computers to contact the C&C servers without revealing their locations.

Satellite internet services that are delivered over DVB-S satellite TV links use unencrypted links: users send data to the satellites through normal internet links, without encryption, that terminate in satellite ground-stations that uplink to the space-based units. The satellites then beam down their communications (again, without encryption) to a region whose footprint has a radius of 600 miles.

Turla intercepted communications destined for the satellite base stations (called "teleport points") and injected their own data into the streams. The satellites retransmitted this data to a 600 square-mile radius zone. The addressee of the data ignored it, because it had a nonsense port-number associated with it. But Turla was able to receive this data and act on it.

The Turla attackers listen for packets coming from a specific IP address in one of these classes. When certain packets—say, a TCP/IP SYN packet—are identified, the hackers spoof a reply to the source using a conventional Internet line. The legitimate user of the link just ignores the spoofed packet, since it goes to an otherwise unopened port, such as port 80 or 10080. With normal Internet connections, if a packet hits a closed port, the end user will normally send the ISP some indication that something went wrong. But satellite links typically use firewalls that drop packets to closed ports. This allows Turla to stealthily hijack the connections.

The hack allowed computers infected with Turla spyware to communicate with Turla C&C servers without disclosing their location. Because the Turla attackers had their own satellite dish receiving the piggybacked signal, they could be anywhere within a 600-mile radius. As a result, researchers were largely stopped from shutting down the operation or gaining clues about who was carrying it out.

"It's probably one of the most effective methods of ensuring their operational security, or that nobody will ever find out the physical location of their command and control server," Tanase told Ars. "I cannot think of a way of identifying the location of a command server. It can be anywhere in the range of the satellite beam."

How highly advanced hackers (ab)used satellites to stay under the radar [Dan Goodin/Ars Technica]

Satellite Turla: APT Command and Control in the Sky [Stefan Tanase/Securelist]