Thursday, 10 September 2015

Spies Steal Confidential Data For Years Via Satellites

A group of cyber spies, held responsible by several anti-virus companies for the attack on the Belgian Ministry of Foreign Affairs and numerous other organizations, has been using satellites for years to steal confidential data from infected computers, anti-virus firm Kaspersky Lab reported today.

The espionage group is called "Turla" and is responsible for the Snake rootkit, also known as Uroburos. Using social engineering and zero-day vulnerabilities, the group has been infecting computers for eight years. The targets include government agencies and embassies, as well as defense, education, and research organizations and pharmaceutical companies. Once valuable targets have been identified, the attackers use an extensive satellite-based communication mechanism in the final phase of the attack to steal the data and cover their tracks.


Satellite Internet mainly provides access to people in remote areas. One of the most widespread and affordable types of satellite-based Internet connections is called a downstream-only connection. With it, outgoing requests from a user's computer travel over conventional lines, such as a dial-up modem or GPRS connection, while all inbound traffic comes from the satellite. This technology allows the user to achieve a relatively high download speed.

The downstream traffic has the disadvantage that it comes back to the computer unencrypted. A malicious user in the same region as the satellite user can intercept this traffic with the right equipment and software and gain access to the users' download traffic. The Turla group used this weakness to steal confidential data from infected computers without leaving a trail.

The group first listens to the satellite downstream to identify active IP addresses of satellite-based Internet users who are online at that moment. They then choose an online IP address to which the stolen data will be sent, without the legitimate user of that address being aware of it. The infected computer is then instructed to send the data to the IP address of the satellite user.

TCP/IP connection

In order to steal data via the satellite traffic, the attacker must have a complete TCP/IP connection between himself and the infected machine, says Stefan Tanase of Kaspersky Lab. When a TCP connection is set up between two machines, the client first sends a SYN packet to the server. The server then sends a SYN-ACK packet back. The client replies with an ACK packet, after which the connection is established and data can be exchanged.

In the espionage group's case, the infected computer sends a SYN packet to the IP address of the satellite user. The satellite provider broadcasts this SYN packet down to earth. The innocent satellite user does not accept the packet, because he did not ask for it. Therefore no TCP/IP connection is established on his side. The attackers, who are in the region and capture the satellite traffic, receive the same packet but do accept it. In response they send back an ACK reply in which they spoof the IP address of the satellite user. "This way they manage to set up a full TCP/IP connection in parallel and steal the data," said Tanase.
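Because the downstream is broadcast, the legitimate subscriber's receiver also sees every packet of a connection that someone else completed under its address. The following detection sketch is an added example, not code from Kaspersky Lab or the original article; it assumes the subscriber's host logs inbound packets it drops, and the log format, function name and documentation-range addresses are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: packets logged at the legitimate satellite subscriber's
# host (203.0.113.10). Fields:
# (time, direction, src, sport, dst, dport, tcp_flags, payload_len)
SAMPLE_LOG = [
    # Normal inbound connection that the subscriber answers itself.
    (1.00, "in",  "198.51.100.7", 40000, "203.0.113.10", 22, "S",  0),
    (1.01, "out", "203.0.113.10", 22, "198.51.100.7", 40000, "SA", 0),
    (1.30, "in",  "198.51.100.7", 40000, "203.0.113.10", 22, "A",  0),
    (1.35, "in",  "198.51.100.7", 40000, "203.0.113.10", 22, "PA", 120),
    # Flow the subscriber never answered, yet the peer keeps sending data.
    (5.00, "in",  "192.0.2.55", 51515, "203.0.113.10", 8080, "S",  0),
    (5.90, "in",  "192.0.2.55", 51515, "203.0.113.10", 8080, "A",  0),
    (6.00, "in",  "192.0.2.55", 51515, "203.0.113.10", 8080, "PA", 1400),
    (6.10, "in",  "192.0.2.55", 51515, "203.0.113.10", 8080, "PA", 1400),
    # Plain unanswered SYN (scan noise): no follow-up, so not flagged.
    (9.00, "in",  "198.51.100.99", 33333, "203.0.113.10", 23, "S", 0),
]

def find_unanswered_established_flows(log, local_ip):
    """Return {flow: bytes_seen} for flows where a remote peer behaves as if
    the handshake completed although this host never sent a SYN-ACK."""
    state = defaultdict(lambda: {"syn": False, "synack": False, "bytes": 0, "segs": 0})
    for _t, direction, src, sport, dst, dport, flags, plen in sorted(log):
        if direction == "in" and dst == local_ip:
            flow = (src, sport, dst, dport)
            if flags == "S":
                state[flow]["syn"] = True
            elif "A" in flags and "S" not in flags and "R" not in flags:
                # ACK or data segment that only makes sense after a handshake.
                state[flow]["segs"] += 1
                state[flow]["bytes"] += plen
        elif direction == "out" and src == local_ip and flags == "SA":
            # Our own SYN-ACK: key it by the peer's view of the flow.
            state[(dst, dport, src, sport)]["synack"] = True
    return {
        flow: s["bytes"]
        for flow, s in state.items()
        if s["syn"] and not s["synack"] and s["segs"] > 0
    }

if __name__ == "__main__":
    hits = find_unanswered_established_flows(SAMPLE_LOG, "203.0.113.10")
    for flow, nbytes in hits.items():
        print("handshake completed elsewhere:", flow, nbytes, "bytes seen")
```

The source address of a flagged flow is the machine that believes it is talking to the subscriber, which under the scenario above is the infected computer.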

Hijacking satellite links was discussed at the Black Hat conference in 2009 and 2010 (PDF 1, PDF 2). According to Tanase, the Turla group has been using this tactic since at least 2007, two years before it was discussed publicly. Other espionage groups reportedly use this tactic as well. In those cases the groups' own satellite links are used, whereas the Turla group piggybacks on the satellite traffic of others.

The use of satellites has the advantage that the attackers can hide the location of their own server. It is also not necessary to have a valid satellite subscription. Hijacking the satellite link can be done completely anonymously. As a result, it is also difficult to identify the attackers. The method does have some drawbacks, since satellite-based Internet can be slow and unstable.


Another interesting aspect of Turla's tactics is that satellite Internet services in the Middle East and African countries are used. The researchers discovered IP addresses of providers in Afghanistan, Congo, Lebanon, Libya, Niger, Nigeria, Somalia and Zambia. Satellites used by operators in these countries usually have no coverage in European and North American regions. This makes it very difficult for most security researchers to investigate such attacks.

"Turla is able to achieve the ultimate anonymity by using a widely used technology: one-way Internet via satellite. The attackers can be anywhere within the range of the satellite they have selected, an area that can cover thousands of square kilometers," Tanase said. Kaspersky Lab detected hundreds of infections worldwide, although the actual number may be higher because the anti-virus vendor does not see all infections. The attackers are still active and still make use of satellite communications to steal confidential data, according to the Russian anti-virus company.
