I read that an APT group, called Turla, is using satellites for command-and-control operations to mask its attacks....
How does this work? What's the best way to stop satellite Internet hijacking?
A key part of launching a persistent attack is keeping it from being detected, and keeping the command-and-control operation functioning even after it has been detected. The Turla advanced persistent threat (APT) group has taken a relatively unique method to operational security for their command-and-control operations by using satellite Internet connections. Satellite Internet connections are low bandwidth and relatively expensive, but provide a certain amount of physical anonymity and can be accessed from a PC with specialized equipment. The satellite Internet hijacking gives the APT group access to the Internet from remote and/or air-gapped locations using a broadcast connection. This connection only provides the ability for one-way communication from the satellite, so the APT group must then use an alternative Internet connection to the other communications. The attack also utilizes watering hole attacks in order for the initial infection vector to install its sophisticated rootkit.
Basic cyberhygiene at all levels has unexpected benefits toward preventing attacks. The best way to stop the satellite Internet hijacking, as used by the Turla APT group, is following Best Current Practice 38 from the Internet Engineering Task Force; this best practice covers network ingress filtering to prevent IP address spoofing. As the attack is reported to use man-in-the-middle attacks, using Border Gateway Protocol security can prevent rerouting the satellite Internet traffic. If the attacker can't use spoofed IP packets as part of the attack, their ability to remain undetected is compromised.
Find out how steganography can help attackers avoid detection
Learn about a new malware obfuscation technique that uses HTML5
Discover how APT groups are using public cloud services for attacks
Dig Deeper on Hacker tools and techniques: Underground hacking sites
Related Q&A from Nick Lewis
A new remote access Trojan called UBoatRAT was found spreading via Google services and GitHub. Learn how spotting command-and-control systems can ... Continue Reading
CyberArk researchers created an attack called Golden SAML that uses Mimikatz techniques and applied it to a federated environment. Learn more about ... Continue Reading
The use of botnets to spread Scarab ransomware intensifies the threat for enterprises. Discover the best way to respond to such a threat and protect ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.