lolloj - Fotolia
A key part of launching a persistent attack is keeping it from being detected, and keeping the command-and-control operation functioning even after it has been detected. The Turla advanced persistent threat (APT) group has taken a relatively unique method to operational security for their command-and-control operations by using satellite Internet connections. Satellite Internet connections are low bandwidth and relatively expensive, but provide a certain amount of physical anonymity and can be accessed from a PC with specialized equipment. The satellite Internet hijacking gives the APT group access to the Internet from remote and/or air-gapped locations using a broadcast connection. This connection only provides the ability for one-way communication from the satellite, so the APT group must then use an alternative Internet connection to the other communications. The attack also utilizes watering hole attacks in order for the initial infection vector to install its sophisticated rootkit.
Basic cyberhygiene at all levels has unexpected benefits toward preventing attacks. The best way to stop the satellite Internet hijacking, as used by the Turla APT group, is following Best Current Practice 38 from the Internet Engineering Task Force; this best practice covers network ingress filtering to prevent IP address spoofing. As the attack is reported to use man-in-the-middle attacks, using Border Gateway Protocol security can prevent rerouting the satellite Internet traffic. If the attacker can't use spoofed IP packets as part of the attack, their ability to remain undetected is compromised.
Find out how steganography can help attackers avoid detection
Learn about a new malware obfuscation technique that uses HTML5
Discover how APT groups are using public cloud services for attacks
Dig Deeper on Hacker tools and techniques: Underground hacking sites
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading