lolloj - Fotolia
I read that an APT group, called Turla, is using satellites for command-and-control operations to mask its attacks. How does this work? What's the best way to stop satellite Internet hijacking?
A key part of launching a persistent attack is keeping it from being detected, and keeping the command-and-control operation functioning even after it has been detected. The Turla advanced persistent threat (APT) group has taken a relatively unique method to operational security for their command-and-control operations by using satellite Internet connections. Satellite Internet connections are low bandwidth and relatively expensive, but provide a certain amount of physical anonymity and can be accessed from a PC with specialized equipment. The satellite Internet hijacking gives the APT group access to the Internet from remote and/or air-gapped locations using a broadcast connection. This connection only provides the ability for one-way communication from the satellite, so the APT group must then use an alternative Internet connection to the other communications. The attack also utilizes watering hole attacks in order for the initial infection vector to install its sophisticated rootkit.
Basic cyberhygiene at all levels has unexpected benefits toward preventing attacks. The best way to stop the Satellite internet hijacking, as used by the Turla APT group, is following Best Current Practice 38 from the Internet Engineering Task Force; this best practice covers network ingress filtering to prevent IP address spoofing. As the attack is reported to use man-in-the-middle attacks, using Border Gateway Protocol security can prevent rerouting the satellite Internet traffic. If the attacker can't use spoofed IP packets as part of the attack, their ability to remain undetected is compromised.
Find out how steganography can help attackers avoid detection
Learn about a new malware obfuscation technique that uses HTML5
Discover how APT groups are using public cloud services for attacks
Dig Deeper on Hacker tools and techniques: Underground hacking sites
Related Q&A from Nick Lewis
Prevention is the only line of defense against an extortionware attack. Learn how extortionware works and why it can be more damaging than ransomware. Continue Reading
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading