lolloj - Fotolia

How can Internet hijacking be prevented or mitigated?

An advanced persistent threat group used satellite Internet connections to mask its attacks. Expert Nick Lewis offers advice for preventing these types of schemes.

I read that an APT group, called Turla, is using satellites for command-and-control operations to mask its attacks. How does this work? What's the best way to stop satellite Internet hijacking?

A key part of launching a persistent attack is keeping it from being detected, and keeping the command-and-control operation functioning even after it has been detected. The Turla advanced persistent threat (APT) group has taken a relatively unique method to operational security for their command-and-control operations by using satellite Internet connections. Satellite Internet connections are low bandwidth and relatively expensive, but provide a certain amount of physical anonymity and can be accessed from a PC with specialized equipment. The satellite Internet hijacking  gives the APT group access to the Internet from remote and/or air-gapped locations using a broadcast connection. This connection only provides the ability for one-way communication from the satellite, so the APT group must then use an alternative Internet connection to the other communications. The attack also utilizes watering hole attacks in order for the initial infection vector to install its sophisticated rootkit.

Basic cyberhygiene at all levels has unexpected benefits toward preventing attacks. The best way to stop the Satellite internet hijacking, as used by the Turla APT group, is following Best Current Practice 38 from the Internet Engineering Task Force; this best practice covers network ingress filtering to prevent IP address spoofing. As the attack is reported to use man-in-the-middle attacks, using Border Gateway Protocol security can prevent rerouting the satellite Internet traffic. If the attacker can't use spoofed IP packets as part of the attack, their ability to remain undetected is compromised.

Next Steps

Find out how steganography can help attackers avoid detection

Learn about a new malware obfuscation technique that uses HTML5

Discover how APT groups are using public cloud services for attacks

This was last published in March 2016

Dig Deeper on Hacker tools and techniques: Underground hacking sites