satellite turla: apt command and control in the sky - paper · pdf file2015/10/28 satellite...
TRANSCRIPT
2015/10/28 Satellite Turla: APT Command and Control in the Sky - Securelist
https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ 1/17
APT CYBER ESPIONAGE TURLA
Stefan Tanase@stefant
Have you ever watched satellite television? Were youamazed by the diversity of TV channels and radio stationsavailable? Have you ever looked in wonder at satellitephones or satellitebased Internet connections wonderingwhat makes them tick? What if we told you that there’smore to satellitebased Internet connections thanentertainment, traffic and weather? Much, much more.
Satellite Turla: APTCommand and Controlin the SkyHow the Turla operators hijacksatellite Internet links
By Stefan Tanase on September 9, 2015. 9:58 am
RESEARCH
2015/10/28 Satellite Turla: APT Command and Control in the Sky - Securelist
https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ 2/17
Turla: Hiding Traces High in t...
When you are an APT group, you need to deal with manydifferent problems. One of them, and perhaps the biggest,is the constant seizure and takedown of domains andservers used for commandandcontrol (C&C). Theseservers are constantly appropriated by law enforcement orshut down by ISPs. Sometimes they can be used to tracethe attackers back to their physical locations.
Some of the most advanced threat actors or users ofcommercial hacking tools have found a solution to thetakedown problem — the use of satellitebased Internetlinks. In the past, we’ve seen three different actors usingsuch links to mask their operations. The most interestingand unusual of them is the Turla group.
Also known as Snake or Uroburos, names which comefrom its top class rootkit, the Turla cyberespionage grouphas been active for more than 8 years. Several papershave been published about the group’s operations, butuntil the Epic Turla research was published by KasperskyLab, little information was available about the moreunusual aspects of their operations, such as the firststages of infection through wateringhole attacks.
What makes the Turla group special is not just thecomplexity of its tools, which include the Uroboros rootkit,aka “Snake”, as well as mechanisms designed to bypassair gaps through multistage proxy networks inside LANs,but the exquisite satellitebased C&C mechanism used in
2015/10/28 Satellite Turla: APT Command and Control in the Sky - Securelist
https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ 3/17
the latter stages of the attack.
In this blog, we hope to shed more light on the satellitebased C&C mechanisms that APT groups, including theTurla/Snake group, use to control their most importantvictims. As the use of these mechanisms becomes morepopular, it’s important for system administrators to deploythe correct defense strategies to mitigate such attacks.For IOCs, see the appendix.
Technical detailsAlthough relatively rare, since 2007 several elite APTgroups have been using — and abusing — satellite linksto manage their operations — most often, their C&Cinfrastructure. Turla is one of them. Using this approachoffers some advantages, such as making it hard to identifythe operators behind the attack, but it also poses somerisks to the attackers.
On the one hand, it’s valuable because the true locationand hardware of the C&C server cannot be easilydetermined or physically seized. Satellitebased Internetreceivers can be located anywhere within the areacovered by a satellite, and this is generally quite large.The method used by the Turla group to hijack thedownstream links is highly anonymous and does notrequire a valid satellite Internet subscription.
On the other hand, the disadvantage comes from the factthat satellitebased Internet is slow and can be unstable.
2015/10/28 Satellite Turla: APT Command and Control in the Sky - Securelist
https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ 4/17
In the beginning, it was unclear to us and otherresearchers whether some of the links observed werecommercial Internet connections via satellite, purchasedby the attackers, or if the attackers had breached the ISPsand performed ManintheMiddle (MitM) attacks at therouter level to hijack the stream. We have analyzed thesemechanisms and come to the astonishing conclusion thatthe method used by the Turla group is incredibly simpleand straightforward, as well as highly anonymous andvery cheap to operate and manage.
Real satellite links, MitMattacks or BGP hijacking?Purchasing satellitebased Internet links is one of theoptions APT groups can choose to secure their C&Ctraffic. However, full duplex satellite links can be veryexpensive: a simple duplex 1Mbit up/down satellite linkmay cost up to $7000 per week. For longer term contractsthis cost may decrease considerably, but the bandwidthstill remains very expensive.
Another way of getting a C&C server into a satellite’s IPrange is to hijack the network traffic between the victimand the satellite operator and to inject packets along theway. This requires either exploitation of the satelliteprovider itself, or of another ISP on the way.
These kinds of hijacking attacks have been observed inthe past and were documented by Renesys (now part ofDyn) in a blogpost dated November 2013.
According to Renesys: “Various providers’ BGP routeswere hijacked, and as a result a portion of their Internettraffic was misdirected to flow through Belarusian andIcelandic ISPs. We have BGP routing data that show thesecondbysecond evolution of 21 Belarusian events inFebruary and May 2013, and 17 Icelandic events in JulyAugust 2013.”
In a more recent blogpost from 2015, Dyn researchers
2015/10/28 Satellite Turla: APT Command and Control in the Sky - Securelist
https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ 5/17
point out that: “For security analysts reviewing alert logs, itis important to appreciate that the IP addresses identifiedas the source of incidents can and are regularly spoofed.For example, an attack that appeared to come from aComcast IP located in New Jersey may really have beenfrom a hijacker located in Eastern Europe, brieflycommandeering Comcast IP space. It is interesting to notethat all six cases discussed above were conducted fromeither Europe or Russia.”
Obviously, such incredibly apparent and largescaleattacks have little chance of surviving for long periods oftime, which is one of the key requirements for running anAPT operation. It is therefore not very feasible to performthe attack through MitM traffic hijacking, unless theattackers have direct control over some hightrafficnetwork points, such as backbone routers or fiber optics.There are signs that such attacks are becoming morecommon, but there is a much simpler way to hijacksatellitebased Internet traffic.
Satellite link (DVB-S)hijackingThe hijacking of satellite DVBS links has been describeda few times in the past and a presentation on hijackingsatellite DVB links was delivered at BlackHat 2010 by the
2015/10/28 Satellite Turla: APT Command and Control in the Sky - Securelist
https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ 6/17
S21Sec researcher Leonardo Nve Egea.
To hijack satellite DVBS links, one needs the following:
A satellite dish – the size depends on geographicalposition and satelliteA lownoise block downconverter (LNB)A dedicated DVBS tuner (PCIe card)A PC, preferably running Linux
While the dish and the LNB are moreorless standard, thecard is perhaps the most important component. Currently,the best DVBS cards are made by a company called TBSTechnologies. The TBS6922SE is perhaps the best entrylevel card for the task.
TBS6922SE PCIe card for receiving DVBS channels
The TBS card is particularly wellsuited to this taskbecause it has dedicated Linux kernel drivers andsupports a function known as a bruteforce scan whichallows widefrequency ranges to be tested for interestingsignals. Of course, other PCI or PCIe cards might work aswell, while, in general the USBbased cards are relativelypoor and should be avoided.
Unlike full duplex satellitebased Internet, thedownstreamonly Internet links are used to accelerateInternet downloads and are very cheap and easy todeploy. They are also inherently insecure and use noencryption to obfuscate the traffic. This creates the
2015/10/28 Satellite Turla: APT Command and Control in the Sky - Securelist
https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ 7/17
possibility for abuse.
Companies that provide downstreamonly Internet accessuse teleport points to beam the traffic up to the satellite.The satellite broadcasts the traffic to larger areas on theground, in the Ku band (1218Ghz) by routing certain IPclasses through the teleport points.
How does satellite internethijacking work?
To attack satellitebased Internet connections, both thelegitimate users of these links as well as the attackers’own satellite dishes point to the specific satellite that isbroadcasting the traffic. The attackers abuse the fact thatthe packets are unencrypted. Once an IP address that isrouted through the satellite’s downstream link is identified,the attackers start listening for packets coming from theInternet to this specific IP. When such a packet isidentified, for instance a TCP/IP SYN packet, they identifythe source and spoof a reply packet (e.g. SYN ACK) backto the source using a conventional Internet line.
At the same time, the legitimate user of the link justignores the packet as it goes to an otherwise unopenedport, for instance, port 80 or 10080. There is an importantobservation to make here: normally, if a packet hits aclosed port, a RST or FIN packet will be sent back to thesource to indicate that there is nothing expecting thepacket. However, for slow links, firewalls arerecommended and used to simply DROP packets to
2015/10/28 Satellite Turla: APT Command and Control in the Sky - Securelist
https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ 8/17
closed ports. This creates an opportunity for abuse.
Abused Internet rangesDuring the analysis, we observed the Turla attackersabusing several satellite DVBS Internet providers, most ofthem offering downstreamonly connections in the MiddleEast and Africa. Interestingly, the coverage of thesebeams does not include Europe or Asia, meaning that adish is required in either the Middle East or Africa.Alternatively, a much larger dish (3m+) can be used inother areas to boost the signal.
To calculate the dish size, one can use various tools,including online resources such as satbeams.com:
Sample dish calculation – (c) www.satbeams.com
The table below shows some of the commandandcontrolservers related to the Turla actor with domains resolvingto an IP belonging to satellitebased Internet providers:
IP First seen Hosts
84.11.79.6 Nov, 2007 n/a, see note below
92.62.218.99Feb 25th,2014
pressforum.serveblog.netmusicworld.servemp3.com
209.239.79.47Feb 27th,2014
pressforum.serveblog.netmusicworld.servemp3.com
209.239.79.52March18th, 2014
hockeynews.servehttp.com
2015/10/28 Satellite Turla: APT Command and Control in the Sky - Securelist
https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ 9/17
209.239.79.152 March18th, 2014
hockeynews.servehttp.com
209.239.79.33January25th, 2014
eusociety.com
92.62.220.170March19th, 2014
carsonline.zapto.orgfifarules.25u.comforum.sytes.nethealtheveryday.faqserv.commusicworld.servemp3.comnhlblog.servegame.comolympikblog.4dq.comsupernews.sytes.nettiger.gotgame.orgtopfacts.sytes.netxfiles.zapto.org
92.62.219.172April 26th,2013
eusociety.com
82.146.174.58May 28th,2014
forum.sytes.nethockeynews.servehttp.comleagueoflegends.servequake.commusicworld.servemp3.com
82.146.166.56March11th, 2014
easportnews.publicvm.com
82.146.166.62June 24th,2014
hockeynews.servehttp.com
62.243.189.231April 4th,2014
africankingdom.deaftone.comaromatravel.orgmarketplace.servehttp.comnewutils.3utilities.compeoplehealth.netpressforum.serveblog.netweatheronline.hopto.org
77.246.76.19March17th, 2015
onlineshop.sellclassics.com
62.243.189.187May 2nd,2012
eusociety.com
62.243.189.215January3rd, 2013
peoplehealth.net
217.20.243.37July 3,2014
forum.sytes.netmusicworld.servemp3.com
217.20.242.22September
mediahistory.linkpc.net
2015/10/28 Satellite Turla: APT Command and Control in the Sky - Securelist
https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ 10/17
1st, 2014
83.229.75.141August 05,2015
accessdest.strangled.netchinafood.chickenkiller.comcoldriver.strangled.netdeveloparea.mooo.comdowntown.crabdance.comgreateplan.ocry.comindustrywork.mooo.comradiobutton.mooo.comsecuresource.strangled.netsportnewspaper.strangled.netsupercar.ignorelist.comsupernews.instanthq.com
Note: 84.11.79.6 is hardcoded in the configuration block ofthe malicious sample.
The observed satellite IPs have the following ‘WHOIS’information:
IP Country ISP
92.62.220.17092.62.219.17292.62.218.99
Nigeria
SkylinksSatelliteCommunicationsLimited
209.239.79.47209.239.79.52209.239.79.152209.239.79.33
UAETeleskies,Telesat NetworkServices Inc
82.146.174.5882.146.166.5682.146.166.62
Lebanon Lunasat Isp
62.243.189.23162.243.189.18762.243.189.215
Denmark Emperion
77.246.71.1077.246.76.19
LebanonIntraskyOffshore S.a.l.
84.11.79.6 Germany IABG mbH
217.20.243.37 SomaliaSky PowerInternational Ltd
Sky Power
2015/10/28 Satellite Turla: APT Command and Control in the Sky - Securelist
https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ 11/17
217.20.242.22 Nigeria International Ltd
83.229.75.141UnitedKingdom
SkyVisionGlobal NetworksLtd
217.194.150.31 NigerSkyVisionGlobal NetworksLtd
41.190.233.29 Congo Orioncom
One interesting case is probably 84.11.79.6, which fallsinto the satellite IP range of IABG mbH.
This IP is encrypted in the C&C of the following backdoorused by Turla group, known as “Agent.DNE“:
md5 0328dedfce54e185ad395ac44aa4223c
size 91136 bytes
type Windows PE
Agent.DNE C&C configuration
This Agent.DNE sample has a compilation timestamp ofThu Nov 22 14:34:15 2007, meaning that the Turla grouphas been using satellitebased Internet links for almosteight years.
ConclusionsThe regular usage of satellitebased Internet links by theTurla group represents an interesting aspect of theiroperation. The links are generally up for several months,
2015/10/28 Satellite Turla: APT Command and Control in the Sky - Securelist
https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ 12/17
but never for too long. It is unknown if this is due tooperational security limitations selfimposed by the groupor because of shutdown by other parties due to maliciousbehavior.
The technical method used to implement these Internetcircuits relies on hijacking downstream bandwidth fromvarious ISPs and packetspoofing. This is a method that istechnically easy to implement, and provides a muchhigher degree of anonymity than possibly any otherconventional method such as renting a VPS or hacking alegitimate server.
To implement this attack methodology, the initialinvestment is less than $1000. Regular maintenanceshould be less than $1000 per year. Considering howeasy and cheap this method is, it is surprising that wehave not seen more APT groups using it. Even though thismethod provides an unmatched level of anonymforlogistical reasons it is more straightforward to rely onbulletproof hosting, multiple proxy levels or hackedwebsites. In truth, the Turla group has been known to useall of these techniques, making it a very versatile, dynamicand flexible cyberespionage operation.
Lastly, it should be noted that Turla is not the only APTgroup that has used satellitebased Internet links.HackingTeam C&Cs were seen on satellite IPs before, aswell as C&Cs from the Xumuxu group and, more recentlythe Rocket Kitten APT group.
If this method becomes widespread between APT groupsor worse, cybercriminal groups, this will pose a seriousproblem for the IT security and counterintelligencecommunities.
* A full paper on the Turla group’s use of satellitebased Internetlinks is available to the customers of Kaspersky IntelligenceServices.
Indicators of compromise:
IPs:
2015/10/28 Satellite Turla: APT Command and Control in the Sky - Securelist
https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ 13/17
IPs:
84.11.79.641.190.233.2962.243.189.18762.243.189.21562.243.189.23177.246.71.1077.246.76.1977.73.187.22382.146.166.5682.146.166.6282.146.174.5883.229.75.14192.62.218.9992.62.219.17292.62.220.17092.62.221.3092.62.221.38209.239.79.121209.239.79.125209.239.79.15209.239.79.152209.239.79.33209.239.79.35209.239.79.47209.239.79.52209.239.79.55209.239.79.69209.239.82.7209.239.85.240209.239.89.100217.194.150.31217.20.242.22217.20.243.37
Hostnames:
accessdest.strangled[.]netbookstore.strangled[.]netbug.ignorelist[.]comcarsonline.zapto[.]orgchinafood.chickenkiller[.]com
2015/10/28 Satellite Turla: APT Command and Control in the Sky - Securelist
https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ 14/17
coldriver.strangled[.]netdeveloparea.mooo[.]comdowntown.crabdance[.]comeasportnews.publicvm[.]comeurovision.chickenkiller[.]comfifarules.25u[.]comforum.sytes[.]netgoldenroade.strangled[.]netgreateplan.ocry[.]comhealtheveryday.faqserv[.]comhighhills.ignorelist[.]comhockeynews.servehttp[.]comindustrywork.mooo[.]comleagueoflegends.servequake[.]commarketplace.servehttp[.]commediahistory.linkpc[.]netmusicworld.servemp3[.]comnewbook.linkpc[.]netnewgame.2waky[.]comnewutils.3utilities[.]comnhlblog.servegame[.]comnightstreet.toh[.]infoolympikblog.4dq[.]comonlineshop.sellclassics[.]compressforum.serveblog[.]netradiobutton.mooo[.]comsealand.publicvm[.]comsecuresource.strangled[.]netsoftstream.strangled[.]netsportacademy.my03[.]comsportnewspaper.strangled[.]netsupercar.ignorelist[.]comsupernews.instanthq[.]comsupernews.sytes[.]nettelesport.mooo[.]comtiger.gotgame[.]orgtopfacts.sytes[.]nettrack.strangled[.]netwargame.ignorelist[.]comweatheronline.hopto[.]orgwintersport.mrbasic[.]comxfiles.zapto[.]org
MD5s:
2015/10/28 Satellite Turla: APT Command and Control in the Sky - Securelist
https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ 15/17
MD5s:
0328dedfce54e185ad395ac44aa4223c18da7eea4e8a862a19c8c4f10d7341c02a7670aa9d1cc64e61fd50f9f64296f949d6cf436aa7bc5314aa4e78608872d8a44ee30f9f14e156ac0c2137af595cf7b0a1301bc25cfbe66afe596272f56475bcfee2fb5dbc111bfa892ff9e19e45c1d6211fec96c60114d41ec83874a1b31de29a3cc864d943f0e3ede404a32f4189f5916f8f004ffb85e93b4d205576a247594cb9523e32a5bbf4eb1c491f06d4f9d5bd7211332d31dcead4bfb07b288473
Kaspersky Lab products detect theabove Turla samples with thefollowing verdicts:
Backdoor.Win32.Turla.cdBackdoor.Win32.Turla.ceBackdoor.Win32.Turla.clBackdoor.Win32.Turla.chBackdoor.Win32.Turla.cjBackdoor.Win32.Turla.ckTrojan.Win32.Agent.dne
References:1. Agent.btz: a Source of Inspiration?2. The Epic Turla operation3. The ‘Penquin’ Turla
Related Posts
I AM HDROOT!
PART 2
THE RISE OF
.NET ANDPOWERSHELLMALWARE
APT
RESEARCHDISCOURSEAT VIRUSBULLETIN
2015/10/28 Satellite Turla: APT Command and Control in the Sky - Securelist
https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ 16/17
THERE ARE 3 COMMENTS
If you would like to comment on this article you must first login
garahm steelePosted on September 9, 2015. 6:40 pm
would like more info regarding MITM etc
edPosted on September 10, 2015. 6:06 pm
Have you actually observed outbound c2 like you illustrate in thediagram? Or only downlink data being sent?
Jens LechtenbörgerPosted on September 14, 2015. 1:58 pm
Many thanks for sharing these observations!I believe that part of your analysis is mixed up.
> Once an IP address that is routed through the satellite’sdownstream link is identified, the attackers start listening for packetscoming from the Internet to this specific IP. When such a packet isidentified, for instance a TCP/IP SYN packet, they identify thesource and spoof a reply packet (e.g. SYN ACK) back to the sourceusing a conventional Internet line.
Say, Alice is the ordinary/legitimate subscriber, Bob sends this SYNpacket to her, which is also received by Mallory, and Mallory sendsthe SYN/ACK. If Bob sends this SYN packet, he probably expectsAlice to send the SYN/ACK, which she does. So, both Alice andMallory send a SYN/ACK. What is Mallory supposed to gain fromthis?
> At the same time, the legitimate user of the link just ignores thepacket as it goes to an otherwise unopened port, for instance, port
Reply
Reply
2015/10/28 Satellite Turla: APT Command and Control in the Sky - Securelist
https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ 17/17
80 or 10080.
Huh? Bob opened that connection, so he certainly does not ignorepackets. Alice responds to a SYN packet, so she does not ignoreeither. The port observed by Mallory quite likely is *not* unopened.
Instead, if I were Mallory, I would do the following: I see that Alice isa satellite subscriber and learn her IP address. Thus, I can sendTCP SYN to Port 80 on her IP address. If she does not run a webserver and is behind a firewall, I won’t receive a reply. Thus, I canuse her IP address and port 80 for my own server. (In fact, I canport scan on her; if she drops any SYN packet I can use that portinstead of 80.) Packets will be delivered to her and me, she (or herfirewall) throws away the packets, so my own connection will bestable.
I’d like to point out the lesson to be learned here: If you are on abroadcast network, send your RST packets. Otherwise, everyone isfree to hide under your IP address.
(Besides, if there are unassigned IP addresses, Mallory might justuse one of those—if they are routed by the satellite network’soperator, although they are unassigned.)
Reply