Slashdot Mirror


Hackers Abuse Satellite Internet Links To Remain Anonymous

msm1267 writes: Poorly secured satellite-based Internet links are being abused by nation-state hackers, most notably by the Turla APT group, to hide command-and-control operations, researchers at Kaspersky Lab said today. Active for close to a decade, Turla's activities were exposed last year; the Russian-speaking gang has carried out espionage campaigns against more than 500 victims in 45 countries, most of those victims in critical areas such as government agencies, diplomatic and military targets, and others. Its use of hijacked downstream-only links is a cheap ($1,000 a year to maintain) and simple means of moving malware and communicating with compromised machines, Kaspersky researchers wrote in a report. Those connections, albeit slow, are a beacon for hackers because links are not encrypted and ripe for abuse.

26 comments

  1. Simple Summary by TheCarp · · Score: 2

    Normally, if a packet hits a closed port, a RST or FIN packet will be sent back to the source to indicate that there is nothing expecting the packet. However, for slow links, firewalls are recommended and used to simply DROP packets to closed ports.

    Generally speaking, spoofing requires some pretty specific constraints to work at all, and tends to not be a real issue. Well, here is the issue. When a legitimate host fails to respond to its end on an invalid connection.... you have half of the required conditions for spoofing to work well.

    Add to that the ability to see incoming traffic to that host....and you have the other half. Make sure they are unencrypted, and there is no way to figure out where the receiver is located....and you have really done it good.

    The rest of it pretty logically follows from there. They built exactly what you would expect them to build, either intentionally or due to dumb luck of connections, did it in Africa. Good luck finding them.

    --
    "I opened my eyes, and everything went dark again"
  2. Also a threat by aliens by dfn5 · · Score: 1

    If we don't secure our satellites invading aliens will be able to use them to coordinate their attack on us. Check Mate!

    --
    -- Thou hast strayed far from the path of the Avatar.
    1. Re:Also a threat by aliens by Anonymous Coward · · Score: 0

      Thank God that Jeff Goldblum and his trusty Mac can hack the alien hackers. And yes...they are making an Independence Day sequel.

    2. Re:Also a threat by aliens by Chris+Mattern · · Score: 1

      If we don't secure our satellites invading aliens will be able to use them to coordinate their attack on us. Check Mate!

      Yes, hitting that bullseye should make the dominoes fall like a house of cards.

    3. Re:Also a threat by aliens by Ungrounded+Lightning · · Score: 0

      Thank God that Jeff Goldblum and his trusty Mac can hack the alien hackers. And yes...they are making an Independence Day sequel.

      Apparently the administration at the time was appalled when they heard that, when the scene of the saucer giant-laser-blasting the White House into oblivion screened, theatre audiences cheered. B-)

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  3. Judas Priest "Electric Eye"... apk by Anonymous Coward · · Score: 0

    "Up here in space
    I'm looking down on you.
    My lasers trace
    Everything you do.
    You think you've private lives
    Think nothing of the kind.
    There is no true escape

    I'm watching all the time.
    I'm made of metal
    My circuits gleam.
    I am perpetual
    I keep the country clean.

    I'm elected electric spy
    I protected electric eye.
    Always in focus
    You can't feel my stare.
    I zoom into you
    You don't know I'm there.
    I take a pride in probing all your secret moves
    My tearless retina takes pictures that can prove.

    Electric eye, in the sky
    Feel my stare, always there
    There's nothing you can do about it.
    Develop and expose
    I feed upon your every thought
    And so my power grows.
    Protected. Detective. Electric eye."

    * FROM -> https://www.youtube.com/watch?...

    APK

    P.S.=> What was once a province of law enforcement agencies to do (what everyone's bitching about for years now ala "The Patriot Act" etc.), the hacker/cracker types have gotten ahold of & are utilizing it - talk about "reverse psychology" + "fighting fire w/ fire" in a "Turn about is 'fair play'" type scenario evidently... apk

    1. Re:Judas Priest "Electric Eye"... apk by Anonymous Coward · · Score: 2, Informative

      P.P.S=> I am an idiot... apk

      I realize now that I made a big mistake with my HOSTS FILE ENGINE & most of my posts to slashdot - I apologise & promise to try to be a bit nicer to fellow slashdot members + don't annoy them w/ my HOSTS FILE stories.

      APK

      P.S.=> I'm the real APK... apk

  4. LOL: Weak attempt @ "impersonating me" by Anonymous Coward · · Score: 0

    See subject: Which little trolling no balls worm are you I've burnt on hosts superiority to other "so-called 'solutions'" that are sold-out &/or crippled by default I wonder?

    * :)

    LMAO - reducing these "wallies" to ac posts they stalk & harass me by is 1 thing, but when they resort to "the last resort" of attempting to "impersonate me"? It makes me REALLY laugh!

    (... as well as utterly letting me KNOW I've done well on hosts files + my excellent program for it - especially when none of my 'courageous' (lol, NOT) 'naysayers/detractors' can prove my points wrong on hosts...))

    APK

    P.S.=> I love how you give it away by mentioning hosts too - that's the certainty I've SPANKED YOU MASSIVELY before regarding hosts, & so much so, you're reduced to these wimp tactics, ac post stalking/harassing me (when you DO HAVE A REGISTERED 'luser' ACCOUNT HERE), bogus downmods (yet never proving me wrong) & etc.- et al from weasels like that, lol... apk

    1. Re: LOL: Weak attempt @ "impersonating me" by Anonymous Coward · · Score: 0

      Hey man, windows telemetry bypasses HOSTS now. Plz fix?

  5. It must suck by hodet · · Score: 3, Funny

    It must suck trying to cause mayhem with 1000ms ping times.

    1. Re:It must suck by Tsolias · · Score: 1

      -Has it happened yet?
      -No.
      -Now?

    2. Re: It must suck by Anonymous Coward · · Score: 0

      That was SO funny, I forgot to laugh.

    3. Re:It must suck by Anonymous Coward · · Score: 0

      How about now?

  6. But How / Why? by Anonymous Coward · · Score: 0

    How/why are they able to send a spoofed source IP?

    I can spoof source IPs on my own LAN all day. But once it hits a router it's either dropped or, in very rare cases, the source IP is rewritten to the true source IP.

    Though this technique is clever, the real magic of this attack is being able to anonymously send spoofed source IPs. How are they doing that?

    1. Re:But How / Why? by Anonymous Coward · · Score: 1

      simple, haven't you heard of the spoof command? they use it all the time in the movies. you use it like this:

      $ spoof 69.41.160.2

    2. Re:But How / Why? by TheCarp · · Score: 1

      I thought being able to spoof out was generally fairly common last I checked (admittedly, it's been a while since I checked) and it's generally the other required additions that are more problematic to set up and use.... you know, when someone doesn't set up a service that is a spoofer's wet dream.

      --
      "I opened my eyes, and everything went dark again"
    3. Re:But How / Why? by jon3k · · Score: 2

      It's not terribly difficult to spoof source addresses, it's getting the return traffic back that's tricky. Source address filtering makes it difficult but not impossible. For example most ISPs will discard traffic from their subscribers that doesn't have a source address in a netblock they own/announce.

      But using a combination of spoofed source address on networks where filtering is difficult or not implemented properly, along with service amplification, it's still a problem.
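
The source address filtering described in the comment above, sketched as an added example (not part of the original thread and not any ISP's actual code): an edge device forwards a subscriber's packet only if its source address falls inside a prefix assigned to that subscriber port. The interface names, prefixes and packets are constructed, using documentation address ranges.

```python
import ipaddress

# Constructed sample: prefixes assigned to each subscriber-facing interface.
# These are documentation ranges, not real allocations.
ASSIGNED = {
    "cust-a": ["198.51.100.0/28", "2001:db8:a::/48"],
    "cust-b": ["203.0.113.64/26"],
}

def build_table(assigned):
    """Parse prefix strings once so each lookup is a cheap containment test."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in assigned.items()}

def check_source(table, iface, src):
    """Return (verdict, reason) for a packet arriving on a subscriber interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "malformed source")
    nets = table.get(iface)
    if nets is None:
        return ("drop", "unknown interface")
    for net in nets:
        if addr.version == net.version and addr in net:
            return ("forward", f"source within {net}")
    return ("drop", "source outside assigned prefixes")

def audit(table, packets):
    """Count forwarded packets and group dropped sources by ingress interface."""
    forwarded, dropped = 0, {}
    for iface, src, _dst in packets:
        verdict, reason = check_source(table, iface, src)
        if verdict == "forward":
            forwarded += 1
        else:
            dropped.setdefault(iface, []).append((src, reason))
    return forwarded, dropped

TABLE = build_table(ASSIGNED)

# Constructed packets: (ingress interface, source, destination).
PACKETS = [
    ("cust-a", "198.51.100.5", "192.0.2.10"),           # inside cust-a's IPv4 prefix
    ("cust-a", "203.0.113.70", "192.0.2.10"),           # cust-b's address on cust-a's port
    ("cust-a", "2001:db8:a:1::5", "2001:db8:ffff::1"),  # inside cust-a's IPv6 prefix
    ("cust-b", "203.0.113.65", "192.0.2.10"),           # inside cust-b's prefix
    ("cust-b", "10.0.0.7", "192.0.2.10"),               # private address leaking upstream
    ("cust-b", "not-an-ip", "192.0.2.10"),              # unparseable source
]

if __name__ == "__main__":
    print(audit(TABLE, PACKETS))
```

Grouping the drops by ingress interface shows which subscriber port is emitting out-of-prefix sources, which is the signal an operator would follow up on.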

    4. Re:But How / Why? by Anonymous Coward · · Score: 0

      BCP38 is still a large issue.

      captcha is idiotic, no really.

    5. Re:But How / Why? by TheCarp · · Score: 1

      Yup, that is why I said spoof out, since the ability to receive replies and not have the original host muck with your stream since the ability to receive the return traffic and not have the real host muck with it by sending the appropriate response to close your connection that the satellite companies have so graciously implemented.

      --
      "I opened my eyes, and everything went dark again"
  7. Hackers abuse satellite Internet links? by nickweller · · Score: 1

    "Hackers Abuse Satellite Internet Links To Remain Anonymous"

    How exactly are Turla hacking the Satellite system to gain unauthorized access, without paying for the service?

    1. Re:Hackers abuse satellite Internet links? by Anonymous Coward · · Score: 0

      If you actually read the links it tells you..

    2. Re:Hackers abuse satellite Internet links? by nickweller · · Score: 1

      It says they're hacking the ISP (by forging IP addresses) and not the satellite system in itself.

  8. I showed everyone how to fix it by Anonymous Coward · · Score: 0

    See subject: In a +5 upmodded post of mine here http://yro.slashdot.org/commen...

    * :)

    (MS also bypasses hosts for Windows Update too - now that isn't necessarily bad like the telemetry stuff you noted that I show you how to remove in the link above though...)

    APK

    P.S.=> And, "there ya go": VOILA! apk