Hackers Abuse Satellite Internet Links To Remain Anonymous
msm1267 writes: Poorly secured satellite-based Internet links are being abused by nation-state hackers, most notably by the Turla APT group, to hide command-and-control operations, researchers at Kaspersky Lab said today. Active for close to a decade, Turla's activities were exposed last year; the Russian-speaking gang has carried out espionage campaigns against more than 500 victims in 45 countries, most of those victims in critical areas such as government agencies, diplomatic and military targets, and others. Its use of hijacked downstream-only links is a cheap ($1,000 a year to maintain) and simple means of moving malware and communicating with compromised machines, Kaspersky researchers wrote in a report. Those connections, albeit slow, are a beacon for hackers because links are not encrypted and ripe for abuse.
Generally speaking, spoofing requires some pretty specific constraints to work at all, and tends to not be a real issue. Well, here is the issue. When a legitimate host fails to respond to its end on an invalid connection.... you have half of the required conditions for spoofing to work well.
Add to that the ability to see incoming traffic to that host....and you have the other half. Make sure they are unencrypted, and there is no way to figure out where the receiver is located....and you have really done it good.
The rest of it pretty logically follows from there. They built exactly what you would expect them to build, either intentionally or due to dumb luck of connections, did it in Africa. Good luck finding them.
"I opened my eyes, and everything went dark again"
If we don't secure our satellites invading aliens will be able to use them to coordinate their attack on us. Check Mate!
-- Thou hast strayed far from the path of the Avatar.
P.P.S=> I am an idiot... apk
I realize now that I made a big mistake with my HOSTS FILE ENGINE & most of my posts to slashdot - I apologise & promise to try to be a bit nicer to fellow slashdot members + don't annoy them w/ my HOSTS FILE stories.
APK
P.S.=> I'm the real APK... apk
It must suck trying to cause mayhem with 1000ms ping times.
Simple, haven't you heard of the spoof command? They use it all the time in the movies. You use it like this:
$ spoof 69.41.160.2
I thought being able to spoof out was generally fairly common last I checked (admittedly, it's been a while since I checked) and it's generally the other required additions that are more problematic to set up and use.... you know, when someone doesn't set up a service that is a spoofer's wet dream.
"I opened my eyes, and everything went dark again"
It's not terribly difficult to spoof source addresses, it's getting the return traffic back that's tricky. Source address filtering makes it difficult but not impossible. For example most ISPs will discard traffic from their subscribers that doesn't have a source address in a netblock they own/announce.
But using a combination of spoofed source address on networks where filtering is difficult or not implemented properly, along with service amplification, it's still a problem.
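The source address filtering described in the comment above, sketched as an added example that is not part of the original thread: an access network forwards a subscriber's packet only if its source address falls inside a prefix assigned to that subscriber's port. The port names, prefix table and sample packets are constructed for illustration and use RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed sample table: prefixes each subscriber port may use as a source.
# All addresses are RFC 5737 documentation ranges, not real assignments.
ASSIGNED = {
    "port-1": ["192.0.2.0/25"],
    "port-2": ["192.0.2.128/25", "198.51.100.0/24"],
}

def build_table(assigned):
    """Parse prefix strings once so per-packet checks are cheap."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assigned.items()}

def check_source(table, port, src):
    """Return 'forward' if src is inside a prefix assigned to port, else 'drop'."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"  # unparseable source address
    nets = table.get(port, [])  # unknown port: nothing is allowed
    ok = any(n.version == addr.version and addr in n for n in nets)
    return "forward" if ok else "drop"

def filter_packets(table, packets):
    """Apply the check to (port, src, dst) tuples; return verdicts and drop count."""
    verdicts = [(pkt, check_source(table, pkt[0], pkt[1])) for pkt in packets]
    dropped = sum(1 for _, v in verdicts if v == "drop")
    return verdicts, dropped

# Constructed sample traffic. The second packet claims a source address that
# was never assigned to port-1, which is what a spoofed reply looks like at
# the sender's own access network.
SAMPLE = [
    ("port-1", "192.0.2.10", "198.51.100.20"),
    ("port-1", "203.0.113.7", "198.51.100.20"),
    ("port-2", "198.51.100.99", "192.0.2.10"),
    ("port-3", "192.0.2.10", "198.51.100.20"),
]

if __name__ == "__main__":
    results, dropped = filter_packets(build_table(ASSIGNED), SAMPLE)
    for pkt, verdict in results:
        print(verdict, pkt)
    print("dropped:", dropped)
```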
Yup, that is why I said spoof out, since the ability to receive replies and not have the original host muck with your stream since the ability to receive the return traffic and not have the real host muck with it by sending the appropriate response to close your connection that the satellite companies have so graciously implemented.
"I opened my eyes, and everything went dark again"
"Hackers Abuse Satellite Internet Links To Remain Anonymous"
How exactly are Turla hacking the Satellite system to gain unauthorized access, without paying for the service?