Slashdot Mirror


Hackers Abuse Satellite Internet Links To Remain Anonymous

msm1267 writes: Poorly secured satellite-based Internet links are being abused by nation-state hackers, most notably by the Turla APT group, to hide command-and-control operations, researchers at Kaspersky Lab said today. Active for close to a decade, Turla's activities were exposed last year; the Russian-speaking gang has carried out espionage campaigns against more than 500 victims in 45 countries, most of those victims in critical areas such as government agencies, diplomatic and military targets, and others. Its use of hijacked downstream-only links is a cheap ($1,000 a year to maintain) and simple means of moving malware and communicating with compromised machines, Kaspersky researchers wrote in a report. Those connections, albeit slow, are a beacon for hackers because links are not encrypted and ripe for abuse.

4 of 26 comments

  1. Simple Summary by TheCarp · Score: 2

    Normally, if a packet hits a closed port, a RST or FIN packet will be sent back to the source to indicate that there is nothing expecting the packet. However, for slow links, firewalls are recommended and used to simply DROP packets to closed ports.

    Generally speaking, spoofing requires some pretty specific constraints to work at all, and tends to not be a real issue. Well, here is the issue. When a legitimate host fails to respond to its end on an invalid connection.... you have half of the required conditions for spoofing to work well.

    Add to that the ability to see incoming traffic to that host....and you have the other half. Make sure they are unencrypted, and there is no way to figure out where the receiver is located....and you have really done it good.

    The rest of it pretty logically follows from there. They built exactly what you would expect them to build, either intentionally or due to dumb luck of connections, did it in Africa. Good luck finding them.

    --
    "I opened my eyes, and everything went dark again"
  2. Re:Judas Priest "Electric Eye"... apk by Anonymous Coward · Score: 2, Informative

    P.P.S=> I am an idiot... apk

    I realize now that I made a big mistake with my HOSTS FILE ENGINE & most of my posts to slashdot - I apologise & promise to try to be a bit nicer to fellow slashdot members + don't annoy them w/ my HOSTS FILE stories.

    APK

    P.S.=> I'm the real APK... apk

  3. It must suck by hodet · Score: 3, Funny

    It must suck trying to cause mayhem with 1000ms ping times.

  4. Re:But How / Why? by jon3k · Score: 2

    It's not terribly difficult to spoof source addresses, it's getting the return traffic back that's tricky. Source address filtering makes it difficult but not impossible. For example most ISPs will discard traffic from their subscribers that doesn't have a source address in a netblock they own/announce.

    But using a combination of spoofed source address on networks where filtering is difficult or not implemented properly, along with service amplification, it's still a problem.
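The silent-DROP condition in comment 1 and the spoofed-source traffic in comment 4 both look the same from the legitimate satellite subscriber's side: repeated inbound SYNs to ports nothing is listening on, which the firewall drops without a word. The check below is an added example, not code from the article, the Kaspersky report or either commenter; it parses constructed firewall log lines in the style of a netfilter LOG rule (the `SAT-DROP` prefix, interface name and addresses are all assumptions) and flags closed ports that a single remote host keeps connecting to, which is what a bot reaching a C2 that is borrowing your downlink address would look like.

```python
import re
from collections import defaultdict

# Constructed sample lines, not a real capture: one subscriber (198.51.100.20)
# silently dropping unsolicited SYNs arriving over its satellite interface.
SAMPLE_LOG = """\
kernel: SAT-DROP IN=sat0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=80 WINDOW=8192 SYN
kernel: SAT-DROP IN=sat0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=51235 DPT=80 WINDOW=8192 SYN
kernel: SAT-DROP IN=sat0 SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP SPT=40001 DPT=8080 WINDOW=65535 SYN
kernel: SAT-DROP IN=sat0 SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP SPT=40002 DPT=8080 WINDOW=65535 SYN
kernel: SAT-DROP IN=sat0 SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP SPT=40003 DPT=8080 WINDOW=65535 SYN
kernel: SAT-DROP IN=sat0 SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP SPT=40004 DPT=8080 WINDOW=65535 SYN
kernel: SAT-DROP IN=sat0 SRC=198.51.100.9 DST=198.51.100.20 PROTO=TCP SPT=22222 DPT=22 WINDOW=8192 SYN
"""

# Matches only dropped TCP SYNs; other protocols and flag combinations are ignored.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+).*?PROTO=TCP.*?DPT=(\d+).*\bSYN\b")


def parse_dropped_syns(log_text):
    """Yield (src, dst, dport) for every dropped inbound SYN in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, dpt = m.groups()
            yield src, dst, int(dpt)


def find_suspicious_ports(log_text, listening_ports, min_syns=3):
    """Return {dport: {src: count}} for closed ports that one remote host keeps
    SYN-ing to. A few stray probes per port are normal background noise; the
    same remote address retrying the same closed port is the pattern worth
    looking at, because a hijacker's peers expect someone to answer there."""
    counts = defaultdict(lambda: defaultdict(int))
    for src, _dst, dport in parse_dropped_syns(log_text):
        if dport in listening_ports:
            continue  # a service we really run; not the silent-host case
        counts[dport][src] += 1
    return {p: dict(s) for p, s in counts.items() if max(s.values()) >= min_syns}


if __name__ == "__main__":
    print(find_suspicious_ports(SAMPLE_LOG, listening_ports={22}))
```

Answering closed ports with a RST (REJECT rather than DROP) removes the silent-host condition the first comment describes, at the cost of sending one extra packet over the slow link for every stray probe.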