How Turla hackers (ab)used satellites to stay under the radar | Ars Technica
A very nifty hack. DVB-S broadcasts a subset of unencrypted IP traffic across a 600-mile radius:
The Turla attackers listen for packets coming from a specific IP address in one of these classes. When certain packets—say, a TCP/IP SYN packet—are identified, the hackers spoof a reply to the source using a conventional Internet line. The legitimate user of the link just ignores the spoofed packet, since it goes to an otherwise unopened port, such as port 80 or 10080. With normal Internet connections, if a packet hits a closed port, the end user will normally send the ISP some indication that something went wrong. But satellite links typically use firewalls that drop packets to closed ports. This allows Turla to stealthily hijack the connections. The hack allowed computers infected with Turla spyware to communicate with Turla C&C servers without disclosing their location. Because the Turla attackers had their own satellite dish receiving the piggybacked signal, they could be anywhere within a 600-mile radius. As a result, researchers were largely stopped from shutting down the operation or gaining clues about who was carrying it out. “It’s probably one of the most effective methods of ensuring their operational security, or that nobody will ever find out the physical location of their command and control server,” Tanase told Ars. “I cannot think of a way of identifying the location of a command server. It can be anywhere in the range of the satellite beam.”
(tags: turla hacks satellite security dvb dvb-s tcpip command-and-control syn)