Satellite Turla: Hiding in the Sky

Turla is one of the most advanced threat actors
– and it’s still out there. One of the reasons for that is their ability to hide their Command
and Control servers, which are so often detected and decommissioned by authorities and security
providers. Research by Kaspersky Lab’s experts has proved that Turla, a Russian-speaking threat
actor, is using satellite connections to do this.

The attackers first find a number of decoys: regular users of asynchronous satellite internet
connections. Masquerading as these ordinary users, Turla servers receive calls from infected
machines via satlink and answer using a regular, fast landline with a spoofed acknowledgement,
which appears to be coming from the unsuspecting decoys’ addresses.

This trick is mainly used to hide from authorities; it’s the other mechanisms Turla uses that
potential targets should worry about. Turla is actively using exploits, delivered via
watering holes and spearphishing emails. Hence the acute need for advanced endpoint protection,
mail security and automated vulnerability management such as those offered by Kaspersky
Lab. Also, our Intelligence Services may be worth particular attention: the Data Feeds
service would provide knowledge about waterholing hosts and IPs the attackers are using to hide
their servers. And because the human factor is the most exploited vulnerability ever,
Cybersecurity Training is well worth considering. Make no mistake: though Turla’s targets are
mostly government, military, research and pharmaceutical organizations, your enterprise
could still be attacked. Your business contacts with any of these could, in Turla’s eyes,
make your IT network a stepping stone for attacking the juicier target. You therefore
need a comprehensive strategy, and if you are keen on implementing one, the Kaspersky Enterprise
Portfolio of products and services could be the answer.

