DecryptedTech

Friday19 August 2022

Hackers using unencrypted satellite communication to hide C&C servers


Reading time is around minutes.

Security and malware research company, Kaspersky has recently released a paper describing what they say is the “ultimate level of anonymity” used by any malicious hacking group. In their report they describe a new attack by the group Ouroboros as “exquisite”. This is the same group that was linked to the Turla malware last year so we are not talking about amateurs or script kiddies. The attack uses commercial satellites’ unencrypted communication channels to send and receive traffic to their C&C servers.

Now to give you a little background, a large amount of commercial communications sent via satellite are still sent in the clear. There are many reasons for this some were valid at the time such as equipment cost and the problems with maintaining or updating encryption keys on all of the links in the hardware. Other, more shadowy reasons have been linked to the NSA in the same way that the lack of encryption on the internet has been. Now the cost to move to fully encrypted channels would be staggering although there is some talk of doing a phased move to encryption for this type of communication.

The way things work is that the data is sent encrypted to the relay station, beamed up to the satellite in the clear and then down to a relay station at the far end. The data can then be encrypted again to protect its travels to its final destination. Newer systems like DirectTV and Satellite radio and many cable TV stations are being sent out with some basic encryption and signal scrambling, but it is really nothing that you cannot easily decode.

Ouroboros is using this system to mask their command and control communication. An infected system can send their command requests via a satellite to a remote location. The relay that the data is being sent to has no connection to the network so it will drop the signal there. However, using a relay located inside the bean radius Ouroboros can also pick this signal up and relay it to the real C&C server. If there are commands waiting the signal can be sent back out to the same satellite. As the broadcast range for commercial signals can be quite wide it makes finding the bad guys dish difficult. It is technically possible to look for the return signal and try to geolocate that, but if the return signal is sent through different dishes or one that is mobile it can be more problematic. According to Kasperky the broadcast areas appear to be in the Middle East and Africa with the group using hijacked DVB-S signals and IP ranges of providers in the regions mentioned. By using DVB-S they can hide a little better as DVB-S is download only. The return signal is sent to a relay to be beamed back up to the satellite. This method is also very cost effective and easy to set up

If Kasperky’s claims are accurate then this would be an extremely sophisticated means of communication, but it not one that is impossible to track down. Inside any command string will be identifying information that can be used to track those calls. Even if these servers only talk via satellite signals there are ways narrow down the field to identify them. Theoretically you can begin tracking the commands returning from the C&C servers. You can do this through the use of honeypot systems (ones infected with the malware). You track the signals to the satellite and watch for the return command by subtly adjusting the antenna angle on the satellite (yes this can be done) you can find where a signal is coming from. These types of adjustments are usually only done when a satellite starts having issues receiving the return signal from a known transmitter, but should be able to work on other transmitters in the target region. Even a mobile station could be tracked in this manner depending on the frequency of the command calls.

Ouroboros’ use of satellites to talk to their network of infected computers is pretty cool and very smart. It also highlights something that should be very clear by now. The idea of sending any signals unencrypted is just plain dumb. We know that the companies running these satellites are not going to rush out and replace them, but knowing that someone is misusing them in this manner should (hopefully) put pressure on them to make the change sooner rather than later. We will be keeping an eye on this one to be sure.

Additional information

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.