
How hackers abused satellites to stay under the radar (2015) - nwrk
https://arstechnica.com/security/2015/09/how-highly-advanced-hackers-abused-satellites-to-stay-under-the-radar/
======
zkms
This beautiful exfiltration technique of _actively_ sending packets to an IP
address that will be routed on a link you can _passively_ eavesdrop on -- in
this case, a satellite link -- is one that appears in the leaked Snowden
documents: (warning, classified document)
[https://snowdenarchive.cjfe.org/greenstone/collect/snowden1/...](https://snowdenarchive.cjfe.org/greenstone/collect/snowden1/index/assoc/HASHfae2.dir/doc.pdf)

~~~
eddd
I love the last slide:

- do "the right thing" (whatever you the analysts think that is)

- Let me guess - you want everything, don't you?

------
x0ner
I've done a significant amount of research on these threat actors. Despite the
high tech exfiltration method and nation state support, researchers were still
able to easily find their infrastructure. Satellite communications were
encrypted via self-signed ssl certificates. Using internet scanning, we could
track their IP addresses and associated domains using the SHA-1 of their
certificate (map certificate to hosting IP). Happy to answer questions, but
you can also read more here. [https://blog.passivetotal.org/snakes-in-the-satellites-on-go...](https://blog.passivetotal.org/snakes-in-the-satellites-on-going-turla-infrastructure/)
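
The pivot x0ner describes (certificate fingerprint to hosting IPs to domains), as an added example that is not the commenter's or PassiveTotal's code: it computes the SHA-1 fingerprint the standard way (SHA-1 over the DER bytes) and indexes constructed scan records by it. The PEM bodies are base64 of marker strings rather than real certificates, and every IP, date and domain is made up for the example.

```python
import base64
import hashlib
import ssl
from collections import defaultdict

def fake_pem(raw: bytes) -> str:
    """Constructed stand-in for a certificate: real scan data carries genuine
    PEM; here the body is base64 of a marker so the example runs offline."""
    body = base64.b64encode(raw).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def cert_fingerprint(pem: str) -> str:
    """SHA-1 fingerprint as scanners and browsers show it: SHA-1 over the DER."""
    return hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

# Constructed scan records: (date seen, IP, PEM served on 443, domains resolving
# to that IP). 198.51.100.x stands in for the satellite provider's pool.
SCAN = [
    ("2015-06-03", "198.51.100.7",  fake_pem(b"constructed cert A"), ["cdn-update.example"]),
    ("2015-06-20", "198.51.100.31", fake_pem(b"constructed cert A"), ["cdn-update.example", "stat.example"]),
    ("2015-07-11", "203.0.113.50",  fake_pem(b"constructed cert B"), ["unrelated.example"]),
    ("2015-08-02", "198.51.100.88", fake_pem(b"constructed cert A"), []),
]

def build_index(scan):
    """Group observations by certificate fingerprint, keeping first-seen per IP."""
    index = defaultdict(lambda: {"ips": {}, "domains": set()})
    for seen, ip, pem, domains in scan:
        entry = index[cert_fingerprint(pem)]
        entry["ips"][ip] = min(seen, entry["ips"].get(ip, seen))  # ISO dates sort as strings
        entry["domains"].update(domains)
    return index

def pivot(index, seed_fp):
    """Infrastructure linked to one fingerprint: its IPs and the domains pointing at them."""
    entry = index.get(seed_fp)
    if entry is None:
        return [], []
    return sorted(entry["ips"]), sorted(entry["domains"])

def new_hosts_since(index, seed_fp, date):
    """IPs that started serving the tracked certificate after a given date
    (the signal that the actor moved or added a C&C host)."""
    entry = index.get(seed_fp, {"ips": {}})
    return sorted(ip for ip, first in entry["ips"].items() if first > date)

if __name__ == "__main__":
    idx = build_index(SCAN)
    fp = cert_fingerprint(fake_pem(b"constructed cert A"))
    print(fp, pivot(idx, fp), new_hosts_since(idx, fp, "2015-07-01"))
```

On real data the PEM comes from the scanner's record (or from ssl.get_server_certificate for a single host), and the rest of the pivot is unchanged.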

------
politician
Are these satellites in geosynchronous orbit? If not, and you've got a copy of
the malware, you ought to be able to narrow the location of the C&C server
using its orbit and a correlation analysis of when the malware receives comms
from the C&C. Depending on the orbit, I'll bet you could bracket it to a few
degrees. Since the attackers can't stop answering C&C calls or their network
collapses, merely publishing that you're doing such a search might be enough
to disrupt their operations.

Then again, maybe this blog post was just such an announcement.

EDIT: I'm willing to bet that satellite downlink performance degrades in bad
weather, so even if the sats are in geo-sync, you can just wait for inclement
weather to mask a region of the cone.

~~~
plq
$DAYJOB is about deploying satellite equipment.

> Are these satellites in geosynchronous orbit?

Yes. Satellites in other orbits require tracking antennas. A typical one has a
four-figure cost at the very least. And if you need uninterrupted connection,
you need to have at least two of them, one for tracking the one that sets, and
another for tracking the one that rises.

> I'm willing to bet that satellite downlink performance degrades in bad
> weather

Ku band, as deployed, is highly resilient to bad weather. The SNR will drop,
sure, but it will be well above the threshold where it will be unintelligible
to the receiver. These things are designed with worst weather conditions in
mind. If ever you lost satellite tv during bad weather, that's due to your
antenna shaking because of the wind, not rainfade.

DVB-S2 in particular supports adaptive coding modulation (ACM). The standard
supports between 4psk and 32psk which can be changed by the ground station
when fade is detected in their reference terminals scattered around the
footprint region.

You can't really do that for TV links where the bandwidth allocation is more-
or-less constant, but you can definitely change modulation for data links
which are actually designed to handle such fluctuations in available
bandwidth.

~~~
schiffern
> If ever you lost satellite tv during bad weather, that's due to your antenna
> shaking because of the wind, not rainfade.

Huh, my observations have been different. I lose TV even before the rain and
wind starts (trees make any wind quite visible), just because the dense dark
rain clouds are blocking the signal path. The rain typically starts a couple
minutes later.

For digital TV there's an incentive to maximize bandwidth. So they're going to
trade off signal:noise to get 99.99% (1-10 minutes/mo), but not 99.99999%.
Especially since as you say, the wind will result in some signal interruptions
anyway!

~~~
Moru
You might not have the most optimal angle on your satellite antenna so it's
very sensitive.

~~~
ficklepickle
Yes, very likely. I used to install and service satellite TV systems. You
probably have low signal strength to begin with. If not, perhaps there is a
tree that only blocks the signal when it's windy.

I once had a customer that lost signal in the rain. After much investigation,
I found a splice in the cable...in the gutters, which filled with water when
it rained.

------
ChuckMcM
Ok, that is pretty interesting. I wonder if this will lead to an encrypted
signal or deeper analysis of the uplink firewall logs.

I would guess you would defeat this once you know the C&C is operating by
doing traffic correlation on 'bad' connections (connections which should not
exist given the failed TCP handshake). Presuming you have core router access
at the ISPs then you would tell your sniffer to capture all traffic after a
C&C sequence detect and then work it backward to correlate related traffic. It
would require participation on the part of the ISPs.

~~~
topranks
Proper reverse path filtering would also work. The C&C servers should not be
able to spoof the IP of the legitimate satellite internet user to reply to the
eavesdropped packets. One day.

[https://tools.ietf.org/html/rfc2827](https://tools.ietf.org/html/rfc2827)

------
cm2187
I don't get it. It is impossible to identify who receives the packets but
TCP/IP requires an acknowledgement that the packets have been received before
sending more packets. Surely the C&C could be tracked from this
acknowledgement? Or were they using UDP?

~~~
zkms
UDP for everything would be workable and would remove the need for any sort of
spoofing on the uplink.

~~~
VectorLock
That would work for exfiltration, but not for the whole "command and control"
part of C&C.

------
diegoprzl
The last time I had read about this technique was in 2010. [1] Those slides
are a very good explanation. Back then I thought about it as a way to either
sniff confidential data from the downlink or as a way to have an anonymous
internet connection provided your ISP doesn't filter spoofed IPs. Very
interesting to see it used in the wild and for a C&C.

[1] [http://www.blackhat.com/presentations/bh-dc-10/Nve_Leonardo/...](http://www.blackhat.com/presentations/bh-dc-10/Nve_Leonardo/BlackHat-DC-2010-Nve-Playing-with-SAT-1.2-slides.pdf)

------
throwanem
Dan Goodin has been writing articles about technology for many years now. How
does he manage to keep doing so in such utterly incomprehensible fashion? I
mean, I get that it's not intended for an audience of seasoned network
engineers, but I don't see how it would leave a layman with a useful
impression, either...

------
gnode
I don't understand how this allowed them to conceal their location. Surely
whatever connection was being used to send commands could be traced back to
the attackers. Could someone explain why this isn't the case?

~~~
forgottenpass
The spoofed traffic theoretically could be traced back, but at the level of
internet routing it would impose a huge cooperation and monitoring
requirements on a number of networks. (As we can presume the origin network
that's letting spoofed traffic onto the internet isn't going to notice, and/or
would be uncooperative to someone investigating the source of the traffic.)

And that monitoring would have to have been active while the traffic spoofing
was ongoing. If an ISP has confidence that incoming traffic is spoofed they'll
just drop the packets instead of routing. So we're now talking about storing
metadata on traffic for after-the-fact analysis, which could be prohibitively
expensive considering the amount of traffic transiting networks, and has
privacy implications.

------
thefreeman
So this has to be some sort of state sponsored hacking right? I can't think of
a non government group who would have the knowledge, money, or motivation to
research this just to mask their origin when there are far simpler ways of
receiving transactions (i.e. bitcoin).

~~~
sillysaurus3
Not necessarily.

I briefly pretended to be a criminal, mostly for fun. (Most readers will go
"Uh huh" at this, but it was just a game.)

Say you're developing the next Silk Road. Say you have perfect opsec, and you
never reveal any personal info. What are your risks?

The #1 risk is discovery of your physical location. Before every action, you
must ask yourself: Will the next keystroke get me caught?

It takes immense discipline. I think rtm could probably do it if he put his
mind to it. Maybe tlb. Few others seem to have the personality for this.

Solving the location hiding problem is the first step toward doing anything
untoward. It's not as simple as "just use Tails." Try to build a service and
you'll discover all the reasons.

Money is the other half. I guess I may as well tell the story. You need money
in certain situations, and bitcoin isn't always good enough. You need
untraceable cash that you can spend online. You also need burner phones that
can't be tied to your physical location in order to sign up for all the normal
services. If you use Tor, you'll quickly discover that ~every service prompts
you for a phone number during account creation.

I solved this in a simple way: I waited until the middle of winter, then went
to goodwill and bought a bunch of clothes, old shoes, and a facemask. I
stuffed all of this in a trashbag, then paid a taxi in cash to drop me a
couple miles from a certain store that had both prepaid visa cards and burner
phones.

For the first half of the walk, I looked like a normal person walking along at
night, carrying a trashbag. I ducked into a neighborhood whose streetlights
were out, and went in between two houses. It was nearly pitch black as I put
on the clothes from the trashbag. I left the bag plus my old shoes hidden
there, then continued for the rest of the walk to the store. I bought $400
worth of $50 gift cards and two prepaid phones, then did the whole operation
in reverse.

Why? Because when your opponent is a nation-state, you have a risk of being
found via any other method. You can't drive anywhere because of license plate
trackers. You can't show your face at the store thanks to facial recognition.
You can't wear the same outfit without being picked up on CCTVs near your
home base in the same outfit that you were wearing at the store.

The same care has to be taken when activating and using the burner phones.
Every usage has to be treated as an operation, not an errand, or you're
caught. You have to assume one mistake => caught.

It was very satisfying having $400 in untraceable cash to set up an
untraceable service, complete with an online persona with gmail, twitter,
github, and every other normal service.

The reason for this level of paranoia was that in addition to being a game,
one of my main ambitions has been to fight against drug cartels. I wanted to
use technology to do this.

My hypothesis was that right now, the main reason cartels are so powerful is
that nobody is in a position to talk. Say you're a peon in a cartel: someone
who unloads the drug buses that run from Mexico to Chicago, for example. You
have very valuable knowledge: what times the buses will arrive, where they're
unloading, who's involved. But even if you wanted to snitch, you'd suffer a
fate worse than death if you're caught. What are you going to do? Keep
submitting this info as anonymous tips to the FBI's website? There's no
organized resource for peons to report activities like this. That's why I
wanted to build one. It's like SecureDrop for fighting cartels rather than
governments.

As you can tell from me posting this casually, nothing ever came of the
experiment. But if it had, I would've slept quite soundly knowing my location
was untraceable even with government-level resources aimed at tracking us
down.

All of this is to say that the "location problem" is very relevant to pretty
much any serious activity, government or not.

~~~
jacquesm
- did you have a cellphone in your pocket?

- where did you get the cash?

- by talking about it you negated all the advantages you built up

- if you walk into a store wearing a facemask you run the risk of being
arrested or even shot because they assume you are robbing the store

- you may have left fingerprints in the store

- the cabdriver has seen your face and knows your home address, you should
have walked to the spot where you changed your clothes

- the clothes bought at the goodwill, did you pay cash for those too?

- what happened to the clothes afterwards?

- how did you summon the cab to your change location?

- you're lucky that neither of the houses you changed next to had a dog

~~~
glenneroo
I'm not even GP but I think I can answer a lot of these. Are you maybe trying
a little too hard to play devil's advocate?

- did you have a cellphone in your pocket?

After going through all of this, do you honestly think he forgot that detail?

- where did you get the cash?

That's a good question. Hopefully he withdrew a different amount of cash on a
completely separate date, otherwise bank account and transactions surely could
be linked.

- by talking about it you negated all the advantages you built up

He said he is only mentioning it now because he didn't actually go through
with his plan i.e. he doesn't care.

- if you walk into a store wearing a facemask you run the risk of being
arrested or even shot because they assume you are robbing the store

What country do you live in where you're shot for wearing a facemask? Holy
shit.

- you may have left fingerprints in the store

Let's hope he wore gloves!

- the cabdriver has seen your face and knows your home address, you should
have walked to the spot where you changed your clothes

Why does he know his home address? Taxis drive around in many cities. In most
cities in Europe (regardless of size) there are taxis everywhere and also taxi
parking spots, where there are usually a few taxis waiting.

- the clothes bought at the goodwill, did you pay cash for those too?

Is this a serious question? After all that other work and thinking the process
through, why would he all of a sudden use a traceable ATM/credit-card?

- what happened to the clothes afterwards?

Hopefully burned. Or thrown away in a trash can far, far away. I would assume
GP knows better than to throw them in his own trash.

- how did you summon the cab to your change location?

As mentioned above, taxis (in Europe at least) are everywhere. No need to
summon. Just walk around for a few minutes.

- you're lucky that neither of the houses you changed next to had a dog

Why? Because the dog will bark? And? Dogs bark all the time, because there's a
bird, a cat, leaves in the wind, etc.

~~~
jacquesm
> I'm not even GP but I think I can answer a lot of these

If you can, then he's failed even more. So no, I don't think that you can
answer _any_ of them.

The point I'm trying to make is that the best made plans of men and mice fail
due to overlooking some small detail. I could easily make that list 10 times
as long. One or more slip ups could allow someone to tie 1-and-1 together to
make 3 and it is game over. The funniest part of this whole discussion is that
it starts with utterly underestimating the enemy, which is a serious mistake
right from getting out of the gate.

_If_ you are going to do something as audacious as going up against a drug
cartel you have to keep in mind that these are the kind of groups who would
hesitate at absolutely nothing if they feel that you are their enemy.
Informants and undercover police and other infiltrators (for instance from
rival gangs) are routinely murdered, and their families too if that's how the
wind blows.

Before you start on a job like that you begin with laying the groundwork over
the course of several years, any step along the way that can give away the
game will endanger you and those around you. This is not something you cook up
one fine winter evening and put in motion without some extremely careful
planning and creating multiple levels of cut-outs for any kind of activity
that might point at your real identity.

The only thing buying a couple of burner phones with cash is going to do is
raise suspicion, it is not going to do much in terms of protecting you.

If the OP would put his plan to go after some drug related criminal
organization in motion the most likely outcome of the adventure would be 3
lines on page 12 of a newspaper mentioning a disfigured body found floating in
a river or a missing person report.

Life is not a video game, you do not get 3 lives and the same player does not
get to try again in case of failure.

If you didn't come from a life of crime or from a life of being in law
enforcement then your best strategy is to avoid at all costs to get mixed up
in this sort of thing.

Even the Unabomber eventually got caught and he was a lot better at tradecraft
than sillysaurus here.

~~~
whoami_nr
Wait. I thought the Unabomber got caught after he made people publish his
manifesto online/on TV. From what I remember from reading on the internet, his
relatives identified certain key points in the manifesto and immediately
tipped the FBI telling them about him and his similar ideologies.

~~~
jacquesm
Yes, exactly that is my point.

So after all that careful work he still managed to blow it by not thinking of
one obvious thing and he's been rotting in jail, ironically after he swore he
would stop his bombing spree if they published his writing. He could not have
been more right about that, his writings definitely made an end to his life as
a domestic terrorist.

Staying alive and free while you are making powerful enemies is hard. The
Unabomber was one of the smartest terrorists ever (IQ 160+), had a really long
time to prepare what he did, was a lone wolf (which is a huge advantage
compared to a larger number of people) and in the end blew it completely.

------
ryanmarsh
So then how was this discovered?

~~~
cowholio4
I assume by looking at the command and control IPs and looking for what is
common (i.e. that they were from satellite ISPs).

You can read the original post here: [https://securelist.com/72081/satellite-turla-apt-command-and...](https://securelist.com/72081/satellite-turla-apt-command-and-control-in-the-sky/)

------
libeclipse
I don't understand how this works. The article doesn't go into much depth.

They listen on data coming from a satellite for certain IPs, then connect to
those IPs directly? How does that allow two-way communication?

~~~
fireflash38
If I understand this correctly:

1. Infected system sends packets to a decoy

2. The decoy ignores the fake packets (dropped by firewall)

3. The real command center which is located in the same region as the decoy
accepts the packets [1]

4. Real command center can still send commands to infected system via
landline, but receive data by satellite.

[1] Satellite downlink data is sent to a relatively large area.

~~~
libeclipse
Infected system sends packets to a decoy what? Satellite? And then the
satellite forwards it.

~~~
rblatz
Let's say John lives near (200 miles away) the C&C server and that John's IP is
192.168.7.2. John is the decoy, so the malware sends requests to John's IP.
John doesn't get the requests, due to his firewall blocking them, leaving
these lingering open tcp connections. So the C&C server is free to finish the
TCP handshake spoofing their IP to be 192.168.7.2.

As far as anyone can tell they are John, but when you go to John's house to
shut down the C&C server you end up at a dead end.

~~~
libeclipse
1) How does the satellite come into this.

2) How does the C&C server complete the request. Are the hanging ports on the
victim's side?

3) If the C&C server completes the connection, how do they carry on talking?
Just like spoofing IPs, you can't ever get a reply. Or do they do the John
decoy thing for every packet?

~~~
XaspR8d
1) The satellite system broadcasts to everyone (apparently poorly/not
encrypted) in the area, so it isn't necessary to take over any upstream
routing in order to get a hold of the incoming packets. They just arrive at
your doorstep, and since you configured them to be rejected by normal clients
you know you won't have to compete for the response.

2) The C&C just responds over regular land-line. (Since the satellite service
is download-only, this isn't any different from the service's normal clients.)

3) The reply keeps coming back over satellite and they keep grabbing it?

~~~
theEXTORTCIST
I believe you are correct in your understanding. Mine was a little different.
I thought this was a classic asymmetrical routing scenario on the Internet
with a cool eavesdropper twist.

I'm assuming that because the sat system broadcasts unencrypted, you can sniff
all the packets for all hosts on that network just like you can on a wifi
network with the proper promiscuous mode receiver. An unencrypted shared
broadcast medium.

So packet flow is routed inbound from victim as such

(victim SYN to decoy IP) to (internet) to (sat broadcast to geographic area
decoy and attacker C&C)

But packet flow outbound from C&C to victim is handled differently via
landline

(spoofed decoy IP) to (landline/internet) to (victim)

So packets come in via sat link but go out via spoofed source on a landline.
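
As an added illustration (not code from any commenter or from the article) of topranks's reverse-path-filtering point and of the inbound/outbound split theEXTORTCIST lays out above: a toy access-router filter in Python that applies RFC 2827 ingress filtering on customer ports and unicast RPF elsewhere, run over constructed packets. All interface names, prefixes and addresses are assumptions made up for the example.

```python
import ipaddress
from collections import namedtuple

# src/dst as written in the IP header, iface = interface the packet arrived on
Packet = namedtuple("Packet", "src dst iface tcp")

# Constructed access-ISP config: each customer port may only originate the
# prefixes assigned to that customer (RFC 2827 / BCP 38 ingress filtering).
INGRESS_ALLOWED = {"cust-eth1": ["203.0.113.0/24"]}   # the C&C box sits here

# Constructed forwarding table for unicast RPF (prefix -> egress interface);
# no default route, as on a router carrying a full table.
ROUTES = {
    "198.51.100.0/24": "sat-peer0",  # satellite ISP's subscriber pool (decoy lives here)
    "203.0.113.0/24":  "cust-eth1",
    "192.0.2.0/24":    "transit0",   # the victim's network, reached via upstream
}

def best_route(ip):
    """Longest-prefix match; returns (network, iface) or None if unrouted."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def bcp38_ok(pkt):
    """Customer edge only: the source must fall inside that port's prefixes."""
    if pkt.iface not in INGRESS_ALLOWED:
        return True
    src = ipaddress.ip_address(pkt.src)
    return any(src in ipaddress.ip_network(p) for p in INGRESS_ALLOWED[pkt.iface])

def urpf_ok(pkt, mode):
    """strict: best route to the source must leave via the ingress interface;
    loose: some route must exist. Strict breaks legitimate asymmetric paths
    (satellite down, terrestrial up), so transit ports usually run loose."""
    route = best_route(pkt.src)
    if route is None:
        return False
    return route[1] == pkt.iface if mode == "strict" else True

def filter_packets(packets, transit_mode="loose"):
    """One verdict per packet: 'accept', 'drop:bcp38' or 'drop:urpf'."""
    verdicts = []
    for p in packets:
        mode = "strict" if p.iface in INGRESS_ALLOWED else transit_mode
        if not bcp38_ok(p):
            verdicts.append("drop:bcp38")
        elif not urpf_ok(p, mode):
            verdicts.append("drop:urpf")
        else:
            verdicts.append("accept")
    return verdicts

# Constructed traffic: the victim 192.0.2.10 sent a SYN to decoy 198.51.100.7
# and the C&C on cust-eth1 answers it with the decoy's address as source.
SAMPLE = [
    Packet("203.0.113.9",  "192.0.2.10",   "cust-eth1", "SYN"),      # genuine customer traffic
    Packet("198.51.100.7", "192.0.2.10",   "cust-eth1", "SYN-ACK"),  # spoofed reply, caught at the edge
    Packet("192.0.2.10",   "198.51.100.7", "transit0",  "SYN"),      # victim's SYN bound for the sat ISP
    Packet("10.99.0.1",    "192.0.2.10",   "transit0",  "SYN"),      # unrouted source from upstream
    Packet("198.51.100.7", "192.0.2.10",   "transit0",  "SYN-ACK"),  # same spoof, from an ISP that did not filter
]
```

The last packet is the "one day" problem: once a spoofed reply has left an ISP that does no ingress filtering, loose uRPF downstream accepts it, and strict mode would reject it only at the cost of also cutting off genuine satellite subscribers whose uplink is terrestrial.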

------
VectorLock
What satellite internet provider isn't doing egress filtering on their
customers land-line connections?

Asking for a friend...

------
Eun
tldr:
[https://youtube.com/watch?v=Du3rBVZqKkk](https://youtube.com/watch?v=Du3rBVZqKkk)

------
kusmi
Why pharmaceutical companies, I wonder?

------
Pigo
Is this how /pol/ found Shia's flag?

