Multiple media outlets have reported that a group of Russian-speaking hackers is “exploiting commercial satellites to siphon sensitive data from diplomatic and military agencies in the United States and in Europe as well as to mask their location.”
In covering the story in the Washington Post, Ellen Nakashima noted that Kaspersky Lab, a Moscow-based Russian cybersecurity firm, uncovered the space-based hack, and that the group, called “Turla, after the name of the malicious software it uses, also has targeted government organizations, embassies and companies in Russia, China and dozens of other countries, as well as research groups and pharmaceutical firms.”
Turla has used this technique for at least eight years, according to Stefan Tanase, senior security researcher at Kaspersky Lab, who explained that “Turla’s tactic exploits the fact that older satellites do not encrypt data streaming to Earth, and it relies on unsuspecting users of satellite Internet service providers around the world.”
Nakashima quotes Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike, an Irvine, Calif.-based cybersecurity technology firm, as saying that the Turla malware originated from a “sophisticated Russian-government-affiliated” hacker group that “we call Venomous Bear.”
The Financial Times explains that the method uses satellites and “hidden receiving stations in Africa and the Middle East” to “obscure the whereabouts of so-called ‘command and control’ services which issue instructions to malware on infected systems.” This method provides what Tanase calls “the ultimate level of anonymity” for the hackers.
Photo Credit: NOAA Image Library