One of the world’s most sophisticated hacking groups, linked to the Russian government, has been accused of hijacking vulnerable commercial satellite communications, using hidden receiving stations in Africa and the Middle East to mask attacks on Western military and governmental networks.
The group, which operates Ouroboros — the virulent malware also known as “Snake” or “Turla” — was outed last year as having mounted aggressive cyber espionage operations against Ukraine and a host of other European and American government organisations over nearly a decade.
In a report released on Wednesday, digital security and intelligence firm Kaspersky Lab, which was among the first to analyse the Ouroboros hackers’ activities in 2014, said it had identified a new “exquisite” attack channel being used by the group that was virtually untraceable.
The method, using space communications, is designed to obscure the whereabouts of so-called “command and control” servers which issue instructions to malware on infected systems.
Because hackers must communicate regularly with the machines they have compromised in order to extract information, that traffic can let a network’s defenders identify ongoing attacks and work out their origins.
“This method makes it almost impossible to discover the physical location of these [command] servers,” said Stefan Tanase, senior security researcher at Kaspersky. “Safe to say this is the ultimate level of anonymity that any cyber espionage group has reached in terms of hiding its origins.”
The Ouroboros satellite hack exploits the fact that most downstream commercial satellite communications — those being sent from satellites back to earth — are unencrypted, and so can be spoofed.
The process, according to Kaspersky, follows a number of steps.
First, the Ouroboros malware sends out a request for instructions. Whereas ordinarily such a request would go straight to a command and control server — and thus be traceable — Ouroboros instead sends the request to an unwitting decoy server, which has been selected because the hackers have identified it as a satellite communications user.
The request from Ouroboros is then automatically routed via a commercial satellite and beamed to earth towards the location of the decoy.
Once the decoy server receives the request for instructions, it discards it, because the request is meaningless to it.
But the satellite will have beamed the request over a large geographical area. A hidden receiver anywhere in the area, planted by Ouroboros’ operators, can then pick up the unencrypted request. The receiver then issues a reply to Ouroboros, disguised as a communication returning from the decoy.
Any defender looking to trace communications from Ouroboros back to its controllers will thus lose their trace from the point at which the data becomes a signal beamed from a satellite, effectively breaking any direct digital link.
Ouroboros’ handlers appear to favour satellite operators in the Middle East and Africa, Kaspersky’s report said. Depending on the size of the receiving dish they have in place, the area counter-intelligence investigators would have to search for the Ouroboros receivers could be tens of thousands of square kilometres.
“The receivers do not necessarily cost much themselves but finding a physical location for these indicates that there is some kind of extensive logistical support network,” Mr Tanase said. Such operations point to a state intelligence service, he added.
Western security officials have previously told the Financial Times they believe Ouroboros to be a Russian operation — a fact supported by the group’s targets and clues in the coding of the malware itself.
Satellite operators are meanwhile powerless to prevent the hackers from routing requests through their networks — at least for the next few years. Short of that, the only way to stop it, experts note, would be for them to encrypt all of their downstream communications — a process that would require the launch of entirely new satellite arrays.