Kaspersky Lab: Russian hackers and a Brazilian attack on satellites used by ships and aircraft.

February 9, 2016

SOURCE:

http://radiolawendel.blogspot.it/2016/02/kaspersky-lab-gli-hacker-russi-e.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+Radiopassioni+(Radiopassioni)

 

Kaspersky Lab, a Russian company specializing in computer security technologies and services, reveals the existence of a real commercial network, based in Brazil, that since 2005 has been clandestinely distributing the software ("toolkit") needed to run cyber-attack and industrial-espionage campaigns against companies. Poseidon, the name Kaspersky gave to the group and its malware, is able to use very diverse communication channels, including the satellite links used at sea to support navigation. Unfortunately, the weakness of satellite links for infrastructure such as Iridium or Inmarsat has long been known: in 2014 the IOActive company published a detailed whitepaper explaining the weaknesses of so-called "satcom". For maritime services the risks are real: ships could suffer very serious cyber attacks, and the danger is not confined to the communication channels but extends to navigation devices and communication systems, which malware could turn into command centers for further attacks. On its Securelist blog and on the business.kaspersky.com channel, Kaspersky gives some explanation of the attacks used to "hijack" the satellite link.

 During a particular campaign, conventional Poseidon samples were directed to IPs resolving to satellite uplinks. The networks abused were designed for internet communications with ships at sea which span a greater geographical area at nearly global scale, while providing nearly no security for their downlinks.

Kaspersky Lab experts explain that the attackers achieve this with a trick known as satlink hijacking, a technique a Russian-speaking group has been using since 2007. It exploits the fact that on asymmetric satellite internet links the downstream is broadcast in the clear, so anyone with a dish in the satellite's footprint can sniff the traffic and distill the IP addresses of active satellite subscribers. All the attackers then need is to set up their servers to answer on those same IPs, configure the addresses into their malware and, after a successful infection, wait for its call to the C&C.

What happens next: the satellite broadcasts the request from the infected machine over its whole coverage area, so both the attackers and the law-abiding subscriber who really owns the address receive it. Unlike the attackers' server, the subscriber's system is extremely unlikely to run a service on the chosen port, so it simply drops the packet without acknowledging it; replying would only add load to the thin cellular upstream channel used in such asymmetric links. Having seen the malware's call on the downlink, the C&C answers over an ordinary fast landline with a spoofed acknowledgement whose source address is that of the hapless satellite subscriber. From the infected machine's point of view the handshake completes normally with the subscriber's IP, and nothing in it points at the attackers' real infrastructure.
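The exchange described above, traced end to end as an added example (this is not Kaspersky's code nor anything from the group's tooling; the three-party "network", the subscriber and attacker behaviour, and all addresses are constructed in-process so it runs offline). It also goes one step beyond the text with an operator-side check: the ground station sees the downlink and the subscriber's uplink, so an ACK arriving for a flow the subscriber never opened nor accepted is a session that exists only in the sky.

```python
"""Satlink hijacking, modelled in-process.  Added illustration, not real tooling.

  * Downlink: one-way satellite broadcast that every dish in the footprint
    receives (legitimate subscriber and attacker alike).
  * Subscriber: modem drops inbound SYNs to closed ports instead of replying
    (as the article describes), so nothing is spent on the thin uplink.
  * Attacker: sniffs the downlink, picks a busy subscriber IP with an idle
    port, and answers over an ordinary terrestrial link with the subscriber's
    address spoofed as the source.
  * Bot: an infected host anywhere on the internet; it only ever sees a
    completed handshake with the subscriber's IP.
All addresses are constructed (RFC 5737 documentation ranges).
"""
from collections import Counter
from dataclasses import dataclass, field

SYN, SYN_ACK, ACK = "SYN", "SYN-ACK", "ACK"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str


def flow_key(p):
    """Direction-independent identity of a TCP flow."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


@dataclass
class Downlink:
    receivers: list = field(default_factory=list)
    log: list = field(default_factory=list)          # what the operator can see going down

    def broadcast(self, pkt):
        self.log.append(pkt)
        for r in self.receivers:                     # every dish hears every packet
            r.on_downlink(pkt)


@dataclass
class Subscriber:
    ip: str
    open_ports: frozenset
    uplink_log: list = field(default_factory=list)   # what the modem actually sends back

    def on_downlink(self, pkt):
        if pkt.dst != self.ip:
            return
        if pkt.flags == SYN and pkt.dport in self.open_ports:
            self.uplink_log.append(Packet(self.ip, pkt.src, pkt.dport, pkt.sport, SYN_ACK))
        # Anything else (SYN to a closed port, stray ACKs) is dropped silently.


@dataclass
class Attacker:
    seen_dst: Counter = field(default_factory=Counter)
    seen_ports: set = field(default_factory=set)
    c2: tuple = None                                 # (hijacked_ip, port) once chosen
    terrestrial_out: list = field(default_factory=list)
    sessions: set = field(default_factory=set)

    def on_downlink(self, pkt):
        self.seen_dst[pkt.dst] += 1                  # passive recon: active subscriber IPs
        self.seen_ports.add((pkt.dst, pkt.dport))
        if self.c2 and (pkt.dst, pkt.dport) == self.c2:
            if pkt.flags == SYN:                     # the malware's call: answer as the subscriber
                self.terrestrial_out.append(Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport, SYN_ACK))
            elif pkt.flags == ACK:
                self.sessions.add(flow_key(pkt))     # bot now talks to "the subscriber"

    def choose_c2(self, port):
        # Busiest subscriber address on which nobody has been seen using `port`.
        for ip, _ in self.seen_dst.most_common():
            if (ip, port) not in self.seen_ports:
                self.c2 = (ip, port)
                return self.c2
        raise RuntimeError("no quiet subscriber address observed")


def one_sided_flows(downlink_log, uplink_log):
    """Operator-side heuristic (added here): ACKs on the downlink for a flow with
    no SYN (subscriber-initiated) and no SYN-ACK (subscriber-accepted) on the uplink."""
    handshook = {flow_key(p) for p in uplink_log if p.flags in (SYN, SYN_ACK)}
    return sorted({flow_key(p) for p in downlink_log
                   if p.flags == ACK and flow_key(p) not in handshook})


def run_hijack():
    link = Downlink()
    victim = Subscriber("203.0.113.7", frozenset({443}))   # runs a real HTTPS service
    other = Subscriber("203.0.113.9", frozenset())
    attacker = Attacker()
    link.receivers += [victim, other, attacker]

    # Background traffic: the victim browses (its own SYNs go up, server SYN-ACKs come down).
    for n in range(5):
        victim.uplink_log.append(Packet(victim.ip, "198.51.100.10", 40000 + n, 443, SYN))
        link.broadcast(Packet("198.51.100.10", victim.ip, 443, 40000 + n, SYN_ACK))
    link.broadcast(Packet("198.51.100.11", other.ip, 80, 40100, SYN_ACK))
    # A legitimate client connects to the victim's open port 443 (must NOT be flagged).
    link.broadcast(Packet("198.51.100.20", victim.ip, 50500, 443, SYN))
    link.broadcast(Packet("198.51.100.20", victim.ip, 50500, 443, ACK))

    c2_ip, c2_port = attacker.choose_c2(8443)
    bot = "192.0.2.50"
    link.broadcast(Packet(bot, c2_ip, 51000, c2_port, SYN))          # malware calls home
    got_synack = any(p.flags == SYN_ACK and p.src == c2_ip and p.dst == bot
                     for p in attacker.terrestrial_out)              # spoofed reply via landline
    if got_synack:
        link.broadcast(Packet(bot, c2_ip, 51000, c2_port, ACK))      # bot completes the handshake
    return {
        "c2": (c2_ip, c2_port),
        "bot_got_synack": got_synack,
        "subscriber_replied_to_bot": any(p.dst == bot for p in victim.uplink_log),
        "one_sided_flows": one_sided_flows(link.log, victim.uplink_log + other.uplink_log),
    }


if __name__ == "__main__":
    print(run_hijack())
```

The subscriber never sends a byte in reply to the bot, yet the bot's handshake with 203.0.113.7:8443 completes, which is the whole trick. The legitimate inbound connection to port 443 is not flagged because the victim's own SYN-ACK went up; the bot's session is, because the only place its "other end" exists is the attacker's terrestrial link.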

Reporter: R/O Pasquale DE CEGLIA -IK7TVE