Russian cyber spies using satellites to hide attacks

Russian cyber spies are using satellites to hide their digital espionage work, according to new research.

The tactic is a clever and novel way to make it difficult to identify the origin of digital intrusion efforts, said Kaspersky Lab researchers.

The group behind the scheme, Turla, has been operating for nearly a decade. According to a Kaspersky report on Turla last year, the Russian-speaking team has infiltrated more than 500 government agencies and military targets in at least 45 countries, including the United States.

Now Kaspersky has noticed a unique strategy that is helping the squad remain undetected.

Essentially, Turla routes its command-and-control traffic through satellite Internet links. This means that even if an intrusion is discovered, investigators who follow the traffic end up at an IP address belonging to a satellite provider's coverage area, not at the computer from which the attack was actually run.

“What makes the Turla group especially dangerous and difficult to catch is not just the complexity of its tools, but the exquisite satellite-based command-and-control (C&C) mechanism implemented in the final stages of the attack,” said Kaspersky researcher Alex Drozhzhin in a Wednesday blog post.

The command-and-control server both directs a cyberattack and is the point from which investigators most often unmask the people behind it.

“It’s the weakest link in malicious infrastructure,” Drozhzhin explained.

“That’s why threat actors are always trying to hide C&C as deep as possible,” he added. “The Turla group has found quite an effective way to do it: they conceal servers’ IPs in the sky.”

The group mostly exploits satellite Internet providers located in Middle Eastern or African countries, such as the Congo, Lebanon, Libya, Niger, Nigeria, Somalia and the United Arab Emirates, further obfuscating an attack’s origin.
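The defensive takeaway from the technique described above is that the C&C address a victim beacons to resolves to a satellite provider's range rather than to any infrastructure the operators own, so the address itself is a weak lead but the pattern of contact is still visible from the victim's side. The script below, an added example that is not part of the article or of Kaspersky's research, shows the kind of enrichment check an analyst can run over outbound-connection logs: it tags destinations that fall in prefixes an analyst has associated with satellite ISPs and reports internal hosts that contact such a destination repeatedly. The prefix table, the provider labels, the log format and the log lines are all constructed for the example (the prefixes are RFC 5737 documentation ranges, not real allocations); in practice the table would be built from ASN and WHOIS data.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed lookup table (hypothetical; RFC 5737 documentation prefixes, not real
# satellite-provider allocations). Maps a prefix to the satellite ISP an analyst has
# associated with it, which is the enrichment a real deployment would take from ASN data.
SATELLITE_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "SatISP-A (hypothetical, Lebanon)",
    ipaddress.ip_network("198.51.100.0/24"): "SatISP-B (hypothetical, Niger)",
}

# Constructed outbound-connection log format: "<ts> <src> -> <dst>:<port> bytes=<n>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) bytes=(?P<bytes>\d+)$"
)


def satellite_provider(ip: str):
    """Return the provider label if ip falls in a tagged satellite prefix, else None."""
    addr = ipaddress.ip_address(ip)
    for prefix, label in SATELLITE_PREFIXES.items():
        if addr in prefix:
            return label
    return None


def analyze(log_lines, min_hits=2):
    """Group outbound connections into satellite ranges by (internal host, destination)
    and return the pairs seen at least min_hits times. Repeated contact with the same
    address is what separates a likely beacon from a one-off visit."""
    counts = defaultdict(lambda: {"hits": 0, "bytes": 0, "first": None, "last": None})
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        label = satellite_provider(m["dst"])
        if label is None:
            continue
        rec = counts[(m["src"], m["dst"], label)]
        rec["hits"] += 1
        rec["bytes"] += int(m["bytes"])
        rec["first"] = rec["first"] or m["ts"]  # first occurrence in log order
        rec["last"] = m["ts"]
    findings = []
    for (src, dst, label), rec in sorted(counts.items()):
        if rec["hits"] >= min_hits:
            findings.append({"src": src, "dst": dst, "provider": label, **rec})
    return findings


# Constructed sample log: one host beacons three times to a tagged range, another host
# touches a tagged range once (below threshold) and otherwise talks to an untagged address.
SAMPLE_LOG = """\
2015-09-09T10:00:01Z 10.0.0.5 -> 203.0.113.77:80 bytes=512
2015-09-09T10:05:02Z 10.0.0.5 -> 203.0.113.77:80 bytes=498
2015-09-09T10:02:13Z 10.0.0.9 -> 192.0.2.10:443 bytes=2048
2015-09-09T10:10:01Z 10.0.0.5 -> 203.0.113.77:80 bytes=505
2015-09-09T10:11:40Z 10.0.0.9 -> 198.51.100.20:443 bytes=300
this line is deliberately malformed and must be skipped
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} contacted {f['dst']} ({f['provider']}) {f['hits']}x, "
              f"{f['bytes']} bytes, {f['first']} .. {f['last']}")
```

The threshold is deliberately a parameter: a single connection into a satellite range is common for legitimate traffic from the regions named above, so the check is only useful as a lead when combined with repetition, a regular interval, or a destination that the organisation has no business reason to contact.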

Turla has used its scheme to infiltrate embassies, universities and pharmaceutical companies, as well as government agencies.

The U.S. government has been struggling to keep out Russian hackers. In the past year, it’s believed Moscow-backed hackers have infiltrated the State Department, White House and Pentagon’s email systems.