The guys from Kaspersky have done a great job of explaining how the TURLA APT used satellites as their command and control systems.
But the main question we all have is: how on earth did the threat actors behind the TURLA APT gain access to the satellites?
The infographic from Securelist claims that the following scenario would be plausible:
1. The infected system calls a “decoy” satellite subscriber.
2. The satellite broadcasts the call over the whole area its footprint covers.
3a. The “decoy” system drops the request as invalid, since it has no such port or service to answer the satellite's call.
3b. The C&C, pretending to be the “decoy” user, accepts the call.
4. The C&C answers via a landline connection while masquerading as the “decoy” system.
5. The malware on the infected hosts uploads the harvested data to the command and control server.
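To make the five steps above concrete, here is an added example (written for this page, not code from the original post or from Kaspersky/Securelist) that models the exchange in Python from the decoy subscriber's point of view: a one-way broadcast downlink, a legitimate subscriber that drops requests to closed ports, and a second receiver in the same footprint that answers over a separate landline path. The IP addresses, the port number and the payload strings are constructed placeholders; the logging of dropped requests in `Subscriber` and the `flag_decoy_abuse` heuristic are my additions, not something the infographic describes.

```python
# Educational model (added example, not from the original post or Kaspersky's
# report) of the five-step satellite C&C scenario, seen from the defender's side.
# All IPs, ports and payloads below are constructed placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str
    path: str  # "satellite" for the broadcast downlink, "landline" for a terrestrial link


class Subscriber:
    """The legitimate "decoy" subscriber (step 3a): answers only on its open ports,
    drops everything else and, as a defensive addition, logs what it dropped."""

    def __init__(self, ip, open_ports):
        self.ip = ip
        self.open_ports = set(open_ports)
        self.dropped = []  # (src, dport) of unsolicited requests to closed ports

    def receive(self, pkt):
        if pkt.dst != self.ip:
            return []  # not addressed to us: a normal receiver silently discards it
        if pkt.dport in self.open_ports:
            return [Packet(self.ip, pkt.src, 0, "legitimate reply", "satellite")]
        self.dropped.append((pkt.src, pkt.dport))
        return []


class HijackingCnC:
    """A second receiver in the same footprint (steps 3b and 4): it claims the
    subscriber's address for one port and replies over its own landline."""

    def __init__(self, decoy_ip, watch_port):
        self.decoy_ip = decoy_ip
        self.watch_port = watch_port
        self.harvested = []

    def receive(self, pkt):
        if pkt.dst == self.decoy_ip and pkt.dport == self.watch_port:
            self.harvested.append(pkt.payload)  # step 5: data reaches the C&C
            return [Packet(self.decoy_ip, pkt.src, 0, "ack", "landline")]
        return []


def broadcast(receivers, pkt):
    """Step 2: the downlink is one-way and unencrypted, so every dish in the
    footprint sees every packet addressed to any subscriber."""
    replies = []
    for r in receivers:
        replies.extend(r.receive(pkt))
    return replies


def flag_decoy_abuse(dropped, min_sources=3):
    """Defender heuristic for the subscriber: several distinct sources hitting the
    same closed port on the satellite interface suggests someone else in the
    footprint is answering in your name. Returns the suspicious ports."""
    sources_by_port = {}
    for src, port in dropped:
        sources_by_port.setdefault(port, set()).add(src)
    return {port for port, srcs in sources_by_port.items() if len(srcs) >= min_sources}


def run_scenario(num_infected=3):
    """Runs steps 1-5 with constructed addresses and returns what each side observed."""
    decoy_ip = "203.0.113.10"  # constructed: TEST-NET-3 documentation range
    cnc_port = 40000           # constructed: a port the decoy does not serve
    decoy = Subscriber(decoy_ip, open_ports={80})
    cnc = HijackingCnC(decoy_ip, cnc_port)
    receivers = [decoy, cnc]

    replies = []
    for i in range(num_infected):
        # step 1: an infected host "calls" the decoy subscriber's address
        beacon = Packet(f"198.51.100.{i + 1}", decoy_ip, cnc_port, f"harvest-{i}", "satellite")
        replies.extend(broadcast(receivers, beacon))

    # Control case: a request to a port the decoy really serves gets a normal reply.
    replies.extend(broadcast(receivers, Packet("198.51.100.250", decoy_ip, 80, "GET /", "satellite")))

    return {
        "harvested": list(cnc.harvested),
        "dropped": list(decoy.dropped),
        "reply_paths": [r.path for r in replies],
        "flagged_ports": flag_decoy_abuse(decoy.dropped),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the model makes for a defender is the asymmetry in step 4: the legitimate subscriber never sees the replies that go out under its address, so the only trace it has is a stream of unsolicited requests to a closed port from many different sources, which is exactly what `flag_decoy_abuse` looks for in the dropped-request log.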