{
	"id": "0b6ae650-eaa1-451a-aa52-7433ff885fc0",
	"created_at": "2026-04-06T00:17:47.219778Z",
	"updated_at": "2026-04-10T03:37:55.961423Z",
	"deleted_at": null,
	"sha1_hash": "bad33db3e1d047251448300badfe81a6fa31eda5",
	"title": "Turla APT Group Abusing Satellite Internet Links",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 777136,
	"plain_text": "Turla APT Group Abusing Satellite Internet Links\r\nBy Michael Mimoso\r\nPublished: 2015-09-09 · Archived: 2026-04-05 14:20:56 UTC\r\nResearchers at Kaspersky Lab have revealed that the Turla APT gang is using satellite-based Internet links to hide\r\ncommand-and-control activities.\r\nPoorly secured satellite-based Internet links are being abused by nation-state hackers, most notably by the Turla\r\nAPT group, to hide command-and-control operations, researchers at Kaspersky Lab said today.\r\nTurla has been active for close to a decade and its activities were exposed last year; the Russian-speaking gang has carried out\r\nespionage campaigns against more than 500 victims in 45 countries, most of those victims in critical areas such as\r\ngovernment agencies, diplomatic and military targets, and others.\r\nIts use of hijacked downstream-only links is a cheap ($1,000 a year to maintain) and simple means of moving\r\nmalware and communicating with compromised machines, Kaspersky researchers wrote in a report. Those\r\nconnections, albeit slow, are a beacon for hackers because the links are not encrypted and are ripe for abuse.\r\n“Once an IP address that is routed through the satellite’s downstream link is identified, the attackers start listening\r\nfor packets coming from the internet to this specific IP,” the researchers wrote. “When such a packet is identified,\r\nhttps://threatpost.com/turla-apt-group-abusing-satellite-internet-links/114586/\r\nPage 1 of 4\n\nfor instance a TCP/IP SYN packet, they identify the source and spoof a reply packet (e.g. SYN ACK) back to the\r\nsource using a conventional Internet line.”\r\nThe victim, meanwhile, is none the wiser: the packet is addressed to an unconventional port, so the victim’s link simply ignores it.\r\n“There is an important observation to make here,” the researchers wrote. 
“Normally, if a packet hits a closed port,\r\na RST or FIN packet will be sent back to the source to indicate that there is nothing expecting the packet.\r\nHowever, for slow links, firewalls are recommended and used to simply DROP packets to closed ports. This\r\ncreates an opportunity for abuse.”\r\nAbuse of satellite links is not solely the domain of Turla. HackingTeam command and control servers, for\r\nexample, were found to be using such links to mask operations, as were links traced to Rocket Kitten and\r\nXumuxu, two APT groups that are government-backed or have governments as customers, Kaspersky said.\r\nKaspersky speculates that APT groups turn to satellite-based Internet links for C\u0026C for a number of reasons,\r\nincluding as a countermeasure against botnet takedowns by law enforcement and ISPs, which open an avenue for\r\nresearchers to determine who is behind an operation. Using these satellite links, however, is not without its risks to\r\nthe attacker.\r\n“On the one hand, it’s valuable because the true location and hardware of the C\u0026C server cannot be easily\r\ndetermined or physically seized. Satellite-based Internet receivers can be located anywhere within the area\r\ncovered by a satellite, and this is generally quite large,” the researchers wrote. “The method used by the Turla\r\ngroup to hijack the downstream links is highly anonymous and does not require a valid satellite Internet\r\nsubscription. On the other hand, the disadvantage comes from the fact that satellite-based Internet is slow and can\r\nbe unstable.”\r\nRather than buy expensive subscriptions to the satellite-based links or hack an ISP with a man-in-the-middle\r\nattack at the router level in order to hijack streams, Turla’s approach is much cheaper and keeps the attackers\r\nanonymous, Kaspersky said. 
They instead hijack satellite DVB-S links—similar research was presented at Black\r\nHat in 2010—which requires minimal equipment including a satellite dish, a low-noise block downconverter, a\r\ndedicated DVB-S tuner on a PCIe card made by TBS Technologies, and a Linux PC.\r\n“The TBS card is particularly well-suited to this task because it has dedicated Linux kernel drivers and supports a\r\nfunction known as a brute-force scan which allows wide-frequency ranges to be tested for interesting signals,” the\r\nresearchers wrote. “Of course, other PCI or PCIe cards might work as well, while, in general, the USB-based cards\r\nare relatively poor and should be avoided.”\r\nThe group behind Turla has been abusing DVB-S (digital video broadcasting-satellite) Internet providers in the\r\nMiddle East and Africa, locations where their satellite beams do not cover Europe or Asia, steering them clear of\r\nmany security researchers. Kaspersky published a long list of command and control servers resolving to satellite-based ISPs in its report, calling out one in particular falling into the range of Germany’s IABG mbH. The\r\naddress of that C\u0026C server is stored encrypted in a Turla backdoor called Agent.DNE, compiled in 2007.\r\n“Of course, for logistical reasons it is more straightforward to rely on bullet-proof hosting, multiple proxy levels\r\nor hacked websites, but this method provides an unmatched level of anonymity,” the researchers wrote. 
“In truth,\r\nthe Turla group has been known to use all these other techniques as well, making for a very versatile, dynamic\r\nand flexible cyber-espionage operation.”\r\nLast August, researchers at Kaspersky exposed many of Turla’s traditional hacking activities, including the use of\r\nwatering hole attacks and spear phishing to initially compromise victims with the Snake or Uroburos backdoor.\r\nThe Epic Turla campaign also used at least two zero-day exploits at the time, giving the hackers privilege\r\nescalation on Windows machines and code execution via an Adobe Reader vulnerability. There were also exploits\r\nagainst a number of patched vulnerabilities.\r\nSource: https://threatpost.com/turla-apt-group-abusing-satellite-internet-links/114586/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://threatpost.com/turla-apt-group-abusing-satellite-internet-links/114586/"
	],
	"report_names": [
		"114586"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b0261705-df2e-4156-9839-16314250f88a",
			"created_at": "2023-01-06T13:46:38.373617Z",
			"updated_at": "2026-04-10T02:00:02.947842Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Operation Woolen-Goldfish",
				"Thamar Reservoir",
				"Timberworm",
				"TEMP.Beanie",
				"Operation Woolen Goldfish"
			],
			"source_name": "MISPGALAXY:Rocket Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e034b94b-9655-42c4-a72e-a58807dce299",
			"created_at": "2022-10-25T16:07:24.133537Z",
			"updated_at": "2026-04-10T02:00:04.876832Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Group 83",
				"NewsBeef",
				"Newscaster",
				"Operation Newscaster",
				"Operation Woolen-GoldFish",
				"Parastoo",
				"Rocket Kitten"
			],
			"source_name": "ETDA:Rocket Kitten",
			"tools": [
				"CoreImpact (Modified)",
				"FireMalv",
				"Ghole",
				"Gholee"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8faa11f5-2a14-479c-9ea8-3779e6de9749",
			"created_at": "2022-10-25T15:50:23.814205Z",
			"updated_at": "2026-04-10T02:00:05.308465Z",
			"deleted_at": null,
			"main_name": "Ajax Security Team",
			"aliases": [
				"Ajax Security Team",
				"Operation Woolen-Goldfish",
				"AjaxTM",
				"Rocket Kitten",
				"Flying Kitten",
				"Operation Saffron Rose"
			],
			"source_name": "MITRE:Ajax Security Team",
			"tools": [
				"sqlmap",
				"Havij"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434667,
	"ts_updated_at": 1775792275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bad33db3e1d047251448300badfe81a6fa31eda5.pdf",
		"text": "https://archive.orkl.eu/bad33db3e1d047251448300badfe81a6fa31eda5.txt",
		"img": "https://archive.orkl.eu/bad33db3e1d047251448300badfe81a6fa31eda5.jpg"
	}
}