Meet Turla, The Russian Hacking Group Using Commercial Satellites To Spy On US, Europe

Russian hackers are using commercial satellites to tap into sensitive data from diplomatic and military agencies in the United States and Europe. The hackers, known as Turla, are also manipulating the satellites to cover up their location, according to a report released Wednesday from cybersecurity firm Kaspersky Lab in Moscow.

Turla, which is named after the malicious software it uses, has targeted diplomatic and military targets in the United States, Europe, Middle East and Central Asia for eight years to gain political and strategic intelligence through unprecedented methods. Some have compared it with another Russian hacker group that is believed to have hacked the State Department, White House and Pentagon earlier this year. The Pentagon attack covered 4,000 military and civilian personnel working for the Joint Chiefs of Staff, and shut down the network for two weeks in July.

“For us, it was very surprising,” Stefan Tanase, senior security researcher at Kaspersky Lab, said to the Washington Post about the satellite hackers. “This is the first group that we believe has done it. It allows you to achieve a much greater level of anonymity.”

The Turla malware was created by a “sophisticated Russian-government-affiliated” hacker group that “we call Venomous Bear,” said Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike, an Irvine, California-based cybersecurity technology firm. Finland said last year its Foreign Ministry computer systems had been hit by a Turla attack but would not elaborate.

Turla obtains sensitive data by planting malicious software on a website that its target frequents. When the target opens the site, Turla can gain control of the user’s computer. Turla most often uses satellite Internet connections in Middle Eastern and African countries to avoid law enforcement.

“[This technique] essentially makes it impossible for someone to shut down or see their command servers,” Tanase said. “No matter how many levels of proxies you use to hide your server, investigators who are persistent enough can reach the final IP address. It’s just a matter of time until you get discovered. But by using this satellite link, it’s almost impossible to get discovered.”