It's supposedly part of the Turla malware system, which was already suspected of being a state-sponsored system.
However, I think there are many ways to mask origin. I wonder if this particular approach is intended so it becomes difficult to even shut down the botnet's C&C.
[speculation]Using a fixed domain or IP address for C&C lets authorities seize it, and even a sequence you can predict might be predicted by someone else. This can broadcast its presence to an arbitrarily chosen IP address of the class of those going out to the satellite receivers, and the C&C can filter all the traffic for this "I am here" message and can then conventionally communicate to the box - making blocking or spoofing the C&C harder. [/speculation]