Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

Russian Hackers Leverage IoT Devices to Access Corporate Networks

IoT Devices Used as Points of Ingress for Hackers to Establish a Presence on Corporate Network 

IoT Devices Used as Points of Ingress for Hackers to Establish a Presence on Corporate Network 

An infamous Russia-linked cyber-espionage group has been attempting to compromise organizations through insecure Internet of Things (IoT) devices, Microsoft reports.

Known as Sednit, APT28, Pawn Storm, Fancy Bear, and Strontium, the threat actor is believed to be sponsored by Russia’s GRU intelligence agency, and has been associated with high-profile attacks such as the DNC hack before the 2016 U.S. elections and the targeting of Ukraine and NATO countries. 

The adversary is also said to have targeted democratic institutions in Europe between September and December 2018 and to have infiltrated Germany’s foreign and interior ministries’ online networks.

Now, Microsoft reveals that Sednit has been observed attempting to compromise popular IoT devices (a VOIP phone, an office printer, and a video decoder) to gain initial access to corporate networks. 

The cyberspies targeted devices at multiple locations within the same organization’s network, exploiting the fact that two of the devices were deployed without changing the default manufacturer’s passwords, and that the third device did not have the latest security updates installed. 

“These devices became points of ingress from which the actor established a presence on the network and continued looking for further access,” Microsoft explains

Next, the actor scanned the network to discover other insecure devices and move laterally, in an attempt to find higher-privileged accounts that would provide access to higher-value data. The actor ran tcpdump to sniff network traffic on local subnets and enumerated administrative groups to attempt further exploitation. 

While moving to new devices, the hackers would also drop a simple shell script to establish persistence and extend access to continue hunting. The devices were also observed communicating with an external command and control (C&C) server.

Microsoft attributes the attacks on these three popular IoT devices to STRONTIUM, but says that it hasn’t been able to conclusively determine what the actor’s ultimate objectives were, as the attacks were identified in their early stages. 

The tech giant also reveals that, over the past twelve months alone, it has sent nearly 1400 nation-state notifications to entities targeted or compromised by this threat actor. 

“One in five notifications of STRONTIUM activity were tied to attacks against non-governmental organizations, think tanks, or politically affiliated organizations around the world. The remaining 80% of STRONTIUM attacks have largely targeted organizations in the following sectors: government, IT, military, defense, medicine, education, and engineering,” Microsoft notes. 

Olympic organizing committees, anti-doping agencies, and the hospitality industry were also targeted by the cyber-espionage group, and the FBI attributed the “VPN Filter” malware to this threat actor as well. 

With the number of attacks targeting IoT devices increasing rapidly and with tens of billions of such products expected to hit the market in the next couple of years, it is important to raise awareness on the risks associated with IoT, especially if devices are deployed without being properly secured. 

“Today, the number of deployed IoT devices outnumber the population of personal computers and mobile phones, combined. With each networked IoT device having its own separate network stack, it’s quite easy to see the need for better enterprise management, especially in today’s “bring your own device” world,” Microsoft notes. 

Related: Microsoft Says Russian Hackers Targeted Democratic Institutions in Europe

Related: Organizations Lack Confidence in Securing IoT, Survey Shows

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.

IoT Security

Today’s growing attack surface is dominated by non-traditional endpoints.

IoT Security

Vulnerabilities in electric vehicle charging management systems can be exploited for DoS attacks and to steal energy or sensitive information.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...

IoT Security

Australia's Defense Department said that they will remove surveillance cameras made by Chinese Communist Party-linked companies from its buildings.

IoT Security

Chinese video surveillance company Hikvision has patched a critical vulnerability in some of its wireless bridge products. The flaw can lead to remote CCTV...