
Russian Hackers Leverage IoT Devices to Access Corporate Networks

IoT Devices Used as Points of Ingress for Hackers to Establish a Presence on Corporate Network 

An infamous Russia-linked cyber-espionage group has been attempting to compromise organizations through insecure Internet of Things (IoT) devices, Microsoft reports.

Known as Sednit, APT28, Pawn Storm, Fancy Bear, and Strontium, the threat actor is believed to be sponsored by Russia’s GRU intelligence agency, and has been associated with high-profile attacks such as the DNC hack before the 2016 U.S. elections and the targeting of Ukraine and NATO countries. 

The adversary is also said to have targeted democratic institutions in Europe between September and December 2018 and to have infiltrated Germany’s foreign and interior ministries’ online networks.

Now, Microsoft reveals that Sednit has been observed attempting to compromise popular IoT devices (a VOIP phone, an office printer, and a video decoder) to gain initial access to corporate networks. 

The cyberspies targeted devices at multiple locations within the same organization’s network, exploiting the fact that two of the devices were deployed without changing the default manufacturer’s passwords, and that the third device did not have the latest security updates installed. 

“These devices became points of ingress from which the actor established a presence on the network and continued looking for further access,” Microsoft explains.

Next, the actor scanned the network to discover other insecure devices and move laterally, in an attempt to find higher-privileged accounts that would provide access to higher-value data. The actor ran tcpdump to sniff network traffic on local subnets and enumerated administrative groups to attempt further exploitation. 

While moving to new devices, the hackers would also drop a simple shell script to establish persistence and extend access to continue hunting. The devices were also observed communicating with an external command and control (C&C) server.
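As an added illustration of what a defender could look for in the chain described above (this is example code, not Microsoft's or SecurityWeek's), the Python below runs two checks over constructed flow records: an inventoried IoT device reaching a non-allowlisted external host, as with the C&C traffic reported, and one fanning out to many internal hosts, as with the scanning for further devices. The address ranges, inventory, allowlist and threshold are assumptions.

```python
import ipaddress
from collections import defaultdict
# Assumed enterprise address space; replace with the organization's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed inventory of the device classes named in the report (hypothetical addresses).
IOT_INVENTORY = {"10.0.5.20": "voip-phone", "10.0.5.21": "office-printer", "10.0.5.22": "video-decoder"}
# External hosts the devices are expected to reach, e.g. a vendor update service (constructed).
ALLOWED_EXTERNAL = frozenset({"192.0.2.10"})
# Constructed flow records (src, dst, dst_port), as a NetFlow or Zeek conn export would provide.
SAMPLE_FLOWS = [
    ("10.0.5.20", "10.0.5.1", 53),        # phone -> internal DNS: expected
    ("10.0.5.20", "203.0.113.45", 443),   # phone -> unknown external host: possible C&C beacon
    ("10.0.5.21", "192.0.2.10", 443),     # printer -> allowlisted vendor host: expected
    ("10.0.5.22", "10.0.5.30", 22),       # decoder reaching many internal hosts: lateral scanning
    ("10.0.5.22", "10.0.5.31", 22),
    ("10.0.5.22", "10.0.5.32", 22),
    ("10.0.5.22", "10.0.5.33", 22),
    ("10.0.5.22", "10.0.5.34", 445),
    ("10.0.5.22", "10.0.5.35", 445),
    ("10.0.5.40", "198.51.100.7", 443),   # workstation, not in the IoT inventory: out of scope here
]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_iot_egress(flows, inventory, allowed_external):
    """Map each IoT source to the non-allowlisted external hosts it contacted."""
    hits = defaultdict(set)
    for src, dst, _port in flows:
        if src in inventory and not is_internal(dst) and dst not in allowed_external:
            hits[src].add(dst)
    return dict(hits)

def find_iot_scanners(flows, inventory, threshold=5):
    """Map each IoT source to its distinct internal peer count when it reaches the threshold."""
    peers = defaultdict(set)
    for src, dst, _port in flows:
        if src in inventory and is_internal(dst):
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= threshold}

def alerts(flows=SAMPLE_FLOWS, inventory=IOT_INVENTORY, allowed=ALLOWED_EXTERNAL):
    out = [f"{inventory[s]} {s} -> external {sorted(d)}" for s, d in find_iot_egress(flows, inventory, allowed).items()]
    out += [f"{inventory[s]} {s} contacted {n} internal hosts" for s, n in find_iot_scanners(flows, inventory).items()]
    return out

if __name__ == "__main__":
    print("\n".join(alerts()))
```

In practice the inventory would come from the asset register and the flows from a collector; the point is that devices with a fixed, narrow job should never need to beacon out or sweep the subnet.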

Microsoft attributes the attacks on these three popular IoT devices to STRONTIUM, but says that it hasn’t been able to conclusively determine what the actor’s ultimate objectives were, as the attacks were identified in their early stages. 

The tech giant also reveals that, over the past twelve months alone, it has sent nearly 1400 nation-state notifications to entities targeted or compromised by this threat actor. 

“One in five notifications of STRONTIUM activity were tied to attacks against non-governmental organizations, think tanks, or politically affiliated organizations around the world. The remaining 80% of STRONTIUM attacks have largely targeted organizations in the following sectors: government, IT, military, defense, medicine, education, and engineering,” Microsoft notes. 

Olympic organizing committees, anti-doping agencies, and the hospitality industry were also targeted by the cyber-espionage group, and the FBI attributed the “VPN Filter” malware to this threat actor as well. 

With the number of attacks targeting IoT devices increasing rapidly, and with tens of billions of such products expected to hit the market in the next couple of years, it is important to raise awareness of the risks associated with IoT, especially when devices are deployed without being properly secured. 

“Today, the number of deployed IoT devices outnumbers the population of personal computers and mobile phones, combined. With each networked IoT device having its own separate network stack, it’s quite easy to see the need for better enterprise management, especially in today’s ‘bring your own device’ world,” Microsoft notes. 

Related: Microsoft Says Russian Hackers Targeted Democratic Institutions in Europe

Related: Organizations Lack Confidence in Securing IoT, Survey Shows

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
