Microsoft’s Threat Intelligence Centre reports that Russian hacker Fancy Bear has been trying to infiltrate corporate networks using IoT devices such as VoIP phones and printers.
Fancy Bear, also known as Strontium and APT28, is a state-sponsored hacking group suspected to be controlled by the Russian military intelligence agency, the GRU.
The group has previously infected over 500,000 consumer-grade routers across more than 50 countries.
In April, the hackers targeted IoT devices inside companies, intending to use them as “soft points” for easy entry into larger, more secure corporate networks.
In two of the three incidents, the devices still carried factory settings with default passwords; in the third, the device ran outdated firmware with known vulnerabilities.
After gaining access, the attackers went on to compromise other vulnerable devices on the network.
Using simple scans, the group then moved across the network in order to gain access to “higher-privileged accounts that would grant access to higher-value data.”
The attackers also executed “tcpdump” to capture network traffic on local subnets.
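The behaviour described above (a phone or printer that should talk to a handful of servers suddenly sweeping the internal network) is something a security team can look for in its own connection logs. The following detector is an added example written for this article; it is not code from Microsoft, MSTIC or the article itself. The addresses, the asset inventory, the key=value log format and the thresholds are all constructed for illustration.

```python
"""Added example (not from the article or from Microsoft/MSTIC): replay
constructed connection-log lines and flag IoT devices that start sweeping
many internal hosts, or many ports on one host, within a short window."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Hypothetical asset inventory: address -> device kind and the internal
# peers it is expected to contact.  A real deployment would pull this from
# an asset database rather than hard-code it.
IOT_ASSETS: Dict[str, Dict[str, object]] = {
    "10.0.5.20": {"kind": "voip-phone", "expected_peers": {"10.0.1.10"}},  # SIP server
    "10.0.5.21": {"kind": "printer", "expected_peers": {"10.0.1.11"}},     # print server
}


def _build_sample_log() -> List[str]:
    """Constructed log lines in a simple 'k=v k=v' format (not a vendor format)."""
    lines = [
        "ts=1000 src=10.0.5.20 dst=10.0.1.10 dport=5060",  # phone -> SIP server: normal
        "ts=1005 src=10.0.5.21 dst=10.0.1.11 dport=443",   # printer -> print server: normal
    ]
    # The phone sweeps twelve internal hosts on port 22 within a few seconds.
    for i in range(12):
        lines.append(f"ts={2000 + i} src=10.0.5.20 dst=10.0.2.{i + 1} dport=22")
    # Then it probes a single server on seven different ports.
    for j, port in enumerate((21, 22, 23, 80, 443, 445, 3389)):
        lines.append(f"ts={2050 + j} src=10.0.5.20 dst=10.0.1.10 dport={port}")
    return lines


SAMPLE_LOG: List[str] = _build_sample_log()


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def _iter_events(lines: List[str], assets: Dict[str, Dict[str, object]]):
    """Yield (ts, src, dst, dport) for well-formed lines from IoT-tagged sources."""
    for line in lines:
        f = parse_line(line)
        try:
            ts, src, dst, dport = int(f["ts"]), f["src"], f["dst"], int(f["dport"])
        except (KeyError, ValueError):
            continue  # skip malformed lines rather than crash the detector
        if src in assets:
            yield ts, src, dst, dport


def detect_iot_sweeps(lines: List[str], assets: Dict[str, Dict[str, object]],
                      window: int = 60, host_threshold: int = 8,
                      port_threshold: int = 6) -> List[Dict[str, object]]:
    """Return alerts for IoT sources that contact >= host_threshold distinct
    hosts, or >= port_threshold distinct ports on one host, in one window."""
    hosts: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    ports: Dict[Tuple[str, int, str], Set[int]] = defaultdict(set)
    for ts, src, dst, dport in _iter_events(lines, assets):
        start = (ts // window) * window  # fixed time bucket the event falls in
        hosts[(src, start)].add(dst)
        ports[(src, start, dst)].add(dport)

    alerts: List[Dict[str, object]] = []
    for (src, start), dsts in sorted(hosts.items()):
        if len(dsts) >= host_threshold:
            alerts.append({"type": "host_sweep", "src": src, "kind": assets[src]["kind"],
                           "window_start": start, "count": len(dsts)})
    for (src, start, dst), ps in sorted(ports.items()):
        if len(ps) >= port_threshold:
            alerts.append({"type": "port_sweep", "src": src, "kind": assets[src]["kind"],
                           "window_start": start, "dst": dst, "count": len(ps)})
    return alerts


def unexpected_peers(lines: List[str],
                     assets: Dict[str, Dict[str, object]]) -> Set[Tuple[str, str]]:
    """Return (src, dst) pairs where an IoT device contacted a host that is
    not in its expected-peer list; useful as a lower-severity signal."""
    pairs: Set[Tuple[str, str]] = set()
    for _ts, src, dst, _dport in _iter_events(lines, assets):
        if dst not in assets[src]["expected_peers"]:
            pairs.add((src, dst))
    return pairs


if __name__ == "__main__":
    for alert in detect_iot_sweeps(SAMPLE_LOG, IOT_ASSETS):
        print(alert)
    print(f"{len(unexpected_peers(SAMPLE_LOG, IOT_ASSETS))} unexpected peer contacts")
```

The rule keys off the asset inventory: only sources tagged as IoT devices are evaluated, which keeps the thresholds low without flooding the queue with alerts from vulnerability scanners or administrators' workstations. Fixed time buckets are used for simplicity; a sliding window would catch sweeps that straddle a bucket boundary at the cost of a little more bookkeeping.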
IoT risk must be taken seriously. For a preview of the talk @edoerr is giving Thursday, see our guest blog from MSTIC, describing early-stage detection of attacks leveraging common IoT devices. https://t.co/2TIlz1TUly #MSFTatBlackHat
— Security Response (@msftsecresponse) August 5, 2019
Fortunately, the attacks were nipped in the bud. Microsoft still does not know what the hackers hoped to steal:
Upon conclusion of our investigation, we shared this information with the manufacturers of the specific devices involved and they have used this event to explore new protections in their products.
However, there is a need for broader focus across IoT in general, both from security teams at organisations that need to be more aware of these types of threats, as well as from IoT device makers who need to provide better enterprise support and monitoring capabilities to make it easier for security teams to defend their networks.
The same group has also been linked to the hacking of the Democratic National Committee, France’s TV5 Monde television station and Germany’s foreign ministry.
More significantly, security researchers discovered that the group hacked the email accounts of investigators probing crimes linked to the Russian state, including the Skripal poisonings and the downing of Malaysia Airlines flight MH17.
The attempted attacks serve as a wake-up call for companies to tighten the security of their IoT devices, so that subsequent attacks will not be so easy to carry out.