Microsoft’s Threat Intelligence Center Reports APT28 aka Fancy Bear is Hacking Common IoT Devices to Breach Corporate IT Networks
Microsoft’s Threat Intelligence Center (MSTIC) reported that Russia’s GRU Military Intelligence Service is using poorly secured Internet of Things (IoT) devices as an entry point to compromise corporate IT networks. The breaches are attributed to a Russian state-sponsored hacking group, APT28. The Advanced Persistent Threat group, also known as Fancy Bear or Strontium, is the hacking group responsible for the VPNFilter malware.
The hacking group attempts to compromise and communicate with IoT devices. Three insecure devices, voice-over-IP phones, office printers, and video decoder hardware, were successfully hacked at multiple corporate locations. Once access was gained through these low-level devices, APT28 dropped malware that seeks out higher-level access on the network they are connected to.
In the past year, MSTIC sent almost 1400 notifications to companies that were targeted or compromised by Fancy Bear during state-sponsored cyber attacks. Twenty percent of the attacks targeted non-governmental organizations like think tanks and politically affiliated organizations. Eighty percent of Strontium’s attacks targeted governmental organizations, the IT industry, militaries, defense companies, the medical sector, educational institutions, and engineering firms. Strontium has even attacked Olympic organizing committees, anti-doping agencies, and the hospitality industry.
The compromised IoT devices are used to breach corporate networks and seek high-value data or access. Once network access is gained through an insecure device, hackers can scan for other insecure devices and sub-networks. The goal of the attacks is most likely access to higher-level corporate networks, corporate emails, privileged admin accounts, or sensitive data.
According to Microsoft, “After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server.”
What are IoT Devices?
The phrase Internet of Things, called IoT for short, refers to any internet-connected device, like printers, smart TVs, connected vehicles, appliances, and lighting systems. Basically, IoT devices are devices that make our lives easier or get things done for us. IoT devices are, by design, easy to connect to the internet, which is also what makes them an appealing target for hackers. Many corporate IT admins may not even know which devices have been brought in by employees and connected to their networks.
The Microsoft post cites an estimate that there will be 50 billion IoT devices in the world by the year 2020. Even now, the number of IoT devices online exceeds the number of personal computers and smartphones combined.
Poorly Secured Devices Make It Easy for Hackers
At least two of the cyber attacks were successful because the device owner did not change the manufacturer’s default password after connecting the device to the internet. A third device was not kept updated with the latest security patches.
Some IoT devices communicate basic telemetry back to the manufacturer or have a connection that allows them to receive software updates. Therefore, they must be maintained and monitored for suspicious activity.
How to Secure IoT Devices
IoT devices are intentionally easy to connect to networks, making them especially vulnerable to hackers. Often, corporate sysadmins are unaware that a device has been connected to their network by an employee. Advanced Persistent Threat groups and other hackers can take advantage of vulnerable electronic devices to gain higher-level access to a corporate network.
- Require approval to connect all IoT devices to a corporate network
- Record the presence of all devices
- Limit exposure to critical networks by isolating IoT device access to the internet
- Isolate IoT device access to the public internet
- Use a separate corporate network for connected devices
- Monitor IoT devices for abnormal activity or communications
- Change the manufacturer’s default username and password
- Maintain all electronic devices (smartphones, laptops, printers, etc.) by keeping them updated with security patches. When possible, allow them to accept security patches automatically
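The inventory, isolation, and monitoring items above can be combined into one check over network flow records. The following is an added example, not code from Microsoft or from the original article; the device names, subnets, addresses, and finding labels are all constructed sample values and assumptions.

```python
import ipaddress

# Constructed inventory of approved IoT devices and the only external
# destinations each is expected to reach (e.g. vendor update endpoint).
INVENTORY = {
    "10.20.0.11": {"name": "voip-phone-lobby", "allowed": {"198.51.100.10"}},
    "10.20.0.12": {"name": "printer-floor2", "allowed": {"198.51.100.20"}},
}
IOT_NET = ipaddress.ip_network("10.20.0.0/24")          # separate network for connected devices
CRITICAL_NETS = [ipaddress.ip_network("10.1.0.0/16")]   # networks IoT devices must not reach

# Constructed flow records: (source IP, destination IP, destination port)
FLOWS = [
    ("10.20.0.11", "198.51.100.10", 443),  # phone -> its vendor endpoint
    ("10.20.0.12", "203.0.113.50", 443),   # printer -> unlisted external host
    ("10.20.0.12", "10.1.4.7", 445),       # printer -> critical subnet
    ("10.20.0.99", "198.51.100.10", 443),  # device missing from the inventory
    ("10.20.0.11", "10.20.0.12", 5060),    # one IoT device talking to another
]

def review_flows(flows, inventory=INVENTORY):
    """Return (src, dst, port, reason) for each flow that breaks the policy."""
    findings = []
    for src, dst, port in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in IOT_NET:
            continue  # only traffic originating on the IoT network is reviewed
        device = inventory.get(src)
        if device is None:
            reason = "unrecorded-device"        # never approved or recorded
        elif any(dst_ip in net for net in CRITICAL_NETS):
            reason = "critical-network-access"  # isolation is not holding
        elif dst_ip in IOT_NET:
            # Assumption: devices in this sample never need to talk to each other.
            reason = "device-to-device"
        elif dst not in device["allowed"]:
            reason = "unexpected-destination"   # possible C2 or data egress
        else:
            continue
        findings.append((src, dst, port, reason))
    return findings

if __name__ == "__main__":
    for finding in review_flows(FLOWS):
        print(finding)
```

In practice the flow records would come from firewall or NetFlow exports, and the inventory from the approval process described in the first two list items.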
See more cyber security tips on the Microsoft post about Strontium cyber attacks.