
According to Microsoft’s Threat Intelligence Center, a Russian state-sponsored hacker group is using hacked IoT devices to penetrate enterprise networks. From there, the attackers turn their attention to more valuable targets.

The attacks are carried out by a group that the Threat Intelligence Center calls Strontium, writes ZDNet. This group is better known as APT28 or Fancy Bear. It was responsible for the hack on the American Democratic Party in 2016.

Microsoft employees discovered in April this year that Strontium was trying to compromise popular IoT devices across multiple customer locations. For example, the group tried to exploit a VoIP phone, an office printer and a video decoder.

The investigation revealed that someone had used these devices to access business networks. In two of the cases, the manufacturer’s default passwords for the devices had not been changed, and in a third case, the latest security update for the device had not been deployed.

Further attack

The hackers used the compromised IoT devices as an entry point into their targets’ internal networks. They then scanned for other vulnerable systems to expand their foothold.

As the hackers moved from one device to another, they left behind a simple shell script to establish persistence on the network, allowing them to remain present longer and keep hunting, according to Microsoft.

The company says it detected and blocked the attacks at an early stage. As a result, the researchers were unable to determine what Strontium was trying to steal from the compromised networks.

Previous attacks

Strontium has gone after IoT devices on a number of occasions before. For example, the group created a botnet of tens of thousands of routers using the VPNFilter malware.

Microsoft plans to release more information this week about the Strontium attacks in April. The company will do so at the Black Hat USA 2019 security conference in Las Vegas.

This news article was automatically translated from Dutch to give Techzine.eu a head start.