Microsoft observes Russian hackers actively attacking businesses through IoT devices

Fancy Bear

Microsoft has said a high-profile Russian state-sponsored hacking group is actively attacking businesses through internet of things (IoT) devices.

The Redmond-based tech giant attributed the observed attacks to a group called STRONTIUM, also known as APT28 or Fancy Bear - the same group behind the cyber attack on the 2018 Winter Olympics in Pyeongchang.

Three separate IoT devices were used in the spotted attacks including a VOIP phone, an office printer and video decoder - they acted as entry points for the attackers to establish a foothold on the victims' networks.

Affected businesses spanned "multiple customer locations" according to Microsoft. After establishing the initial foothold, "a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data".

The IoT devices were compromised using easily preventable methods on the customer's part - examples of poor security practices that have been widely condemned by the industry.

In two cases, Microsoft note, the IoT device's default passwords had not been changed which made for easy access for hackers with basic knowledge of the device. Changing IoT device default passwords is standard industry practice but all too often the simple security procedure is overlooked.

In another instance, a victim organisation hadn't kept the device's firmware up to date which meant the attackers could exploit vulnerabilities that were probably patched in the device's latest update.

"While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives," said Microsoft. "These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments."

These two security errors highlight common industry malpractice regarding IoT devices; issues that could be easily prevented if the customer made security a priority. But James Slaby, director of cyber protection at Acronis, noted the blame shouldn't always be on the customer.

"IoT devices both for industrial and consumer applications have already demonstrated very little focus on cybersecurity," he said. "The reasons are simple: device manufacturers are financially incented by their investors to get their products to market as cheaply and as quickly as possible.

"Little thought is being given to architecting security into their products, and many devices are not capable of receiving patches or other updates to close vulnerabilities once they have been publicly identified," Slaby added. "They bear none of the costs of cyberattacks, so have little reason to spend on improving device security."

The Fancy Bear group has pulled off some other high-profile hacks in years gone by, including a role played in the 2016 hacking of the American presidential election.

In September 2018 Fancy Bear was accused of using rootkit malware to hack and assume control of government systems. It also exposed a document in 2017 showing which professional footballers were cleared to use banned medicines during the 2010 World Cup.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.