Microsoft: Russian APT28 hackers attempted to compromise popular IoT devices (a VOIP phone, an office printer, and a video decoder) to gain initial access to corporate networks
Russian APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, STRONTIUM, and Sednit) hackers attempted to compromise popular IoT devices (a VOIP phone, an office printer, and a video decoder) to gain initial access to corporate networks, Microsoft cyber security experts have discovered. The cyber espionage group targeted devices at multiple locations within the same organization's network, exploiting the fact that two of them had been deployed without changing the manufacturer's default passwords and that the third did not have the latest security updates installed. The attacks were identified in their early stages, so the researchers have not been able to conclusively determine what the APT's ultimate objectives were in these intrusions.
How the cyber espionage group (aka Fancy Bear, Pawn Storm, Sofacy Group, STRONTIUM, and Sednit) operated against IoT devices
Microsoft explained that the devices became points of ingress from which APT28 established a presence on the network and continued looking for further access. Once the cyber espionage group had established access to the network, a simple network scan for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data. After gaining access to each of the IoT devices, STRONTIUM ran tcpdump to sniff network traffic on local subnets. The Russian hackers were also seen enumerating administrative groups in an attempt at further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network, which gave them extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server.
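The behaviour described above (an IoT device sweeping its subnet and talking to an external C2 host) is detectable from flow data, because a phone, printer or video decoder has a narrow, predictable set of peers. The following is an added example, not code from Microsoft or from the original article; the asset IPs, the allowlist and the flow records are constructed, and the scan threshold is an assumed tuning value.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory: the three IoT asset classes named in the report (hypothetical IPs).
IOT_ASSETS = {
    "10.0.5.20": "voip-phone",
    "10.0.5.31": "office-printer",
    "10.0.5.42": "video-decoder",
}
INTERNAL = ip_network("10.0.0.0/8")
# Peers these devices legitimately talk to (hypothetical SIP server and print server).
ALLOWLIST = {"10.0.1.5", "10.0.1.9"}
SCAN_THRESHOLD = 8  # assumed: distinct non-allowlisted internal peers before calling it a scan

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.0.5.20", "10.0.1.5", 5060),      # phone -> SIP server: normal
    ("10.0.5.31", "10.0.1.9", 631),       # printer -> print server: normal
    ("10.0.5.42", "203.0.113.77", 443),   # decoder -> unknown external host: possible C2
] + [("10.0.5.20", f"10.0.5.{i}", 22) for i in range(100, 112)]  # phone sweeps its subnet


def analyse_flows(flows, assets=IOT_ASSETS, allowlist=ALLOWLIST, threshold=SCAN_THRESHOLD):
    """Return {ip: sorted alert names} for IoT assets behaving like a pivot point."""
    peers = defaultdict(set)   # internal hosts each IoT device contacted
    alerts = defaultdict(set)
    for src, dst, _port in flows:
        if src not in assets:
            continue  # only IoT-tagged sources are in scope here
        if ip_address(dst) in INTERNAL:
            peers[src].add(dst)
        elif dst not in allowlist:
            alerts[src].add("external-unallowlisted")  # outbound to a host the device never needs
    for src, targets in peers.items():
        if len(targets - allowlist) >= threshold:
            alerts[src].add("internal-scan")  # lateral discovery from an IoT device
    return {ip: sorted(names) for ip, names in alerts.items()}


if __name__ == "__main__":
    for ip, names in analyse_flows(SAMPLE_FLOWS).items():
        print(f"{ip} ({IOT_ASSETS[ip]}): {', '.join(names)}")
```

Fed real NetFlow or firewall logs, the same two checks (unexpected external peer, unusually broad internal fan-out) surface the pivot pattern the report describes without needing the device itself to log anything.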
APT28's attack campaigns over the last 12 months, according to the cyber security experts
According to the cyber security experts, in the last twelve months Microsoft has delivered nearly 1400 nation-state notifications to those who have been targeted or compromised by STRONTIUM. One in five of these notifications was tied to attacks against non-governmental organizations, think tanks, or politically affiliated organizations around the world. The remaining 80% largely targeted organizations in the following sectors: government, IT, military, defense, medicine, education, and engineering. Microsoft has also observed and notified APT28 attacks against Olympic organizing committees, anti-doping agencies, and the hospitality industry. The "VPN Filter" malware has also been attributed to STRONTIUM by the FBI.