A Russian-backed hacking group was observed by Microsoft security researchers while compromising popular IoT devices to gain a foothold within several corporate networks.

The attacks detected by researchers at the Microsoft Threat Intelligence Center were attributed to the APT group STRONTIUM (also known as Fancy Bear or APT28), previously connected to a multitude of cyber-espionage campaigns targeting governments around the world, including the Democratic National Committee hack ahead of the 2016 US Presidential Election.

"In April, security researchers in the Microsoft Threat Intelligence Center discovered infrastructure of a known adversary communicating to several external devices," says Microsoft's report.

"Further research uncovered attempts by the actor to compromise popular IoT devices (a VOIP phone, an office printer, and a video decoder) across multiple customer locations."

IoT risk must be taken seriously. For a preview of the talk @edoerr is giving Thursday, see our guest blog from MSTIC, describing early-stage detection of attacks leveraging common IoT devices. https://t.co/2TIlz1TUly #MSFTatBlackHat — Security Response (@msftsecresponse) August 5, 2019

IoT devices used as points of ingress

The threat actors took advantage of these compromised devices to infiltrate the corporate networks they were attacking. In two of the instances analyzed by Microsoft's research team, the "passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device."

After successfully hacking the corporate IoT devices, the attackers used them to compromise other vulnerable machines within the network with simple scans, which made it possible for them to move across the network and gain access to "higher-privileged accounts that would grant access to higher-value data."

The hackers used the tcpdump packet analyzer to sniff traffic on the local network for additional information on their next targets, and enumerated administrative groups for further network exploitation.

A shell script was also dropped on each of the compromised devices, allowing the STRONTIUM actors to send a stream of information upstream to their command and control (C2) servers and to maintain persistence within the network, providing them with prolonged access to keep their "hunting" active.
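The behaviour described above, an IoT device talking to external infrastructure and then sweeping internal hosts, is what a network-side detection should key on. The following is an added example, not Microsoft's code and not derived from the report's IOCs: it scores constructed flow records against an IoT inventory, and the device addresses, allowlist and threshold are all assumptions.

```python
"""Added example (not Microsoft's code): flag IoT devices that behave like the
compromised ones in the MSTIC report, i.e. talk to unexpected external hosts or
fan out to many internal hosts. All addresses and thresholds are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory of IoT devices and the corporate address space.
IOT_DEVICES = {"10.0.5.21": "voip-phone", "10.0.5.40": "printer", "10.0.5.77": "video-decoder"}
CORP_NETS = [ip_network("10.0.0.0/8")]
EXTERNAL_ALLOWLIST = {"203.0.113.10"}  # e.g. the vendor's update service (assumed)
SCAN_THRESHOLD = 5  # distinct internal destinations before we call it fan-out

def is_internal(ip):
    return any(ip_address(ip) in net for net in CORP_NETS)

def parse_flow(line):
    """Constructed flow format: '<timestamp> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport)}

def analyse(lines):
    """Return (device, reason, detail) alerts for IoT-originated flows."""
    external = defaultdict(set)   # device -> unexpected external peers
    fanout = defaultdict(set)     # device -> distinct internal peers
    for f in map(parse_flow, lines):
        if f["src"] not in IOT_DEVICES:
            continue  # workstation/server traffic is out of scope here
        if is_internal(f["dst"]):
            fanout[f["src"]].add(f["dst"])
        elif f["dst"] not in EXTERNAL_ALLOWLIST:
            external[f["src"]].add(f["dst"])
    alerts = []
    for ip, name in IOT_DEVICES.items():
        if external[ip]:
            alerts.append((name, "unexpected-external", sorted(external[ip])))
        if len(fanout[ip]) >= SCAN_THRESHOLD:
            alerts.append((name, "internal-fanout", len(fanout[ip])))
    return alerts

SAMPLE_FLOWS = [  # constructed: phone sweeps six hosts, printer beacons out
    "t1 10.0.5.21 10.0.1.1 22", "t2 10.0.5.21 10.0.1.2 22",
    "t3 10.0.5.21 10.0.1.3 22", "t4 10.0.5.21 10.0.1.4 22",
    "t5 10.0.5.21 10.0.1.5 22", "t6 10.0.5.21 10.0.1.6 22",
    "t7 10.0.5.40 198.51.100.7 443", "t8 10.0.5.40 10.0.2.9 631",
    "t9 10.0.5.77 203.0.113.10 443",  # allow-listed vendor host, no alert
    "t10 10.0.9.9 198.51.100.7 443",  # not an IoT device, ignored
]
```

Running `analyse(SAMPLE_FLOWS)` yields one fan-out alert for the phone and one external-peer alert for the printer; the video decoder, which only talks to the allow-listed host, is silent.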

Network persistence script

End goal of attacks not yet known

Even though the attacks were attributed to the STRONTIUM cyberespionage group, Microsoft's researchers were unable to determine the end goal of these corporate intrusions because they were all detected within the early stages.

"Over the last twelve months, Microsoft has delivered nearly 1400 nation-state notifications to those who have been targeted or compromised by STRONTIUM," adds Microsoft. "One in five notifications of STRONTIUM activity were tied to attacks against non-governmental organizations, think tanks, or politically affiliated organizations around the world."

The remaining 80% of STRONTIUM notifications Microsoft delivered to its customers targeted a wide range of government, IT, military, defense, medicine, Olympic organizing committee, anti-doping agency, hospitality, education, and engineering entities from all over the world.

This report's importance is even more evident considering that, as explained by Microsoft, "the number of deployed IoT devices outnumber the population of personal computers and mobile phones, combined."

Microsoft said on July 18 that, over the past year, it had alerted around 10,000 of its customers that they were either targeted or compromised by various nation-state sponsored hacking groups.

These numbers show how much nation-states rely on cyber attacks as a means of collecting and extracting intelligence, as well as of influencing geopolitics or achieving various other objectives.

The Microsoft Threat Intelligence Center provides a series of indicators of compromise (IOCs) as detected while observing and analyzing the presented STRONTIUM activity, including C2 IP addresses and the full script used to maintain persistence within their targets' corporate networks.

This is just one of several campaigns that Microsoft's Eric Doerr will showcase on August 8 in his talk, The Enemy Within: Modern Supply Chain Attacks, at this year's Black Hat computer security conference.