The rise of poorly secured Internet of Things (IoT) devices has made it possible for attackers to gain access to targets of interest. Nation-states, spies, mercenaries, and others don’t need to dress up as repairmen to plant bugs in rooms anymore; they can just hack into a room that has vulnerable IoT devices.

In May, the CIA admitted their agents were being tracked by technology, so they had to adopt new tactics to ensure they stayed under cover.1 This practice has likely been going on behind the scenes for years. Russia has been compromising global network infrastructure, including small office/home office (SOHO) routers and switches to spy on adversaries and maintain persistent access for future operations. Attacking technology infrastructure to spy and collect data is not a new attack type. Nefarious attackers learn from nation-state APTs and attempt to follow in their footsteps.

In June, we published a story about a spike in Russian attack traffic towards Singapore during Trump’s meeting with Kim Jung-Un. Following that story, we (F5 Labs in partnership with Loryka) decided to follow Trump’s travel schedule to see if attacks followed him, as we expected they would. If threat actors can follow anyone from an average citizen to a CIA agent, why not President Trump, or any member of his official entourage? They are perhaps the highest valued intelligence targets on the planet right now. Even allied state actors have an interest in gaining eyes or ears into any member of the Trump entourage.

On July 16th, President Trump met with Vladimir Putin in Helsinki, Finland. As expected, attacks against Finland skyrocketed days before the meeting. What’s interesting this time around is that Russia wasn’t the top attacker—perhaps because Trump was meeting with Putin? In this case, China was the top attacker.

The attacks launched from China came from networks that are commonly in our top 10 attacking networks list. It’s also interesting to note the change in ports and protocols that were attacked. Between the Singapore and Finland attacks, some common protocols were targeted, such as SIP port 5060 that VoIP phones and video conferencing systems use (#3 in Finland attacks, #1 in Singapore attacks), SQL port 1433 (#6 in Finland attacks, #3 in Singapore attacks), and Telnet port 23, often used for remote administration of IoT devices (#3 in Finland attacks, #9 in Singapore attacks). However, SSH port 22 was the number 1 attacked port followed by SMB port 445 in the Finland attacks. SSH is often used by IoT devices for “secure” remote administration. The challenge is that the device credentials are typically vendor defaults and, as such, are routinely brute forced. The majority of the attacks against Finland surrounding the Trump-Putin meeting were brute force attacks. Other ports and protocols targeted in the Finland attacks that we did not see in the Singapore attacks include HTTP port 80, MySQL port 3306, the alternate web server port 8090, often used for web cameras, and RDP port 3389.

Trendline in the Attacks Against Finland

Finland is not typically a top attacked country; it receives a small number of attacks on a regular basis. Figure 1 shows the trendline of attacks before the Trump-Putin meeting. Starting on July 12, 2018, attacks towards Finland spiked, the majority of which were brute force attacks against SSH port 22 (see attacked ports below).