An uncharacteristic spate of strikes against IoT devices in Finland during the summit was likely an indicator of a coordinated cyberespionage effort, researchers said.

Cyberattackers, unsurprisingly, appear to be interested in Donald Trump as an intelligence target – as evidenced by an uncharacteristic spate of strikes against IoT devices in Finland during the American president’s summit there with Russia’s Vladimir Putin.

According to researchers, the uptick was likely an indicator of a coordinated cyberespionage effort emanating from Chinese actors, bent on gathering intelligence about what was said in the meetings between the two leaders and their staffs. Hackers attacked a protocol used for IoT devices that could be turned on to listen in on private meetings, and as many of these devices still use factory settings (which often include usernames that are the name of the manufacturer or software provider), this can be an effective way to gain control over poorly secured access points.

“The rise of poorly secured IoT devices has made it possible for attackers to gain access to targets of interest,” said F5 researchers, in a posting Thursday on the findings. “Nation-states, spies, mercenaries and others don’t need to dress up as repairmen to plant bugs in rooms anymore; they can just hack into a room that has vulnerable IoT devices.”

On July 16, Trump met with the Russian president in Helsinki, the Finnish capital. An analysis of global malicious traffic by F5 uncovered that attacks against IoT targets in Finland saw a significant uptick in the days before the meeting.

“Finland is not typically a top attacked country; it receives a small number of attacks on a regular basis,” said the researchers. “Aside from the attacks on 7/12 and 7/14, Finland doesn’t even register on the chart [of most-attacked nations].”

Starting on July 12, several protocols were targeted, such as SIP port 5060, which VoIP phones and videoconferencing systems use; SQL port 1433; and Telnet port 23, often used for remote administration of IoT devices.

However, brute-force attacks against SSH port 22 especially skyrocketed far above the baseline for the Nordic country, accounting for half of the offensives. This is likely due to the fact that device credentials are typically vendor defaults and, as such, are routinely brute-forced.

“IoT devices are moving to SSH for remote administration because it’s more secure than Telnet—although ‘protecting’ with default admin credentials doesn’t secure anything,” the researchers said.

F5 was able to determine that China was the top attacker, with ChinaNet leading the way; across the board, the attacks came from Chinese networks that are commonly in the firm’s top 10 attacking networks list. Researchers were unsure, however, if any of the efforts were successful.

This is not the first Trump-related IoT campaign: There was also a spike in IoT attacks during his meeting with North Korean leader Kim Jung-Un in June – this time with Russia actors in the driver’s seat, accounting for 88 percent of the attacks according to F5.

“Russia has been compromising global network infrastructure, including small office/home office (SOHO) routers and switches, to spy on adversaries and maintain persistent access for future operations,” the F5 researchers said. “Attacking technology infrastructure to spy and collect data is not a new attack type. Nefarious attackers learn from nation-state APTs and attempt to follow in their footsteps … Even allied state actors have an interest in gaining eyes or ears into any member of the Trump entourage.”