A state-backed Russian hacking group, dubbed STRONTIUM, has been attacking corporate IoT devices, according to a blog post recounting the findings of researchers at the Microsoft Threat Intelligence Center.

In April, the researchers “discovered infrastructure of a known adversary communicating to several external devices,” as well as “attempts by the actor to compromise popular IoT devices (a VOIP phone, an office printer, and a video decoder) across multiple customer locations,” the Microsoft Security Response Center post noted.
“The investigation uncovered that an actor had used these devices to gain initial access to corporate networks.” In two instances the devices “were deployed without changing the default manufacturer’s passwords,” while in a “third instance the latest security update had not been applied to the device.”

The attackers used the devices to establish a network presence and search for additional access. “Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data,” Microsoft said. Once on the IoT devices, the attackers “ran tcpdump to sniff network traffic on local subnets” and were observed “enumerating administrative groups to attempt further exploitation,” dropping a simple shell script to establish persistence on the network as they moved from one device to the next. The devices were also communicating with an external command and control (C2) server.

Microsoft attributed the attacks to STRONTIUM but, because the activity was identified early on, its researchers “have not been able to conclusively determine what STRONTIUM’s ultimate objectives were in these intrusions.”

Steve Durbin, managing director of the Information Security Forum, said “Organizations are
adopting smart devices with enthusiasm, not realizing that these devices are
often insecure by design and therefore offer many opportunities for attackers.”

Because the devices were created without security in mind
but rather “to provide and process information at the lowest possible cost,”
Durbin said, they pose a risk to organizations. “By maintaining an open
connection to the individual’s home computer, a device which may, in turn, be
connected to an employer’s network, it offers intruders a portal to inflicting
damage that goes well beyond the owner’s home devices,” he said.

“In addition to default usernames and passwords, most IoT devices are shipped to consumers and enterprise with out-of-date, unsecure software that is never updated by manufacturers,” said Chris Morales, head of security analytics at Vectra. “IoT devices are trivial to access with no regulations or guiding principles mandating how secure they should be.”

As recent threat activities show and as published in this latest Microsoft report, IoT attacks are real and here for the long term. Large-scale DDoS attacks, the original use of IoT botnets, are difficult to combat for even the largest, most prepared businesses. It is important to be a good Internet citizen (change those passwords!), but more importantly, don't fall victim to your own camera.

Morales said “an even greater danger is when IoT devices start snooping around corporate networks and can pivot to more critical systems as indicated in the Microsoft research report,” with networked IoT devices like “printers, cameras and even advanced devices like MRI scanners” posing “an alarming cybersecurity risk.”
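The tradecraft Microsoft describes, a compromised IoT device sweeping local subnets for other weak devices and reporting to an external C2 server, leaves a signature in ordinary flow logs. The following is an added example written for this page, not code from the article or from Microsoft's report. The IoT subnet 10.20.0.0/24, the allowlisted vendor address, the flow-log format, the detection thresholds and the sample flows are all constructed assumptions.

```python
"""Flag IoT hosts that sweep the LAN or beacon to unexpected external hosts.

Toy flow-log detector for the tradecraft described in the article: a
compromised IoT device scans local subnets for other devices and talks
to an external C2 server. The log format, subnets, allowlist and sample
flows below are assumptions made for this example, not Microsoft's data.
"""
import ipaddress
from collections import defaultdict

# Assumed: the enterprise parks VoIP phones, printers and decoders here.
IOT_NET = ipaddress.ip_network("10.20.0.0/24")
# Assumed: the only public address an IoT device may legitimately reach
# (e.g. the vendor's firmware/provisioning server).
EXTERNAL_ALLOWLIST = {"203.0.113.10"}
# Ports an intruder would sweep when looking for other weak devices.
SERVICE_PORTS = {22, 23, 80, 443, 445, 3389, 5060, 9100}
# RFC 1918 space, used instead of ipaddress's is_private, which also
# treats the documentation ranges used as "external" below as private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow log (not real traffic): "ts,src,dst,dport,proto".
# 10.20.0.15 is a printer behaving normally; 10.20.0.42 is a VoIP phone
# that has been taken over and is sweeping the LAN and beaconing out.
SAMPLE_FLOWS = """\
100,10.20.0.15,203.0.113.10,443,tcp
101,10.10.1.20,10.20.0.15,9100,tcp
110,10.20.0.42,10.20.0.1,23,tcp
111,10.20.0.42,10.20.0.2,23,tcp
112,10.20.0.42,10.20.0.3,23,tcp
113,10.20.0.42,10.20.0.4,80,tcp
114,10.20.0.42,10.20.0.5,445,tcp
115,10.20.0.42,10.10.1.20,445,tcp
116,10.20.0.42,10.10.1.5,3389,tcp
120,10.20.0.42,198.51.100.77,443,tcp
180,10.20.0.42,198.51.100.77,443,tcp
240,10.20.0.42,198.51.100.77,443,tcp
300,10.20.0.42,198.51.100.77,443,tcp
301,10.20.0.15,10.10.1.20,445,tcp
"""


def is_internal(addr):
    """True for RFC 1918 addresses."""
    return any(addr in net for net in RFC1918)


def parse_flows(text):
    """Parse the CSV-style log into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto = line.split(",")
        flows.append({"ts": int(ts),
                      "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst),
                      "dport": int(dport),
                      "proto": proto})
    return flows


def detect_internal_scan(flows, min_hosts=5):
    """IoT sources that touch at least min_hosts distinct internal hosts
    on service ports: the 'simple network scan' Microsoft describes.
    Returns {source: number_of_distinct_hosts}."""
    hosts = defaultdict(set)
    for f in flows:
        if (f["src"] in IOT_NET and is_internal(f["dst"])
                and f["dport"] in SERVICE_PORTS):
            hosts[str(f["src"])].add(f["dst"])
    return {src: len(h) for src, h in hosts.items() if len(h) >= min_hosts}


def detect_external_beacons(flows, min_connections=3):
    """IoT sources repeatedly connecting to one non-allowlisted public
    address/port, i.e. a device phoning home to something that is not
    its vendor. Returns {(src, dst, dport): connection_count}."""
    counts = defaultdict(int)
    for f in flows:
        dst = str(f["dst"])
        if (f["src"] in IOT_NET and not is_internal(f["dst"])
                and dst not in EXTERNAL_ALLOWLIST):
            counts[(str(f["src"]), dst, f["dport"])] += 1
    return {key: n for key, n in counts.items() if n >= min_connections}


def analyze(text):
    """Run both detectors over a flow log and return their hits."""
    flows = parse_flows(text)
    return {"scanners": detect_internal_scan(flows),
            "beacons": detect_external_beacons(flows)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_FLOWS).items():
        for key, n in hits.items():
            print(f"{kind}: {key} ({n})")
```

Run as a script it reports the phone as both a scanner and a beacon source, while the printer, which only talks to its vendor and one print server, stays quiet. The thresholds would be tuned per device class in practice, and both checks assume the IoT devices sit on a subnet of their own; without that segmentation the source filter has to come from an asset inventory instead.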
Russian hacking group STRONTIUM attacking corporate IoT devices, Microsoft says