Microsoft finds Russia-linked attacks exploiting IoT devices
Default passwords, unpatched devices, poor inventory of IoT gear led to exploits by STRONTIUM
7 August 2019
The STRONTIUM hacking group, which security researchers have strongly linked to Russia’s GRU military intelligence agency, was responsible for an IoT-based attack on unnamed Microsoft customers, according to a blog post from the company’s security response centre.
Microsoft said in the blog that the attack, which it discovered in April, targeted three specific Internet of Things (IoT) devices – a VoIP phone, a video decoder and a printer (the company declined to specify the brands) – and used them to gain access to unspecified corporate networks. Two of the devices were compromised because nobody had changed the manufacturer’s default password, and the other one hadn’t had the latest security patch applied.
Devices compromised in this way acted as back doors to secured networks, allowing the attackers to freely scan those networks for further vulnerabilities, access additional systems, and gain more and more information. The attackers were also seen investigating administrative groups on compromised networks, in an attempt to gain still more access, as well as analysing local subnet traffic for additional data.
STRONTIUM, which has also been referred to as Fancy Bear, Pawn Storm, Sofacy and APT28, is thought to be behind a host of malicious cyber-activity undertaken on behalf of the Russian government, including the 2016 hack of the Democratic National Committee, attacks on the World Anti-Doping Agency, the targeting of journalists investigating the shoot-down of Malaysia Airlines Flight 17 over Ukraine, sending death threats to the wives of US military personnel under a false flag and much more.
According to an indictment released in July 2018 by the office of Special Counsel Robert Mueller, the architects of the STRONTIUM attacks are a group of Russian military officers, all of whom are wanted by the FBI in connection with those crimes.
Microsoft notifies customers it discovers have been attacked by nation-states, and it has delivered about 1,400 such notifications related to STRONTIUM over the past 12 months. Most of those – four in five – went to organisations in the government, military, defence, IT, medicine, education and engineering sectors; the remainder went to NGOs, think-tanks and other “politically affiliated organisations,” Microsoft said.
The heart of the vulnerability, according to the Microsoft team, was a lack of full awareness by institutions of all the devices running on their networks. They recommended, among other things, cataloguing all IoT devices running in a corporate environment, implementing custom security policies for each device, walling off IoT devices on their own separate networks wherever practical, and performing regular patch and configuration audits on IoT gadgets.
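The recommendations above amount to a recurring audit of an IoT inventory. The following Python script is an added example (not code from Microsoft or from the article) that checks a constructed inventory for the three failure modes the story describes: an unchanged vendor default password, firmware below a known patched version, and a device sitting outside the dedicated IoT network segment. The vendor names, default credentials, minimum firmware versions, IP ranges and device records are all placeholders constructed for the example.

```python
"""Audit an IoT inventory for default credentials, missing patches and
missing network segmentation. All reference data below is constructed
for illustration; real audits would load it from the asset register."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed vendor defaults: (username, password) shipped by the vendor.
# These are placeholder values, not real product credentials.
DEFAULT_CREDENTIALS: Dict[str, Tuple[str, str]] = {
    "ExampleVoIP": ("admin", "admin"),
    "ExampleDecoder": ("root", "1234"),
    "ExamplePrinter": ("admin", ""),
}

# Constructed minimum firmware versions that carry the latest security fix.
MINIMUM_FIRMWARE: Dict[str, str] = {
    "ExampleVoIP": "3.2.1",
    "ExampleDecoder": "1.8.0",
    "ExamplePrinter": "2.0.5",
}

# Constructed address space reserved for IoT gear, walled off from users
# and servers. Anything outside these ranges is flagged as unsegmented.
IOT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16")]


@dataclass
class Device:
    name: str
    vendor: str
    ip: str
    firmware: str
    username: str
    password: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '1.8.0' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def audit_device(dev: Device) -> List[str]:
    """Return the list of findings for one device (empty list means clean)."""
    findings: List[str] = []

    # 1. Vendor default password never changed.
    if DEFAULT_CREDENTIALS.get(dev.vendor) == (dev.username, dev.password):
        findings.append("default-credentials")

    # 2. Firmware older than the version carrying the current security patch.
    minimum = MINIMUM_FIRMWARE.get(dev.vendor)
    if minimum is None:
        # A vendor the register does not know is itself an inventory gap.
        findings.append("unknown-vendor")
    elif parse_version(dev.firmware) < parse_version(minimum):
        findings.append("unpatched")

    # 3. Device reachable from the general corporate network, not the IoT VLAN.
    addr = ipaddress.ip_address(dev.ip)
    if not any(addr in net for net in IOT_SEGMENTS):
        findings.append("not-segmented")

    return findings


def audit_inventory(devices: List[Device]) -> Dict[str, List[str]]:
    """Map every device name to its findings so the result can be reported."""
    return {dev.name: audit_device(dev) for dev in devices}


# Constructed sample inventory covering each failure mode plus one clean device.
SAMPLE_INVENTORY = [
    Device("lobby-phone", "ExampleVoIP", "10.50.1.10", "3.2.1", "admin", "admin"),
    Device("av-decoder", "ExampleDecoder", "10.20.4.7", "1.7.9", "root", "S3cure!pass"),
    Device("print-2f", "ExamplePrinter", "10.50.2.30", "2.0.5", "admin", "Ch4nged-pw"),
    Device("unknown-cam", "MysteryCam", "10.50.3.5", "1.0.0", "admin", "admin"),
]


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        status = ", ".join(findings) if findings else "ok"
        print(f"{name:12s} {status}")
```

Running the script prints one line per device; the decoder on the user subnet with old firmware is reported as both unpatched and not-segmented, while the device from an unrecognised vendor is flagged as an inventory gap, which is the awareness problem Microsoft identified as the root cause.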
IDG News Service