Microsoft Catches IOT Russian Hackers 


This is breaking news. A few hours ago it became public that Microsoft has caught Russian hackers who have been using IoT devices to penetrate and breach the security of many systems. According to nearby sources, one of Russia's elite state-sponsored hacking groups is said to be using IoT devices to get into corporate networks, from which it gains access to other, higher-value targets.

These highly skilled Russian hackers were believed to be working for the Russian government, and Microsoft officials stated on Monday this week that they were using printers, video decoders, and other IoT devices, together with a set of advanced techniques, to penetrate targeted computer networks.

Who is this group of IoT Russian hackers?

This group of Russian hackers has been identified as Strontium, also commonly known as APT28 or Fancy Bear. It was previously involved in the DNC hack of 2016 and, according to an indictment filed in 2018 by US officials, corresponds to Unit 26165 and Unit 74455 of the Russian military intelligence agency GRU.

What is IoT?

IoT is short for Internet of Things. The Internet of Things refers to the ever-growing network of physical objects that have an IP address for internet connectivity, and to the communication that occurs between these objects and other Internet-enabled devices and systems.

How These IoT Russian Hackers Got Access

A script used to maintain network persistence.

Officials with the Microsoft Threat Intelligence Center wrote in a post that the IoT devices became points of ingress from which the actor established a presence on the network and continued looking for further access. Once the actor had established access to the network, a simple network scan for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data, which was the main goal of these IoT Russian hackers.

After gaining access to each IoT device, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups in an attempt at further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network, which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command-and-control (C2) server assumed to be owned by the Russian hackers.

Microsoft researchers discovered the attacks in April, when a voice-over-IP phone, an office printer, and a video decoder at multiple customer locations were communicating with servers belonging to Strontium. In two of the cases, the passwords for the devices were still the ones they had shipped with.

In the third instance, the IoT device was running an old firmware version with many bugs and vulnerabilities. Microsoft officials concluded that Fancy Bear (the IoT Russian hackers) was behind the attack but were unable to determine what its primary objective was.
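The behaviours described above give a defender two concrete things to look for: an IoT device that opens connections to the internet on its own, and the same device sweeping the local subnet. The sketch below is an added example, not code from Microsoft's report or from this article; it replays a constructed connection log (the log format, the device inventory and the blocklisted address are all made up for the example; the real indicators are the ones Microsoft publishes) and flags both behaviours, plus a plain indicator match of the kind the article's closing paragraph suggests.

```python
"""
Added detection sketch (not code from Microsoft's report or this article).

It replays a constructed connection log and flags the two behaviours the
article describes: an IoT device (printer, VoIP phone, video decoder)
talking to an external host, and the same device sweeping the local
subnet for other hosts. Inventory, log lines and the C2 indicator are
constructed placeholders; the real indicators are in Microsoft's report.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory of devices that should never initiate
# connections to the internet on their own.
IOT_INVENTORY = {
    "10.0.5.21": "office-printer",
    "10.0.5.33": "voip-phone",
    "10.0.5.40": "video-decoder",
}

# Placeholder C2 indicator (a TEST-NET address); replace with the
# addresses published in the vendor report.
C2_BLOCKLIST = {"203.0.113.77"}

INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed firewall/NetFlow export: "timestamp src dst dport proto".
SAMPLE_LOG = """\
2019-04-10T08:00:01 10.0.5.21 203.0.113.77 443 tcp
2019-04-10T08:00:03 10.0.5.33 198.51.100.9 8080 tcp
2019-04-10T08:00:05 10.0.5.21 10.0.5.1 22 tcp
2019-04-10T08:00:05 10.0.5.21 10.0.5.2 22 tcp
2019-04-10T08:00:06 10.0.5.21 10.0.5.3 22 tcp
2019-04-10T08:00:06 10.0.5.21 10.0.5.4 23 tcp
2019-04-10T08:00:07 10.0.5.21 10.0.5.5 23 tcp
2019-04-10T08:00:07 10.0.5.21 10.0.5.6 80 tcp
2019-04-10T08:00:09 10.0.5.40 10.0.5.200 445 tcp
2019-04-10T08:00:10 10.0.7.15 203.0.113.77 443 tcp
2019-04-10T08:00:12 10.0.5.33 10.0.5.250 5060 udp
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, src, dst, dport, proto = parts
        events.append({"ts": ts, "src": src, "dst": dst,
                       "dport": int(dport), "proto": proto})
    return events


def is_internal(ip):
    """True if the address falls inside one of the RFC 1918 ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_iot_egress(events):
    """Flag any inventoried IoT device that initiates a connection to a
    non-internal address, and mark whether the peer is a known C2."""
    alerts = []
    for ev in events:
        if ev["src"] in IOT_INVENTORY and not is_internal(ev["dst"]):
            alerts.append({
                "device": IOT_INVENTORY[ev["src"]],
                "src": ev["src"],
                "dst": ev["dst"],
                "dport": ev["dport"],
                "known_c2": ev["dst"] in C2_BLOCKLIST,
            })
    return alerts


def detect_blocklist_hits(events):
    """Return every internal source, IoT or not, that contacted a
    blocklisted address (the indicator-matching step the article mentions)."""
    return {ev["src"] for ev in events if ev["dst"] in C2_BLOCKLIST}


def detect_subnet_sweep(events, min_targets=5):
    """Count distinct internal destinations per IoT source; a printer or
    phone reaching many neighbours looks like the 'simple network scan'
    the article describes."""
    targets = defaultdict(set)
    for ev in events:
        if ev["src"] in IOT_INVENTORY and is_internal(ev["dst"]):
            targets[ev["src"]].add(ev["dst"])
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_iot_egress(evs):
        print("egress", alert)
    print("blocklist hits", sorted(detect_blocklist_hits(evs)))
    print("sweeps", detect_subnet_sweep(evs))
```

On the constructed log the printer is flagged twice: once for talking to the placeholder C2 address and once for touching six neighbouring hosts, while the workstation at 10.0.7.15 is caught only by the indicator match. The egress rule is the one worth keeping even after the published indicators go stale, since a printer or desk phone has no business opening outbound internet connections regardless of where they go.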

How do they know they are Russian?

It's not a factor one can draw conclusions from on its own, but generally APT groups are assigned a country based on metadata. The typical Slashdot reader pretty much assumes that Google, Facebook, etc. can build almost complete profiles of individuals, and it's the same process here, only applied to coding groups.

Individually, things like reused snippets of code, IPs used, hosting providers used, crypto wallets used, etc. might not be very strong evidence, but when you have a combination of several of them with strong links to given groups, you can start putting a case together. This is what Microsoft officials based their conclusion on that the incident involved Russian hackers.

If you can gain visibility of C2 server traffic or a private chat area, and then get lucky with some bad OpSec, it's not unheard of for researchers to identify specific individuals or IPs assigned directly to government intelligence agencies.

Other Hacking Cases Through IoT Devices

It's not the first time Strontium has used such a tactic in its malicious activities. Fancy Bear, as it is publicly referred to, recently created a botnet of tens of thousands of home routers using the VPNFilter malware. Reports suggest that Strontium had planned to use the botnet to launch DDoS attacks on the night of the UEFA Champions League final, which was to be held in Kyiv, Ukraine that year.

Apart from Strontium, other well-known state-sponsored hacking groups have started targeting IoT devices, primarily routers. Examples include the LuckyMouse, FrameWork, Inception, and Slingshot groups.

Microsoft plans to reveal more information about the Strontium April 2019 attacks later this week at the Black Hat USA 2019 security conference. Microsoft's report on these recent attacks includes indicators of compromise, such as the IP addresses of the Strontium command-and-control (C&C) servers, which organizations might want to block on their networks.