State-sponsored cyber spies targeting IoT - a warning from Microsoft

Jerry Bowles, August 12, 2019
IoT devices are the latest to be targeted by black hat hackers. Are you prepared?


Cyber spies are breaking into large enterprises through IoT devices that IT departments may not know exist on the network.

Keeping track of the deluge of IoT devices being connected to enterprise networks and making sure they are updated and protected is not the most exciting job in IT. But, it is fast becoming one of the most important because, as Microsoft notes, the number of deployed IoT devices already outnumbers the population of personal computers and mobile phones, combined, and is growing exponentially daily. 

State-sponsored actors have taken notice of IoT weaknesses such as default passwords, outdated protocols, the absence of encryption, incorrect configurations and unpatched devices, and are using them to get in through the back door of enterprise networks.

Many sources estimate that by the year 2020 some 50 billion IoT devices will be deployed worldwide. With such a rapid expansion of an enterprise’s potential attack surface, it would seem obvious that such devices had to be identifiable, maintained, and monitored by security teams, especially in large complex enterprises.  

Apparently, it is not that obvious. Warned Eric Doerr, general manager of the Microsoft Security Response Center:

IoT devices are purposefully designed to connect to a network and many are simply connected to the internet with little management or oversight. Some IoT devices may even communicate basic telemetry back to the device manufacturer or have means to receive software updates. In most cases however, the customers' IT operations center doesn't know they exist on the network.

That is clearly an invitation for an enterprising hacker group to get into the network undetected and wreak havoc.

A case in point

Back in April, Microsoft security researchers observed the infamous Russian-backed hacking group STRONTIUM (also known as Fancy Bear or APT28) compromising popular IoT devices (a VOIP phone, an office printer, and a video decoder) across multiple customer locations. This is the group previously connected to several of the best-known cyber-espionage campaigns targeting governments around the world, including the Democratic National Committee hack ahead of the 2016 US Presidential Election.

Breaking in via IoT devices was incredibly simple. In two of the instances analyzed by Microsoft's research team, the devices had been deployed without changing the manufacturer's default passwords; in the third instance the latest security update had not been applied.

Once the hackers successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data.  After gaining access to each of the IoT devices, STRONTIUM ran tcpdump to sniff network traffic on local subnets. They were also observed sniffing administrative groups to attempt further exploitation. As Doerr explained:

They would drop a shell script on each of the devices that got compromised in the attacks, allowing them to have an upstream of information being delivered to their command and control (C2) servers and to maintain persistence within the network and providing them with prolonged access to keep their "hunting" active. 

Microsoft says that over the last twelve months, it has delivered nearly 1400 nation-state notifications to those who have been targeted or compromised by STRONTIUM. One in five notifications of STRONTIUM activity was tied to attacks against non-governmental organizations, think tanks, or politically affiliated organizations around the world.

The rest of the STRONTIUM notifications delivered by Microsoft to their clients have had as a target a wide range of government, IT, military, defense, medicine, Olympic organizing committees, anti-doping agencies, hospitality, education, and engineering entities from all over the world.

Although the attacks were attributed to STRONTIUM, Microsoft's researchers were unable to determine the end goal of these corporate intrusions because they were all detected within the early stages.

The same STRONTIUM (APT28) group was blamed for running a campaign last year that exploited hundreds of thousands of home and small business networking and storage devices to plant the so-called "VPNFilter" malware.

This is not the first time that insecure IoT devices have been exploited by cybercriminals. In 2016 IP cameras and basic home routers were infected with the Mirai malware, creating a botnet that was subsequently abused to take out DNS provider Dyn in an attack that left many high-profile websites inaccessible.

12 steps to beat IoT attacks?

Microsoft says there are many things companies can do to reduce the risk of attacks on their networks via IoT devices. Among them:

  1. Require approval and cataloging of any IoT devices running in your corporate environment.
  2. Develop a custom security policy for each IoT device.
  3. Avoid exposing IoT devices directly to the internet or create custom access controls to limit exposure.
  4. Use a separate network for IoT devices if feasible.
  5. Conduct routine configuration/patch audits against deployed IoT devices.
  6. Define policies for isolation of IoT devices, preservation of device data, ability to maintain logs of device traffic, and capture of device images for forensic investigation.
  7. Include IoT device configuration weaknesses or IoT-based intrusion scenarios as part of Red Team testing.
  8. Monitor IoT device activity for abnormal behavior (e.g. a printer browsing SharePoint sites…).
  9. Audit any identities and credentials that have authorized access to IoT devices, users and processes.
  10. Centralize asset/configuration/patch management if feasible.
  11. If your devices are deployed/managed by a 3rd party, include explicit Terms in your contracts detailing security practices to be followed and Audits that report security status and health of all managed devices.
  12. Where possible, define SLA Terms in IoT device vendor contracts that set a mutually acceptable window for investigative response and forensic analysis to any compromise involving their product.
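As an added illustration of steps 1, 2, 4 and 8 (this is example code, not Microsoft's or the author's), the following Python script checks constructed flow records against a per-device policy and flags an uninventoried device, a printer reaching an internal web host, a phone reaching the internet, and a single device probing many internal hosts on one port. The IoT VLAN, the inventory entries and the flow lines are all assumed sample values.

```python
import ipaddress
from collections import defaultdict

IOT_VLAN = ipaddress.ip_network("10.20.5.0/24")  # separate IoT segment (step 4), assumed
CORP_NET = ipaddress.ip_network("10.20.0.0/16")

# Steps 1 and 2: catalogued devices and the only destinations each should reach (constructed).
INVENTORY = {
    "10.20.5.11": ("printer", ["10.20.1.10/32"]),       # print server only
    "10.20.5.12": ("voip-phone", ["10.20.2.0/24"]),     # PBX subnet
    "10.20.5.13": ("video-decoder", ["10.20.3.5/32"]),  # streaming source
}

# Constructed flow records "timestamp src dst dport", as a firewall or NetFlow export might give.
FLOWS = """2019-04-02T09:00:01 10.20.5.11 10.20.1.10 9100
2019-04-02T09:00:05 10.20.5.11 10.20.4.20 443
2019-04-02T09:00:09 10.20.5.12 10.20.2.7 5060
2019-04-02T09:01:00 10.20.5.12 203.0.113.9 443
2019-04-02T09:01:30 10.20.5.13 10.20.3.5 554
2019-04-02T09:02:00 10.20.5.13 10.20.6.1 445
2019-04-02T09:02:01 10.20.5.13 10.20.6.2 445
2019-04-02T09:02:02 10.20.5.13 10.20.6.3 445
2019-04-02T09:02:03 10.20.5.13 10.20.6.4 445
2019-04-02T09:03:00 10.20.5.40 10.20.1.10 9100"""

def find_anomalies(flow_text, scan_threshold=4):
    """Return (src, reason) pairs for flows that break a device's policy (step 8)."""
    alerts, targets = [], defaultdict(set)  # targets: (src, dport) -> distinct internal dsts
    for line in flow_text.splitlines():
        _ts, src, dst, dport = line.split()
        if ipaddress.ip_address(src) not in IOT_VLAN:
            continue  # only IoT-segment sources are profiled here
        entry = INVENTORY.get(src)
        if entry is None:
            alerts.append((src, "uninventoried device on IoT VLAN"))
            continue
        dtype, allowed = entry
        dst_ip = ipaddress.ip_address(dst)
        if not any(dst_ip in ipaddress.ip_network(net) for net in allowed):
            where = "internal" if dst_ip in CORP_NET else "internet"
            alerts.append((src, f"{dtype} contacted off-policy {where} host {dst}:{dport}"))
        if dst_ip in CORP_NET:
            targets[(src, dport)].add(dst)
    # Many distinct internal hosts on one port from a single device looks like the
    # "simple network scan" described above.
    for (src, dport), dsts in targets.items():
        if len(dsts) >= scan_threshold:
            alerts.append((src, f"possible scan: {len(dsts)} hosts on port {dport}"))
    return alerts
```

Calling find_anomalies(FLOWS) on the sample yields eight alerts: six off-policy contacts, one uninventoried device and one scan warning for the video decoder.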

Said Eric Doerr:

A lot of enterprise security effort these days is focused on preventing hardware implants—sneaky code or capabilities that are baked into hardware—but cyberattackers are happy to exploit simpler configuration and security issues to achieve their objectives.

My take

We should always be careful whenever a vendor talks about threats. The spread of FUD is a well-worn path to drive enterprise sales. But on this topic, Microsoft is right to warn about the dangers. They're not the first and I suspect they won't be the last. It is, for instance, no coincidence that national governments are wary about who builds the network components that will hook up billions of devices operating across 5G networks. 

We have clearly entered an era when nation-states increasingly rely on cyberattacks as a means for both collecting and extracting intelligence, either to influence geopolitics or to achieve other, often economic objectives. Microsoft said in July that it has alerted around 10,000 of its customers in the past year of being either targeted or compromised by nation-state sponsored hacking groups.  

The burgeoning and loosely guarded IoT landscape is clearly a target with vulnerabilities that need hardening by all organizations, especially those with large global networks. IoT is transforming businesses in every industry and is powering breakthrough innovations, but realizing the full potential of what IoT can deliver will require the technology industry to address the security challenges head-on.
