Russian hackers targeting IoT devices to penetrate corporate networks, warns Microsoft

IoT devices the 'soft underbelly' of corporate networks by Russia's Fancy Bear hackers, targeting VoIP phones and printers

A hacking group linked to the Russian state has been observed targeting Internet-of-things (IoT) devices in a bid to breach secure corporate networks.

Microsoft claimed in a blog post that its Threat Intelligence Centre detected multiple attempts from Russia-linked Strontium group - also known as 'Fancy Bear' - in April to target VoIP phones, digital video recorders and printers. Hackers tried to attack IoT devices at multiple locations and attempted to use those devices as soft points to gain entry into larger corporate networks.

In two cases, the devices carried factory security settings, such as default passwords, making for easy entry. In a third case, the device was found to be using outdated firmware with known vulnerabilities

After gaining access to the devices, the attackers used them to compromise other vulnerable devices/machines on the network. Some simple scans enabled them to move across the network and gain access to "higher-privileged accounts that would grant access to higher-value data".

They executed 'tcpdump' to discover network traffic on local subnets. They were also observed trying to identify admin groups.

According to Microsoft, all those attacks were blocked in their early stages, so its security specialists have no idea exactly what the threat actors were targeting or trying to steal from the organisations' compromised networks.

"Upon conclusion of our investigation, we shared this information with the manufacturers of the specific devices involved and they have used this event to explore new protections in their products," Microsoft warned.

"However, there is a need for broader focus across IoT in general, both from security teams at organisations that need to be more aware of these types of threats, as well as from IoT device makers who need to provide better enterprise support and monitoring capabilities to make it easier for security teams to defend their networks," it added.

Strontium group - also known as the APT28, as well as Fancy Bear - is a state-sponsored hacking group thought to be controlled by the Russian military intelligence agency GRU.

The group is linked with a multitude of cyber-espionage campaigns targeting government agencies and private organisations around the world.

Last week, security researchers associated APT28 with the hacking of the email accounts of investigators who were probing crimes connected to the Russian state, including the Skripal poisonings and the downing of Malaysian Airlines flight MH17 over Ukraine in 2014.

In 2018, the FBI concluded that APT28 was responsible for infecting more than 500,000 consumer-grade routers in more than 50 countries.

The group is also linked with the hacking of the Democratic National Committee (in 2016) and France's TV5 Monde TV station, among others.

In April last year, Germany also blamed the APT28 group for launching a cyber attack on Germany's foreign ministry. The attack was uncovered in December 2017.