STRONTIUM APT group compromises IoT devices to infiltrate enterprise networks

• Microsoft Threat Intelligence Center attributed the attacks to the STRONTIUM APT group, also known as APT28 and Fancy Bear.
• The compromised IoT devices include VOIP phone, office printer, and video decoder.

Microsoft security researchers have observed that a Russian-base cyber-espionage group compromises IoT devices to infiltrate corporate networks.

What was compromised?

Microsoft Threat Intelligence Center attributed the attacks to the STRONTIUM APT group, also known as APT28 and Fancy Bear.

• Microsoft researchers said that they observed the threat group compromising IoT devices in April 2019.
• The compromised IoT devices include VOIP phone, office printer, and video decoder.

A detailed picture

The researchers noted that the threat group compromises IoT devices in order to gain access to corporate networks. In two of the cases observed by them, the passwords for the IoT devices were deployed without changing the default manufacturer's passwords and in the third instance, the latest security update had not been applied to the device.

• Upon compromising corporate IoT devices, the threat group would use them to compromise other vulnerable machines within the network with simple scans.
• This would enable them to move across the network, thereby gaining access to higher-privileged accounts.
• While the threat group moves from one device to another, they would drop a simple shell script to establish persistence on the network which allowed further exploitation.
• However, the researchers were unable to determine the end goal of these corporate intrusions as these attacks were blocked by Microsoft in the early stages.

“After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting,” researchers explained.