Hacker groups linked to Russian spy agencies are using Internet of Things (IoT) devices, such as internet-connected phones and printers, to break into corporate networks, Microsoft announced.
The groups, known by names such as Strontium, Fancy Bear, and APT28, are linked to Russia's military intelligence agency (GRU). They have been active since at least 2007 and are accused of a long list of other operations, including the 2016 breach of the Democratic National Committee, the 2017 NotPetya attacks that crippled Ukraine, and the targeting of political groups in Europe and North America throughout 2018.
The attacks go through devices connected to the "Internet of Things" (IoT), including VoIP (voice over IP) phones, connected office printers, and video decoders, which the attackers use as entry points into corporate networks. Microsoft has broad visibility into corporate networks because so many organizations run Windows machines, and its threat intelligence center says it has been tracking this new Fancy Bear activity since April 2019.
In several cases, Microsoft saw Fancy Bear gain access to target networks because the IoT devices had been deployed with their default passwords still in place. In other cases, available security updates had not been applied. Using these devices as an initial foothold, the attackers established a beachhead and sought further access.
“Once the bad guys had successfully established themselves and gained access, a simple network scan to look for other insecure devices allowed them to discover and move around the network in search of higher-privilege accounts that would grant access to higher-value data,” Microsoft said in a blog post.
The attackers moved from device to device, establishing persistence and mapping the network as they went, while staying in contact with their command and control servers throughout.
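The pattern described above, an IoT device that suddenly fans out across the internal network and then talks to an outside host, is something a defender can look for in flow logs. The following is an added example written for this page, not code from Microsoft's post or its tooling: it reads constructed flow records and flags an inventoried IoT device that contacts internal hosts beyond its expected peers or reaches an external address. The inventory, allow lists, address range and flow lines are all assumed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed corporate address space
# Assumed asset inventory (IoT address -> class) and the only internal peers
# each class should ever talk to; both would come from a real CMDB.
INVENTORY = {"10.0.20.12": "voip_phone", "10.0.30.7": "printer"}
EXPECTED_PEERS = {"voip_phone": {"10.0.1.5"},  # SIP/PBX server
                  "printer": {"10.0.1.9"}}     # print server
# Constructed flow records "src,dst,dst_port": the printer behaves, the phone
# fans out to SSH/SMB/Telnet on other hosts and then beacons to an external IP.
SAMPLE_FLOWS = """\
10.0.30.7,10.0.1.9,631
10.0.20.12,10.0.1.5,5060
10.0.20.12,10.0.1.20,22
10.0.20.12,10.0.1.21,22
10.0.20.12,10.0.1.22,445
10.0.20.12,10.0.1.23,23
10.0.20.12,10.0.1.24,23
10.0.20.12,203.0.113.50,443
10.0.20.12,203.0.113.50,443
""".splitlines()


def find_iot_pivots(flow_lines, scan_threshold=5):
    """Return {device: [findings]} for IoT devices whose traffic looks like
    internal scanning (fan-out beyond the allow list) or command-and-control."""
    internal_peers = defaultdict(set)
    external_peers = defaultdict(set)
    for line in flow_lines:
        src, dst, _port = line.strip().split(",")
        if src not in INVENTORY:
            continue  # only inventoried IoT devices are in scope here
        if ip_address(dst) in INTERNAL:
            internal_peers[src].add(dst)
        else:
            external_peers[src].add(dst)
    findings = {}
    for dev, role in INVENTORY.items():
        notes = []
        # Distinct internal hosts this device reached that are not on its allow list
        unexpected = internal_peers[dev] - EXPECTED_PEERS[role]
        if len(unexpected) >= scan_threshold:
            notes.append(f"fan-out to {len(unexpected)} internal hosts outside the {role} allow list")
        for peer in sorted(external_peers[dev]):
            notes.append(f"external peer {peer}: possible command-and-control")
        if notes:
            findings[dev] = notes
    return findings
```

In practice the allow lists would be generated from the device inventory rather than typed by hand, and the threshold tuned per device class.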