Just ahead of Black Hat 2019, Microsoft has reported that in April its Threat Intelligence Center discovered a targeted attack against IoT devices—a VOIP phone, a printer and a video decoder. The attack hit multiple locations, using the devices as soft access points into wider corporate networks. Two of the three devices still carried factory security settings, and the software on the third hadn’t been updated.
Microsoft attributed the attack to a group of Russian hackers called Strontium, also known as Fancy Bear and most commonly as APT28. A week ago, the same state-sponsored hacking group was linked to the hacking of the secure email accounts of researchers investigating crimes alleged to have been committed by the Russian state—including the downing of MH17 and the Skripal poisonings.
Russia’s APT28 is believed to be controlled by the GRU, Russia’s military intelligence agency. According to the cybersecurity researchers at CrowdStrike, APT28 has now “targeted victims in multiple sectors across the globe—because of its extensive operations against defense ministries and other military victims—its profile closely mirrors the strategic interests of the Russian government.”
Microsoft reported that in the last year, it has “delivered nearly 1400 nation-state notifications to those who have been targeted or compromised by Strontium.” Around 20% of those attacks targeted non-governmental or politically affiliated organizations. The rest targeted the highest-profile sectors for state-sponsored attacks: government, defense, technology, medicine and engineering.
Just days ago, I reported that security researchers at Armis had disclosed multiple zero-day vulnerabilities in VxWorks, the operating system that powers more than 2 billion IoT devices around the world. As I said at the time, given the anticipated growth in the number of IoT devices, this should hammer home the seriousness of the risk, and how easily this scale of devices can be exposed.
The VxWorks disclosure impacted ostensibly low-risk devices: printers, firewalls, medical equipment. But the risk was that those devices would provide access points into corporate networks, rendering network security layers useless.
It hasn’t taken long for that message to be reinforced. “IoT devices are purposefully designed to connect to a network and many are simply connected to the internet with little management or oversight,” Microsoft pointed out in its blog. “In most cases however, the customers’ IT operation center don’t know they exist on the network.”
But exist they do, and in this instance “they became points of ingress from which the actor established a presence on the network and continued looking for further access. Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network—dropping a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control server.”
The VxWorks disclosure was a warning shot. It should be a pretty obvious point. If devices are plugged into a corporate network and can see the outside world, they become vulnerabilities. If your IT department doesn’t know they exist, they aren’t patched or maintained, and those endpoints become your easiest points of entry. And now we’re talking state-sponsored attacks—now we’re sitting at the grown-ups’ table.
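A defender’s starting point for the two problems described above (devices the IT department doesn’t know about, and devices talking to an external command and control server), written here as an added example and not code from the article, from Microsoft or from Armis: a small Python check that joins flow records against an asset inventory to surface untracked LAN hosts reaching the internet, and flags repeated same-sized connections as possible check-ins. The inventory, the flow records and every address in them are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed asset inventory: the hosts the IT department knows about and
# patches. Anything on the LAN that is missing here is the untracked kind of
# device the article describes (a VoIP phone, a printer, a video decoder).
MANAGED_ASSETS = {"10.0.1.10": "file-server-01", "10.0.1.20": "workstation-ann"}

# Constructed flow records: (source, destination, destination port, bytes).
# Destinations use RFC 5737 documentation ranges to stand in for internet
# hosts. One unmanaged device repeats identical small connections, the
# shape of a periodic command-and-control check-in.
FLOWS = [
    ("10.0.1.20", "10.0.1.10", 445, 12000),
    ("10.0.1.55", "203.0.113.9", 443, 512),   # 10.0.1.55: untracked VoIP phone
    ("10.0.1.55", "203.0.113.9", 443, 512),
    ("10.0.1.55", "203.0.113.9", 443, 512),
    ("10.0.1.77", "198.51.100.4", 80, 900),   # 10.0.1.77: untracked printer
    ("10.0.1.10", "198.51.100.4", 443, 3000),  # managed host, not flagged
]

# RFC 1918 plus loopback and link-local; an explicit list rather than
# ipaddress's is_global, which treats the documentation ranges as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def is_external(addr):
    """True when addr lies outside every internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def find_shadow_devices(flows, managed):
    """Map each source not in the inventory to the set of external hosts it
    contacted. An empty result means every internet-talking host is managed."""
    hits = defaultdict(set)
    for src, dst, _port, _nbytes in flows:
        if src not in managed and is_external(dst):
            hits[src].add(dst)
    return dict(hits)

def find_beacons(flows, min_repeats=3):
    """Return sorted (src, dst, port) seen at least min_repeats times with an
    identical byte count: a crude first filter for periodic check-ins."""
    counts = defaultdict(int)
    for src, dst, port, nbytes in flows:
        counts[(src, dst, port, nbytes)] += 1
    return sorted({k[:3] for k, n in counts.items() if n >= min_repeats})
```

Run against real flow exports, the same two functions answer the two questions the article raises: which hosts on the network are nobody’s responsibility, and which of those are already talking to someone outside.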
Microsoft says it is making the disclosure to “raise awareness of these risks across the industry and calling for better enterprise integration of IoT devices—today, the number of deployed IoT devices outnumber the population of personal computers and mobile phones, combined.”
I concluded the VxWorks report by asking “what other critical vulnerabilities exist within other commonplace industrial IoT systems—perhaps in aerospace and defense, in critical infrastructure, in energy and resources?”