Microsoft Says Russia’s Strontium Behind IoT Hacks

Russian hackers have been identified by security experts at Microsoft as being behind a series of attacks on IoT devices.

Microsoft’s Threat Intelligence Center said in a blog posting that the Russian state-linked hackers were Strontium.

The Strontium hackers are also known as the Fancy Bear group, or alternatively ‘APT28’, and are closely linked to the Russian military intelligence agency, the GRU.

Strontium hackers

Microsoft has tangled with Russia’s Strontium before.

In August 2018 Redmond foiled the Fancy Bear cyber attack that was targeting US conservative groups including the International Republican Institute and the Hudson Institute think tanks.

It did this when Microsoft security staff gained control of six net domains mimicking their websites.

In this latest attack, however, Strontium targeted three IoT devices (a VoIP phone, an office printer, and a video decoder) across multiple locations.

“In April, security researchers in the Microsoft Threat Intelligence Center discovered infrastructure of a known adversary communicating to several external devices,” blogged Microsoft. “Further research uncovered attempts by the actor to compromise popular IoT devices (a VoIP phone, an office printer, and a video decoder) across multiple customer locations.”

“The investigation uncovered that an actor had used these devices to gain initial access to corporate networks,” said Redmond. “In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device.”

These IoT devices gave the Russian hackers an entry point into corporate networks, where they “continued looking for further access.”

“After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets,” said Redmond. “They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server.”
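The behaviour Microsoft describes (a phone, printer or decoder sniffing its subnet, hopping to other devices and talking to an external C2 server) is exactly what per-device network policy and egress monitoring are meant to surface: such devices have a small, fixed set of legitimate destinations, so anything else is worth an alert. The following is an added example, not code from Microsoft or from the article, that walks a constructed device inventory and constructed flow records and reports three kinds of deviation: direct egress to a non-RFC 1918 address (candidate C2 traffic), connections to another inventoried IoT device (candidate device-to-device movement) and connections to any other internal host (candidate enumeration). It assumes the RFC 1918 ranges are the corporate internal space and that each device's legitimate (destination, port) pairs are known; every IP, port and role below is made up for the example.

```python
"""Flag inventoried IoT devices that talk to anything outside their expected set.

Added example (not Microsoft's code): given an inventory of IoT devices and the
internal services each one legitimately needs, walk flow records and report
connections the device should never make.
"""
import ipaddress
from collections import Counter

# RFC 1918 ranges taken as "internal" for this example (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory: device IP -> role and the (dst_ip, dst_port) pairs it
# legitimately uses (SIP server, print server, streaming source).
INVENTORY = {
    "10.0.20.11": {"role": "voip-phone",
                   "allowed": {("10.0.5.10", 5060), ("10.0.5.10", 5061)}},
    "10.0.20.12": {"role": "printer",
                   "allowed": {("10.0.5.20", 631)}},
    "10.0.20.13": {"role": "video-decoder",
                   "allowed": {("10.0.5.30", 554)}},
}

# Constructed flow records: (src_ip, dst_ip, dst_port, protocol).
SAMPLE_FLOWS = [
    ("10.0.20.11", "10.0.5.10", 5060, "udp"),     # phone -> SIP server: expected
    ("10.0.20.11", "203.0.113.45", 443, "tcp"),   # phone -> external host: candidate C2
    ("10.0.20.12", "10.0.5.20", 631, "tcp"),      # printer -> print server: expected
    ("10.0.20.12", "10.0.20.13", 22, "tcp"),      # printer -> decoder over SSH: device hopping
    ("10.0.20.13", "10.0.40.5", 445, "tcp"),      # decoder -> file server SMB: enumeration
    ("10.0.30.7", "203.0.113.45", 443, "tcp"),    # workstation, not an IoT device: out of scope
]


def is_internal(ip):
    """True if ip falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(src, dst, port, inventory=INVENTORY):
    """Return None for expected or out-of-scope traffic, else a finding kind."""
    device = inventory.get(src)
    if device is None:
        return None                       # not an inventoried IoT device
    if (dst, port) in device["allowed"]:
        return None                       # on the device's allow-list
    if not is_internal(dst):
        return "external-egress"          # IoT device reaching the internet directly
    if dst in inventory:
        return "iot-to-iot"               # one IoT device connecting to another
    return "internal-unexpected"          # any other internal host


def find_anomalies(flows, inventory=INVENTORY):
    """Walk flow records and collect every unexpected IoT connection."""
    findings = []
    for src, dst, port, proto in flows:
        kind = classify_flow(src, dst, port, inventory)
        if kind is not None:
            findings.append({"device": src, "role": inventory[src]["role"],
                             "dst": dst, "port": port, "proto": proto, "kind": kind})
    return findings


def summarize(findings):
    """Count findings per (device role, finding kind) for a quick triage view."""
    return Counter((f["role"], f["kind"]) for f in findings)


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_FLOWS):
        print(f"{f['kind']:<20} {f['role']:<14} {f['device']} -> "
              f"{f['dst']}:{f['port']}/{f['proto']}")
    print(summarize(find_anomalies(SAMPLE_FLOWS)))
```

The allow-list is deliberately tiny because that is the point: a VoIP phone needs its SIP server and little else, so a strict per-device policy turns tcpdump-style sniffing, device-to-device hops and C2 beacons into a short, readable list of exceptions rather than something to hunt for in bulk traffic.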

And Microsoft lost little time in identifying the hackers.

“We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as Strontium,” it wrote.

Microsoft said that it has delivered nearly 1,400 nation-state notifications to those who have been targeted or compromised by Strontium. And it said that one in five notifications of Strontium activity was tied to attacks against non-governmental organisations, think tanks, or politically affiliated organizations around the world.

“The remaining 80 percent of Strontium attacks have largely targeted organisations in the following sectors: government, IT, military, defense, medicine, education, and engineering,” said Microsoft. “We have also observed and notified Strontium attacks against Olympic organising committees, anti-doping agencies, and the hospitality industry. The ‘VPN Filter’ malware has also been attributed to Strontium by the FBI.”

Russian attacks

Army General Curtis Scaparrotti, who served as NATO’s Supreme Allied Commander in Europe, last year criticised the ability of the United States to effectively combat Russia’s cyber threats while speaking at a US Senate Armed Services Committee hearing.

He said that the US government did not have an effective unified approach to deal with Russia’s cyber threat.

This is despite the fact that US officials and US intelligence agencies have repeatedly warned that Russia is seeking to interfere in US elections, either via social media (to spread fake news, misleading reports or propaganda) or plain old hacking attacks.

The Fancy Bear group is best known for hacking the Democratic National Convention (DNC) and releasing sensitive documents including internal emails ahead of the 2016 US presidential election.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
