Microsoft Says Russia’s Strontium Behind IoT Hacks


Russian state-sponsored hackers linked to GRU, identified by Microsoft as attacking IoT devices

Russian hackers have been identified by security experts at Microsoft as being behind a series of attacks on IoT devices.

Microsoft’s Threat Intelligence Center said in a blog post that the Russian state-linked hackers were Strontium.

The Strontium hackers are also known as the Fancy Bear group, or alternatively ‘APT28’, and are closely linked to the Russian military intelligence agency, the GRU.


Strontium hackers

Microsoft has tangled with Russia’s Strontium before.

In August 2018, Microsoft foiled a Fancy Bear cyber attack targeting US conservative groups, including the International Republican Institute and the Hudson Institute think tanks.

It did so after its security staff gained control of six internet domains that mimicked the groups’ websites.

In this latest campaign, however, Strontium targeted three IoT devices (a VoIP phone, an office printer, and a video decoder) across multiple locations.

“In April, security researchers in the Microsoft Threat Intelligence Center discovered infrastructure of a known adversary communicating to several external devices,” blogged Microsoft. “Further research uncovered attempts by the actor to compromise popular IoT devices (a VoIP phone, an office printer, and a video decoder) across multiple customer locations.”

“The investigation uncovered that an actor had used these devices to gain initial access to corporate networks,” said Redmond. “In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device.”

These IoT devices gave the Russian hackers an entry point into corporate networks, where they “continued looking for further access.”

“After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets,” said Redmond. “They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server.”
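As an added illustration (not code from Microsoft’s post or this article), the script below turns two of the observations above into a defender’s check over constructed flow records: an IoT device reaching beyond its own subnet, and several IoT devices sharing one external destination, which is the pattern a C2 server leaves in traffic. Device names, IP addresses and the flow format are all assumed.

```python
import ipaddress
from collections import defaultdict

# Constructed asset inventory: IoT devices the defender knows about (hypothetical IPs).
IOT_ASSETS = {
    "10.10.5.21": "voip-phone",
    "10.10.5.40": "office-printer",
    "10.10.5.77": "video-decoder",
}

# Constructed flow records, "src,dst,dport,bytes"; 203.0.113.0/24 is the
# documentation range, standing in for an unknown external host.
SAMPLE_FLOWS = """\
10.10.5.21,10.10.5.1,5060,1200
10.10.5.40,10.10.9.15,445,8200
10.10.5.77,203.0.113.50,443,51000
10.10.5.21,203.0.113.50,8443,3300
10.10.5.40,10.10.5.2,9100,900
10.10.7.12,203.0.113.50,443,1500
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    """True when the address is outside the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)

def same_subnet(a, b, prefix=24):
    """Assumes flat /24 VLANs; adjust the prefix to the real addressing plan."""
    return (ipaddress.ip_network(f"{a}/{prefix}", strict=False)
            == ipaddress.ip_network(f"{b}/{prefix}", strict=False))

def flag_iot_flows(flow_text, assets=IOT_ASSETS):
    """Return (device, reason, dst) for IoT-originated flows that leave the device's subnet."""
    findings = []
    for line in flow_text.strip().splitlines():
        src, dst, _dport, _bytes = line.split(",")
        if src not in assets:          # only IoT devices are in scope here
            continue
        if is_external(dst):
            findings.append((assets[src], "external-c2-candidate", dst))
        elif not same_subnet(src, dst):
            findings.append((assets[src], "cross-subnet", dst))
    return findings

def shared_external_hosts(findings):
    """External destinations contacted by more than one IoT device: a C2 indicator."""
    by_dst = defaultdict(set)
    for device, reason, dst in findings:
        if reason == "external-c2-candidate":
            by_dst[dst].add(device)
    return {dst: sorted(devs) for dst, devs in by_dst.items() if len(devs) > 1}
```

Run on real flow or firewall logs, the cross-subnet findings point at the lateral movement described above and the shared-host output at a candidate C2 address to block and investigate.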

And Microsoft lost little time in identifying the hackers.

“We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as Strontium,” it wrote.

Microsoft said that it has delivered nearly 1,400 nation-state notifications to those who have been targeted or compromised by Strontium. It added that one in five notifications of Strontium activity was tied to attacks against non-governmental organisations, think tanks, or politically affiliated organisations around the world.

“The remaining 80 percent of Strontium attacks have largely targeted organisations in the following sectors: government, IT, military, defense, medicine, education, and engineering,” said Microsoft. “We have also observed and notified Strontium attacks against Olympic organising committees, anti-doping agencies, and the hospitality industry. The ‘VPN Filter’ malware has also been attributed to Strontium by the FBI.”

Russian attacks

Army General Curtis Scaparrotti, who served as NATO’s Supreme Allied Commander in Europe, last year slammed the ability of the United States to effectively combat Russia’s cyber threats while speaking at a US Senate Armed Services Committee hearing.

He said that the US government did not have an effective unified approach to deal with Russia’s cyber threat.

That is despite repeated warnings from US officials and US intelligence agencies that Russia is seeking to interfere in US elections, whether via social media (spreading fake news, misleading reports or propaganda) or plain old hacking attacks.

The Fancy Bear group is best known for hacking the Democratic National Convention (DNC) and releasing sensitive documents including internal emails ahead of the 2016 US presidential election.