
Microsoft has revealed that a Russian state-linked hacking group carried out a campaign earlier this year that broke into organizations through IoT hardware. The company's Threat Intelligence Center says the coordinated campaign reached charities, think tanks, political groups, and government agencies by way of connected devices on their networks.

Devices around the globe are increasingly interconnected through the Internet of Things. While IoT makes it possible to reach devices throughout the home or workplace, it has also created a huge attack surface, because each of those devices is a network-connected computer that is rarely monitored or patched like one.

Microsoft's Threat Intelligence Center says it observed the activity in April. The intrusions were most likely carried out by the group Microsoft tracks as Strontium, better known as Fancy Bear or APT28. The group has a long record of operations in support of the Russian government, including the 2016 breach of the Democratic National Committee.

Fancy Bear is widely assessed to be part of Russian military intelligence (the GRU). The destructive NotPetya outbreak of 2017, which posed as ransomware but was effectively a wiper, was also attributed by the US and UK governments to the Russian military, although that operation is generally tied to a separate GRU unit (Sandworm) rather than to Fancy Bear itself.

IoT Attack

In a blog post, Microsoft says the latest attacks targeted connected devices that typically sit outside the reach of normal security monitoring. Specifically, Fancy Bear went after VoIP phones, office printers, and video decoders. These devices are often reachable from the internet but rarely receive security updates. According to Microsoft, two of the compromised devices were still using the manufacturer's default password, and the third had not had the latest security update applied.

Microsoft was able to identify the intrusions because it has visibility into so much of what runs on corporate networks, from Windows endpoints to its cloud services. The IoT compromises are not an isolated case: the company says that over the previous twelve months it sent roughly 1,400 notifications to customers that had been targeted or compromised by Strontium. Microsoft describes how the devices were used:

“These devices became points of ingress from which the actor established a presence on the network and continued looking for further access,” Microsoft says. “Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data. After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets.”

Of the roughly 1,400 Strontium notifications, Microsoft says about 80 percent concerned attacks on government, IT, military, defense, medical, education, and engineering organizations. The remaining one in five related to attacks on non-governmental organizations, think tanks, and politically affiliated groups.