Russian government hackers used office technology to try to breach privileged accounts

Early this spring, Russian government-linked hackers used three popular internet of things devices with weak security to access several Microsoft customers’ networks, then tried infiltrating more privileged accounts, researchers announced Monday.

The company’s Threat Intelligence center said the Strontium group, also known as APT28 and Fancy Bear, leveraged weak security in an office printer, video decoders and a voice over IP (VoIP) phone to access wider systems. The attacks occurred as recently as April, Microsoft said, adding that hackers used insecure IoT devices as a means to attempt to break into valuable accounts where they would have found more sensitive data.

Microsoft disclosed neither the affected devices, nor which of its customers were impacted.

“While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives,” Microsoft researchers wrote in their findings, which are scheduled to be presented this week at the Black Hat security conference in Las Vegas.

The attack

This is only the latest example of Russian hackers targeting innocuous connected devices. Strontium is the same group that was behind the VPNFilter attacks that targeted 500,000 networked devices in 2018. Strontium was also behind the Democratic National Committee hack of 2016.

In two cases, the IoT devices had not had their passwords changed from the default manufacturer credentials. In one case, the customer had not run the latest security update for the device.

While the motive behind the attacks remains unclear, IoT devices did not appear to be the ultimate target. After gaining access to those office products, hackers scanned the networks for other insecure devices that could provide them access to more accounts with more privileges and data.

The group ran the packet analyzer known as tcpdump to analyze network traffic on local subnets, attempted to gain a listing of administrative groups to run further exploits, and had devices communicating with an external command-and-control server, according to the researchers.

To establish persistence on the network, Strontium dropped simple shell scripts as the hackers hopped from device to device, allowing them to keep the campaign alive.
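The pivot behaviour described above, an IoT device sweeping its local subnet and devices talking to an external command-and-control server, is something a defender can look for in network flow telemetry. The following Python is an added example, not Microsoft's code or anything from its report; the asset inventory, IP addresses, flow records and the scan threshold are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed asset inventory (hypothetical addresses): which hosts are IoT devices.
IOT_ASSETS = {
    "10.0.1.20": "printer",
    "10.0.1.21": "voip-phone",
    "10.0.1.22": "video-decoder",
}
# Internal peers an IoT device is expected to reach (hypothetical print server, PBX).
EXPECTED_PEERS = {"10.0.1.5", "10.0.1.6"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
SCAN_THRESHOLD = 5  # distinct unexpected internal peers before we call it scanning

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.0.1.20", "10.0.1.5", 9100),        # printer -> print server: normal
    *[("10.0.1.20", f"10.0.1.{n}", 445) for n in range(30, 36)],  # printer touching six hosts
    ("10.0.1.20", "203.0.113.7", 443),      # printer -> external host: C2 candidate
    ("10.0.1.21", "10.0.1.6", 5060),        # phone -> PBX: normal
    ("10.0.1.22", "10.0.1.6", 554),         # decoder -> media server: normal
    ("10.0.1.22", "198.51.100.9", 8080),    # decoder -> external host: C2 candidate
    ("10.0.1.100", "8.8.8.8", 53),          # workstation, not in inventory: ignored
]


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def analyze(flows, assets=IOT_ASSETS, expected=EXPECTED_PEERS):
    """Return (ip, role, finding, detail) tuples for IoT devices that either
    touch many unexpected internal hosts or talk to anything outside the LAN."""
    unexpected_peers = defaultdict(set)
    external_peers = defaultdict(set)
    for src, dst, _port in flows:
        if src not in assets:
            continue  # only inventoried IoT devices are in scope here
        if is_internal(dst):
            if dst not in expected:
                unexpected_peers[src].add(dst)
        else:
            external_peers[src].add(dst)
    findings = []
    for ip, role in assets.items():
        if len(unexpected_peers[ip]) >= SCAN_THRESHOLD:
            findings.append((ip, role, "internal-scan", len(unexpected_peers[ip])))
        for dst in sorted(external_peers[ip]):
            findings.append((ip, role, "external-c2-candidate", dst))
    return findings
```

Any finding is a reason to pull the device's firmware version and credential state, since the report ties both weaknesses to the compromised devices.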

IoT warnings are coming true

This incident highlights the widespread security issues IoT devices introduce not only into the private sector, but also in the government.

Often, IoT manufacturers stop releasing patches or fail to release them at all, the National Institute of Standards and Technology warned in a research paper released earlier this summer. NIST warned that as government agencies increasingly incorporate internet-connected devices in day-to-day operations, it will become more difficult for them to patch vulnerabilities.

Microsoft researchers caution that this kind of attack vector will likely only grow in years to come — by next year IoT device usage is expected to grow to 50 billion connected devices, according to Ericsson, Cisco, and others.

The public has already learned what can happen when IoT vulnerabilities get exploited.

In 2016 the Mirai botnet co-opted internet-connected devices in homes, such as routers, to launch distributed denial-of-service attacks against major companies, including Twitter and Slack. One year later, an amateur hacker tried to run a copycat Mirai campaign, according to Check Point research. Then, another variant of Mirai was used in an IoT botnet attack last year that took down banks and government agencies in the Netherlands, according to Recorded Future.

“These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments,” researchers wrote.