New Hacking Campaign Targets Corporates


The growing network of the internet of things (IoT) can make life more convenient by automating your home and delivering data wherever you are. However, all those internet-connected devices can also provide a massive attack surface for online criminals. 

A printer, camera, or video decoder can leave a door open for an attacker to exploit.

Microsoft announced that a hacking group linked to Russian intelligence is using IoT devices such as internet-connected phones and printers to break into corporate networks. The group, tracked under names including Strontium (Microsoft's designation), Fancy Bear, and APT28, is linked to the Russian military intelligence agency GRU.

The group has been active since at least 2007. According to technologyreview.com, it is credited with a long list of infamous operations, including the 2016 breach of the Democratic National Committee, the crippling NotPetya attacks against Ukraine in 2017, and the targeting of political groups in Europe and North America throughout 2018.

The new campaign compromised common internet of things devices, including a VoIP (voice over internet protocol) phone, a connected office printer, and a video decoder, in order to gain access to corporate networks. Microsoft's Threat Intelligence Center (MSTIC) first spotted the activity in April 2019.

In two of the cases Microsoft described, the attackers got onto the targeted network because the IoT devices had been deployed with the manufacturer's default passwords still in place; in the third, the latest security update had not been applied to the device. Neither failure required a novel exploit, only ordinary configuration hygiene that had been skipped. Using those devices as a starting point, the attackers established a beachhead and looked for further access.

“Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data,” Microsoft warned in a blog post. 

The hackers moved from one device to another, establishing persistence and mapping the network as they went, communicating with command and control servers all the while.
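The behaviour described above, a device that should only ever talk to a handful of servers suddenly sweeping neighbouring hosts and then reaching out to the internet, is visible in ordinary flow or firewall logs if anyone is looking. The detector below is an added example written for this page; it is not code from the article or from Microsoft. The flow-record format, the device inventory (`IOT_DEVICES`), the internal address range and the thresholds are all assumptions, and the sample flows are constructed to mimic a VoIP phone scanning a subnet and then contacting an outside address.

```python
"""Flag inventoried IoT devices that start scanning the LAN or talking to the internet.

Added example, not code from the article or from Microsoft: the flow-log format,
the device inventory, the internal ranges and the thresholds are assumptions, and
the sample flows are constructed to mimic the behaviour the report describes.
"""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

# Assumed inventory: IoT devices that should never scan or reach the internet directly.
IOT_DEVICES = {
    "10.10.5.21": "voip-phone",
    "10.10.7.40": "office-printer",
    "10.10.9.3": "video-decoder",
}

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range

# Constructed flow records: "<UTC time> <src> <dst> <dport> <proto>".
# 203.0.113.0/24 is a documentation range standing in for an attacker-controlled server.
SAMPLE_FLOWS = """\
2019-04-12T09:00:01Z 10.10.5.21 10.10.1.5 5060 udp
2019-04-12T09:00:30Z 10.10.7.40 10.10.1.9 443 tcp
2019-04-12T09:04:10Z 10.10.5.21 10.10.1.5 5060 udp
2019-04-12T09:05:00Z 10.10.5.21 10.10.7.1 445 tcp
2019-04-12T09:05:01Z 10.10.5.21 10.10.7.2 22 tcp
2019-04-12T09:05:02Z 10.10.5.21 10.10.7.3 23 tcp
2019-04-12T09:05:03Z 10.10.5.21 10.10.7.4 445 tcp
2019-04-12T09:05:04Z 10.10.5.21 10.10.7.5 22 tcp
2019-04-12T09:05:05Z 10.10.5.21 10.10.7.6 23 tcp
2019-04-12T09:05:06Z 10.10.5.21 10.10.7.7 445 tcp
2019-04-12T09:05:07Z 10.10.5.21 10.10.7.8 22 tcp
2019-04-12T09:05:08Z 10.10.5.21 10.10.7.9 23 tcp
2019-04-12T09:05:09Z 10.10.5.21 10.10.7.10 445 tcp
2019-04-12T09:06:00Z 10.10.7.40 10.10.1.9 443 tcp
2019-04-12T09:07:00Z 10.10.5.21 203.0.113.9 443 tcp
"""


def parse_flow(line):
    """Parse one flow record into a dict with a timezone-aware timestamp."""
    ts, src, dst, dport, proto = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect(lines, devices=IOT_DEVICES, window_s=300, min_hosts=8):
    """Return {src_ip: [finding, ...]} for inventoried devices that misbehave.

    internal_scan:    the device reached >= min_hosts distinct internal hosts
                      within a sliding window of window_s seconds (reported once).
    external_contact: the device opened a connection to a non-internal address.
    """
    flows = sorted((parse_flow(line) for line in lines if line.strip()),
                   key=lambda f: f["ts"])
    findings = defaultdict(list)
    recent = defaultdict(list)      # src -> flows still inside the sliding window
    scan_reported = set()
    for f in flows:
        src = f["src"]
        if src not in devices:
            continue                # drop this check to watch every host, not only IoT
        if not is_internal(f["dst"]):
            findings[src].append({
                "type": "external_contact", "device": devices[src],
                "dst": f["dst"], "dport": f["dport"], "proto": f["proto"],
                "at": f["ts"].isoformat(),
            })
            continue
        cutoff = f["ts"].timestamp() - window_s
        window = [x for x in recent[src] if x["ts"].timestamp() >= cutoff] + [f]
        recent[src] = window
        hosts = {x["dst"] for x in window}
        if len(hosts) >= min_hosts and src not in scan_reported:
            scan_reported.add(src)
            findings[src].append({
                "type": "internal_scan", "device": devices[src],
                "hosts": len(hosts),
                "ports": sorted({x["dport"] for x in window}),
                "at": f["ts"].isoformat(),
            })
    return dict(findings)


if __name__ == "__main__":
    for src, items in detect(SAMPLE_FLOWS.splitlines()).items():
        for item in items:
            print(src, item)
```

On the constructed sample the phone is reported twice, once for touching eight distinct internal hosts within the window and once for the outbound connection, while the printer, which only ever talks to its usual server, produces nothing. The thresholds are deliberately loose; the point is that an inventory of devices with a known, narrow traffic profile turns a generic "many destinations" rule into a high-confidence alert, and that the inventory itself is the prerequisite the compromised organisations were missing.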