Fancy Bear attackers return using hacked IoT devices


A well-known Russia-sponsored hacking group used vulnerable Internet of Things (IoT) devices as entry points into high-value targets, using them as stepping stones as they tried to expand their reach, security experts are warning.

Security researchers from Microsoft's Threat Intelligence Centre said they spotted APT28, also known as Fancy Bear or Strontium, trying to break into a VOIP phone, an office printer, and a video decoder. In some cases, the default login credentials were never changed, making the job that much easier for the hackers.

"The investigation uncovered that an actor had used these devices to gain initial access to corporate networks," the Redmond-based company said. "In two of the cases, the passwords for the devices were deployed without changing the default manufacturer's passwords and in the third instance the latest security update had not been applied to the device."

These IoT devices, however, were not the end goal. They were merely a way into the network, from which the attackers would conduct further scans for vulnerable systems.

"After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets," Microsoft said.

"They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting," the OS maker added.
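A defender-side illustration of the behaviours quoted above, written for this article and not taken from Microsoft's report: it parses constructed device log lines and flags logins by vendor default accounts over password authentication, packet-capture tools launched on the device, and shell scripts run from /tmp. The log format, hostnames, account list and paths are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article): syslog-style events
# as an IoT device or its network monitor might emit them.
SAMPLE_LOGS = """\
2019-08-05T10:01:12Z printer-02 auth: login ok user=admin method=password
2019-08-05T10:01:40Z printer-02 exec: /usr/sbin/tcpdump -i eth0 -w /tmp/.c
2019-08-05T10:05:03Z voip-11 auth: login ok user=root method=password
2019-08-05T10:05:30Z voip-11 exec: /bin/sh /tmp/.update.sh
2019-08-05T10:07:00Z decoder-03 auth: login ok user=svc_monitor method=key
2019-08-05T10:07:15Z decoder-03 exec: /usr/bin/nc 10.0.5.20 445
"""

# Assumed vendor default accounts that should not log in interactively with
# a password once a device is commissioned; adjust per fleet.
DEFAULT_ACCOUNTS = {"admin", "root"}
SNIFFERS = {"tcpdump", "tshark"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\w+): (?P<msg>.*)$")

def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def findings_for(event):
    """Return finding tags for one parsed event (empty list if benign)."""
    tags = []
    kind, msg = event["kind"], event["msg"]
    if kind == "auth":
        fields = dict(kv.split("=", 1) for kv in msg.split()[2:])
        if fields.get("user") in DEFAULT_ACCOUNTS and fields.get("method") == "password":
            tags.append("default-account-password-login")
    elif kind == "exec":
        argv = msg.split()
        prog = argv[0].rsplit("/", 1)[-1]
        if prog in SNIFFERS:
            tags.append("packet-capture-on-device")
        if prog == "sh" and any(a.startswith("/tmp/") for a in argv[1:]):
            tags.append("shell-script-from-tmp")
    return tags

def analyze(log_text):
    """Map each device hostname to the sorted suspicious behaviours seen on it."""
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev:
            per_host[ev["host"]].update(findings_for(ev))
    return {h: sorted(t) for h, t in per_host.items() if t}
```

Devices with only key-based service logins and no flagged executions, such as the constructed decoder-03, produce no finding, so the output is a short per-device list to triage rather than the raw log.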

Microsoft said the attacks were prevented in their earlier stages, so it’s hard to determine what the hackers were going for.