Russians, Fancy Bears, and IoT Security

by | Aug 15, 2019

During the 2019 Black Hat conference in Las Vegas, Nevada, Microsoft made an announcement that generated a lot of buzz. Their discovery? A malicious Russian hacker group has been targeting common IoT devices. Their goal? Widespread attacks on corporate networks using these standard devices, which have for so long been overlooked as possible threats.

Microsoft reported that in April there were attacks carried out by the hacker group known as Strontium, also called Fancy Bear or APT28. The group has continued to grow and has been an active threat to security since 2007.

Internet of Things (IoT) Devices Are Most Vulnerable 

Strontium has been targeting common IoT devices such as VOIP phones and printers. Many of these devices still carry their default passwords, such as “password” and “admin,” yet they connect to corporate networks, so gaining access to one of these simple devices gives the attackers a foothold from which to work their way through to more sensitive information. Industries affected include think tanks, politically affiliated organizations, military, education, and healthcare, to name a few. The group's main aim and its ultimate targets have yet to be determined.

We sat down with ReFirm Labs co-founders Terry Dunlap and Peter Eacmen to discuss their thoughts on the recent announcement from Microsoft.

Here is what they had to say: 

Question: On a scale of 1 to 10 (with 10 being the most serious), how worried should people be about these kinds of attacks on IoT devices? 

Terry Dunlap: “This is a 10, no doubt. IoT security is the most pressing issue in cyber-security today. The most vulnerable? Connected devices. They are susceptible to attacks because of flaws and vulnerabilities in firmware.” 

“As a commonly unprotected surface, foreign and domestic hackers alike love to exploit firmware vulnerabilities — think hidden backdoors and unauthenticated access — to carry out malicious acts. It takes just one firmware weakness for bad actors to gain access to an IoT device and then use that attack surface to compromise the integrity of an entire network.”

Peter Eacmen: “It depends entirely on your risk profile — although the average person largely doesn’t care because this won’t have a direct impact, enterprises should pay very close attention to the implications for these attacks. As Terry said, the warning sign for enterprises is blinking red. Companies need to take notice… fast.” 


Question: In this case, did the attackers find a new way into IoT devices? 

Terry Dunlap: “These attacks weren’t novel or particularly clever at all. Nor were they very sophisticated. Attackers took advantage of default usernames and passwords, which are very easy to guess. Sometimes, they used outdated firmware with well-known vulnerabilities. Elementary stuff.”

Peter Eacmen: “By all indications, if the targeted organizations had put minimal effort into securing their IoT devices, this attack would never have been possible. This is a case of winning more than half the battle by being aware of the potential threats.” 


Question: What enterprises are most at risk for IoT attackers? 

Terry Dunlap: “Any enterprise that does not have complete visibility into the many IoT devices plugged into their networks and that are public-facing is most at risk for an IoT attack.”

Peter Eacmen: “Any company that deploys IoT without regard for basic security practices is at high risk for an attack like the one Microsoft uncovered. Consider every unsecured IoT device to be an unlocked front door to your network.”


Question: Which kinds of IoT devices are most susceptible to attacks, in your experience?

Terry Dunlap: “In our work at ReFirm Labs, we find a lot of suspect stuff in surveillance cameras, WiFi routers and printers, especially in tech products coming from China.” 

Peter Eacmen: “Any device that is remotely accessible over the internet is a legitimate target for attackers. Remember, the goal is not to attack the IoT device itself, but to use it as a jumping-off point for malicious behavior. This can include DDoS attacks, malware distribution, spamming/phishing, and credit card theft.”


Question: If an enterprise takes just one or two measures today to defend from this kind of attack, what should they be? Moreover, how much would these steps cost?

Terry Dunlap: “Step one: Compile an inventory of IoT devices on your network. Step two: Upgrade the firmware on your IoT devices and change the default passwords. Both are inexpensive to do.”

Peter Eacmen: “I agree with Terry. Having a clear picture of IoT deployments in your network, and making sure all your IoT devices have been updated from the original factory install and default factory settings, are the two best immediate steps to take.”
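The two steps above (inventory first, then remediate default passwords and outdated firmware) only pay off if the inventory is actually checked against a policy. The following is an added example, not ReFirm Labs' tooling or anything from the interview: it triages a small constructed inventory, flags the two conditions the interviewees name, and ranks devices that are public-facing highest, matching the earlier point about exposed devices with “password” and “admin” still set. The device names, firmware versions and the “latest firmware” table are all constructed assumptions.

```python
"""Triage a constructed IoT inventory against two remediation rules:
default factory password still set, and firmware older than the latest
known release.  Public exposure raises the severity.  Example code;
every device and version below is made up for illustration."""
from dataclasses import dataclass, field

# Constructed sample inventory:
# (hostname, device type, firmware version, default password still set?, public-facing?)
SAMPLE_INVENTORY = [
    ("voip-lobby-01", "voip_phone", "2.1.3", True, True),
    ("print-fin-02", "printer", "4.0.0", False, False),
    ("cam-dock-07", "camera", "1.0.9", True, False),
    ("voip-ceo-01", "voip_phone", "2.2.0", False, True),
]

# Constructed "latest known firmware" per device type (an assumption; in
# practice this comes from the vendor's release notes or a tracked feed).
LATEST_FIRMWARE = {"voip_phone": "2.2.0", "printer": "4.1.2", "camera": "1.0.10"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def parse_version(version: str) -> tuple:
    """Split a dotted version into integers so 1.0.9 < 1.0.10 compares
    correctly; a plain string compare would get this wrong."""
    return tuple(int(part) for part in version.split("."))


def firmware_outdated(device_type: str, version: str) -> bool:
    """True when the device runs something older than the latest known build.
    Unknown device types are treated as needing review rather than skipped."""
    latest = LATEST_FIRMWARE.get(device_type)
    if latest is None:
        return True
    return parse_version(version) < parse_version(latest)


@dataclass
class Finding:
    host: str
    severity: str
    issues: list = field(default_factory=list)


def triage(inventory) -> list:
    """Return findings for every device that fails a rule, most severe first.
    Devices with no issues are omitted."""
    findings = []
    for host, dtype, fw, default_pw, public in inventory:
        issues = []
        if default_pw:
            issues.append("default factory password still set")
        if firmware_outdated(dtype, fw):
            issues.append(f"firmware {fw} older than {LATEST_FIRMWARE.get(dtype, 'unknown')}")
        if not issues:
            continue
        # Exposure plus default credentials is exactly the combination the
        # article describes, so it ranks highest.
        if public and default_pw:
            severity = "critical"
        elif public or default_pw:
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(host, severity, issues))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"[{finding.severity.upper():8}] {finding.host}: " + "; ".join(finding.issues))
```

Run as-is it reports the lobby phone first (public-facing, default password, old firmware), then the camera (default password, firmware 1.0.9 behind 1.0.10), then the finance printer (firmware only). The `parse_version` helper is the detail worth keeping: an inventory audit that compares version strings lexically will silently miss exactly the devices that are one patch release behind.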


ReFirm Labs IoT And Firmware Analysis Can Help

Peter and Terry both previously worked at the National Security Agency (NSA) as Global Network Vulnerability Analysts before co-founding ReFirm Labs, an industry-leading group focused on implementing programs to help corporations vet, validate, and continuously monitor the security of the firmware which runs billions of Internet of Things (IoT), consumer electronics, and connected enterprise machines used in offices all around the world.

The ReFirm Labs team is dedicated to keeping all aspects of enterprises secure, including IoT devices. Contact us today and learn how we can help you ensure there are no hidden vulnerabilities in your firmware and sensitive information. Contact us here!
