• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data

 | 

U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

 | 

Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

 | 

Scattered Spider targets VMware ESXi in using social engineering

 | 

China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

 | 

Allianz Life data breach exposed the data of most of its 1.4M customers

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

 | 

Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

 | 

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • APT
  • Breaking News
  • Cyber warfare
  • Hacking
  • Internet of Things
  • Russia-linked STRONTIUM APT targets IoT devices to hack corporate networks

Russia-linked STRONTIUM APT targets IoT devices to hack corporate networks

Pierluigi Paganini August 06, 2019

The STRONTIUM Russia-linked APT group is compromising common IoT devices to gain access to several corporate networks.

Researchers at Microsoft observed the Russia-linked APT group STRONTIUM abusing IoT devices to gain access to several corporate networks.

The STRONTIUM APT group (aka APT28, Fancy Bear, Pawn Storm, Sofacy Group, and Sednit) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

Now experts at Microsoft observed the group attempting to compromise popular IoT devices such as VOIP phones, office printers, and video decoders to access the network of target oganizations.

“In April, security researchers in the Microsoft Threat Intelligence Center discovered infrastructure of a known adversary communicating to several external devices.” reads the analysis published by Microsoft. “Further research uncovered attempts by the actor to compromise popular IoT devices (a VOIP phone, an office printer, and a video decoder) across multiple customer locations. The investigation uncovered that an actor had used these devices to gain initial access to corporate networks.”

IoT risk must be taken seriously. For a preview of the talk @edoerr is giving Thursday, see our guest blog from MSTIC, describing early-stage detection of attacks leveraging common IoT devices. https://t.co/2TIlz1TUly #MSFTatBlackHat

— Security Response (@msftsecresponse) August 5, 2019

In two attacks observed by Microsoft, attackers exploited default settings of the IoT devices (unchanged default password) in a third case the hacked device was not running an updated software.

Once the attackers have compromised an IoT device within the corporate network, they will use it as an entry point and will use it to attempt lateral movements.

“Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data.” continues Microsoft. “After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation.”

The STRONTIUM hackers used the tcpdump packet analyzer to sniff the network traffic on the local subnets in the attempt to gain access to other info to use in the attack. The attackers also dropped a simple shell script on the compromised IoT device in order to achieve persistence.

STRONTIUM IoT attacks

Experts pointed out that even if they were able to attribute the attack to the STRONTIUM cyberespionage group, they were unable to determine the end goal of these intrusions because they were detected within the early stages.

Microsoft confirmed that in the last year it has delivered nearly 1400 nation-state notifications to entities that have been targeted or compromised by STRONTIUM. 20% of the attacks hit non-governmental organizations, think tanks, or politically affiliated organizations around the world. 80% of the attacks targeted organizations in multiple sectors such as government, IT, military, defense, medicine, education, and engineering.

“While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives.” concludes Microsoft. “These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments.”

The Microsoft Threat Intelligence Center published a list of indicators of compromise (IOCs) related to the recent attacks against IoT devices.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Russia APT, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

APT28 Hacking hacking news information security news IoT Pierluigi Paganini Security Affairs Security News STRONTIUM

you might also like

Pierluigi Paganini July 29, 2025
Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data
Read more
Pierluigi Paganini July 28, 2025
U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data

    Hacking / July 29, 2025

    U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

    Security / July 28, 2025

    Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

    Security / July 28, 2025

    Scattered Spider targets VMware ESXi in using social engineering

    Cyber Crime / July 28, 2025

    China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

    Hacking / July 28, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT