APT28 Intrusion - Corporate IoT (Aug 5, 2019)
In April 2019, Microsoft Threat Intelligence Center researchers discovered infrastructure of the Russian cyber espionage Advanced Persistent Threat (APT) group APT28 communicating with several external devices. The target was not named in this instance; however, APT28 attacks have largely targeted governmental organizations, as well as companies focused on defense, education, engineering, IT, medicine, and military. Researchers uncovered attempts by the group to compromise popular Internet of Things (IoT) devices (a voice over IP phone, an office printer, and a video decoder) across multiple locations. The actor used these devices to gain initial access to corporate networks. In two of the cases, the devices had been deployed without changing the manufacturer's default passwords, and in the third instance, the latest security update had not been applied to the device. Once the actor had successfully established access to the network, a simple network scan for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network- and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of phishing and how to identify such attempts.