Fancy Bear is back to its old tricks of exploiting IoT and doing network recon
In a new intelligence report on threats was released this week by Microsoft, which claims to have detected resumed activity, in the form of Internet of Things (IoT) device compromise, from Russian hacking group Fancy Bear.
The group, alternatively known by its STRONTIU or APT28 designations and thought to be an arm of Russian state intelligence, was found to have taken control of networked appliances such as printers as a way of pivoting deeper into the network. Once inside, the attackers would then find vulnerable, secluded portions of it to establish persistence and, finally, phone home to command and control servers. According to Microsoft’s findings, the attackers primarily targeted critical government or civic infrastructure including political, defense, medical, and engineering networks.
It is not clear whether the organizations whose networks were breached were the ultimate intended targets, or simply cover for hiding resources for later use. If the attribution to Fancy Bear is accurate, these reported intrusions would constitute the latest in a long string of attack from the group that depends heavily on IoT compromise.
Fancy Bear is most famous for infiltrating the network of the Democratic National Committee in 2016, but their oeuvre is otherwise largely based on breaking into routers and other small network appliances. In 2017, the group turned its attention to hotel networks, which they seized control of by exploiting network equipment. The group followed that up with the VPNFilter attack last year, which also took over routers.
This recent pattern from Fancy Bear brings an evolving picture of the Russian state-sponsored hackers into sharper resolution. Whereas the group formerly appeared content to break into specific kinds of networks simply to monitor them, Fancy Bear’s attack on hotel Wi-Fi positioned them to spy on guests of those hotels. The IoT compromise that Microsoft detailed fits a new pattern of conducting reconnaissance on networks they breach and following up with corresponding next steps.
The fact that Fancy Bear’s predisposition toward IoT has not changed should come as no surprise, as the perennially weak security of this class of devices provides ample attack surface. It is for this reason that some of the biggest DDoS attacks to date have been executed by enormous global botnets of IoT devices, such as the Mirai botnet.