The Russian hacking group also known by aliases such as Pawn Storm, Sofacy Group, APT28, and Sednit, with the name "Fancy Bear" which was derived from a coding system used to identify them by the security researcher, Dmitri Alperovitch, are back in the news.

While Microsoft have long engaged in a silent war against the group, as they had mostly targeted Windows with their malware, and have chosen domain names heavily related to Microsoft products, which gave Microsoft a ground to carry out several lawsuit against them for reserving domain names that violate its trademarks.

The hacking group is believed to have links to Russia’s GRU military intelligence, which was responsible for IoT-based attack on some unnamed Microsoft product customers, with hundreds of thousands of business networking and storage devices have been compromised and loaded with so-called “VPN Filter” malware.

Microsoft Threat Intelligence Center researchers also discovered infrastructure communicating to several external servers, with attempts by the hackers to compromise popular IoT devices (including VOIP phone, office printer, and video decoder) across different locations.

According to the researchers, after gaining access to IoT devices, the hackers ran tcpdump to sniff network traffic on local subnets, and by enumerating administrative groups attempt, furthered the exploitation. The hackers were able to drop a simple shell script which enabled them to establish persistence on the network allowing extended access for exploitation.

The analysis of network traffic showed that the actors used stealthy means to gain initial access to corporate networks, albeit lack of full awareness by enterprises of the devices running on their networks could be blamed for the vulnerabilities.

Microsoft, however have shared the information with the manufacturers of the specific devices involved and have continued to explore new protections for their own products.

Microsoft traces the exploitation of IoT devices to the Russian hacking group, STRONTIUM



The Russian hacking group also known by aliases such as Pawn Storm, Sofacy Group, APT28, and Sednit, with the name "Fancy Bear" which was derived from a coding system used to identify them by the security researcher, Dmitri Alperovitch, are back in the news.

While Microsoft have long engaged in a silent war against the group, as they had mostly targeted Windows with their malware, and have chosen domain names heavily related to Microsoft products, which gave Microsoft a ground to carry out several lawsuit against them for reserving domain names that violate its trademarks.

The hacking group is believed to have links to Russia’s GRU military intelligence, which was responsible for IoT-based attack on some unnamed Microsoft product customers, with hundreds of thousands of business networking and storage devices have been compromised and loaded with so-called “VPN Filter” malware.

Microsoft Threat Intelligence Center researchers also discovered infrastructure communicating to several external servers, with attempts by the hackers to compromise popular IoT devices (including VOIP phone, office printer, and video decoder) across different locations.

According to the researchers, after gaining access to IoT devices, the hackers ran tcpdump to sniff network traffic on local subnets, and by enumerating administrative groups attempt, furthered the exploitation. The hackers were able to drop a simple shell script which enabled them to establish persistence on the network allowing extended access for exploitation.

The analysis of network traffic showed that the actors used stealthy means to gain initial access to corporate networks, albeit lack of full awareness by enterprises of the devices running on their networks could be blamed for the vulnerabilities.

Microsoft, however have shared the information with the manufacturers of the specific devices involved and have continued to explore new protections for their own products.

No comments