Proving the Business Case for the Internet of Things

Microsoft blames Strontium for attacks on IoT devices

Steve Rogerson
August 13, 2019
Microsoft has accused the Russian-based Strontium group of being behind nearly 1400 attacks on IoT devices in the past year.
Over the last twelve months, Microsoft has delivered nearly 1400 nation-state notifications to those who have been targeted or compromised by Strontium. One in five notifications of Strontium activity were tied to attacks against non-governmental organisations, think tanks or politically affiliated organisations around the world. The remaining 80% of Strontium attacks have largely targeted organisations in government, IT, military, defence, medicine, education and engineering.
Microsoft said in a blog post that it has also observed and notified Strontium attacks against Olympic organising committees, anti-doping agencies and the hospitality industry. The VPN Filter malware has also been attributed to Strontium by the FBI.
“We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as Strontium,” said the blog post. “Since we identified these attacks in the early stages, we have not been able to conclusively determine what Strontium’s ultimate objectives were in these intrusions.”
Microsoft said it was sharing this information to raise awareness of these risks across the industry and calling for better enterprise integration of IoT devices, particularly the ability to monitor IoT device telemetry within enterprise networks.
“Today, the number of deployed IoT devices outnumber the population of personal computers and mobile phones, combined,” said the blog post. “With each networked IoT device having its own separate network stack, it’s quite easy to see the need for better enterprise management, especially in today’s bring-your-own-device world.
“While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives. These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments.”
Microsoft says it has shared this information with the manufacturers of the specific devices involved and they have used this event to explore new protections in their products.
“However, there is a need for broader focus across IoT in general, both from security teams at organisations that need to be more aware of these types of threats, as well as from IoT device makers who need to provide better enterprise support and monitoring capabilities to make it easier for security teams to defend their networks,” said the blog post.
Microsoft recommends the following actions to secure and manage risks associated with IoT devices:

  • Require approval and cataloguing of any IoT devices running in the corporate environment.
  • Develop a custom security policy for each IoT device.
  • Avoid exposing IoT devices directly to the internet or create custom access controls to limit exposure.
  • Use a separate network for IoT devices if feasible.
  • Conduct routine configuration and patch audits against deployed IoT devices.
  • Define policies for isolation of IoT devices, preservation of device data, ability to maintain logs of device traffic and capture of device images for forensic investigation.
  • Include IoT device configuration weaknesses or IoT-based intrusion scenarios as part of Red Team testing.
  • Monitor IoT device activity for abnormal behaviour, such as, say, a printer browsing SharePoint sites.
  • Audit any identities and credentials that have authorised access to IoT devices, users and processes.
  • Centralise asset, configuration and patch management if feasible.
  • If devices are deployed or managed by a third party, include explicit terms in contracts detailing security practices to be followed and audits that report security status and health of all managed devices.
  • Where possible, define SLA terms in IoT device vendor contracts that set a mutually acceptable window for investigative response and forensic analysis to any compromise involving their products.