Microsoft has attributed the attacks to a group it calls Strontium, otherwise known as Fancy Bear and APT28. If you'll recall, Fancy Bear is believed to be a group of state-sponsored Russian hackers involved in the 2016 DNC hack, various infiltration attempts against US officials and attempts to disrupt the EU elections earlier this year. Because Microsoft identified the attacks in their early stages, the group's ultimate objectives remain unclear. What is clear is that the IoT devices served as the entry points for the intruders, giving them a foothold from which to look for a way deeper into the network.
The company explained:
"After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server."
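The behaviours Microsoft describes in that passage (a packet sniffer launched on the device, enumeration of administrative groups, a dropped shell script for persistence, and traffic to an external command-and-control server) all show up in ordinary host and network telemetry, which is what a defender would hunt for. The following Python script is an added example, not code from the article or from Microsoft's report: it runs those four checks over a few constructed process-execution and flow records from an IoT VLAN and correlates them per host. The record format, hostnames, internal address ranges and the vendor allowlist are all assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample telemetry for this example (not data from the report):
# one process-execution event or one flow record per line, collected from
# hosts on an IoT VLAN.  The "kind key=value ..." syntax is assumed.
SAMPLE_TELEMETRY = """
proc host=printer-01 user=root cmd="tcpdump -i eth0 -w /tmp/.cap"
proc host=voip-03 user=admin cmd="getent group sudo wheel"
proc host=printer-01 user=root cmd="sh -c 'echo /tmp/.x >> /etc/rc.local'"
proc host=voip-03 user=root cmd="ntpd -g"
flow host=printer-01 dst=10.0.5.20 dport=443 bytes=3000
flow host=printer-01 dst=198.51.100.7 dport=8443 bytes=51200
flow host=voip-03 dst=203.0.113.9 dport=443 bytes=120
flow host=voip-03 dst=10.0.9.8 dport=123 bytes=96
"""

# Internal address space for this assumed environment: RFC 1918 plus loopback.
# Defined explicitly rather than via ip.is_private, because Python also treats
# the documentation ranges used in the sample (198.51.100.0/24 etc.) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# External hosts an IoT device may legitimately reach (hypothetical vendor
# update server).  In practice this comes from your asset inventory.
ALLOWED_EXTERNAL = {"203.0.113.9"}

# Each rule maps to one behaviour quoted in the report.
PROC_RULES = [
    ("sniffer_launched",
     re.compile(r"\b(tcpdump|tshark|dumpcap)\b")),
    ("admin_group_enum",
     re.compile(r"(getent\s+group|cat\s+/etc/group|net\s+(local)?group)")),
    ("persistence_script_write",
     re.compile(r"(/etc/rc\.local|/etc/init\.d/|/etc/cron|crontab\s+-|/etc/systemd/system/)")),
]

_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one 'kind key=value ...' record into a dict; None for blank lines."""
    line = line.strip()
    if not line:
        return None
    kind, _, rest = line.partition(" ")
    rec = {"kind": kind}
    for m in _KV.finditer(rest):
        rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return rec


def is_external(ip_str):
    """True when the address lies outside the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def analyze(telemetry):
    """Return (host, rule, evidence) findings for every matching record."""
    findings = []
    for line in telemetry.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "proc":
            cmd = rec.get("cmd", "")
            for name, pattern in PROC_RULES:
                if pattern.search(cmd):
                    findings.append((rec["host"], name, cmd))
        elif rec["kind"] == "flow":
            dst = rec["dst"]
            # An IoT device talking to an unexpected external host is the
            # "external C2" signal; internal and allowlisted traffic is ignored.
            if is_external(dst) and dst not in ALLOWED_EXTERNAL:
                evidence = f"{dst}:{rec['dport']} bytes={rec['bytes']}"
                findings.append((rec["host"], "external_c2_candidate", evidence))
    return findings


def hosts_with_full_chain(findings):
    """Hosts that show sniffing, a persistence write AND external beaconing."""
    required = {"sniffer_launched", "persistence_script_write", "external_c2_candidate"}
    seen = {}
    for host, rule, _ in findings:
        seen.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in seen.items() if required <= rules)


if __name__ == "__main__":
    for host, rule, evidence in analyze(SAMPLE_TELEMETRY):
        print(f"{host:12} {rule:26} {evidence}")
    print("pivot candidates:", hosts_with_full_chain(analyze(SAMPLE_TELEMETRY)))
```

Any single rule will fire on benign activity now and then (an administrator really may run tcpdump on a gateway), which is why the last function correlates per host: a printer that launches a sniffer, writes to rc.local and then beacons to an unknown external address in one window is the pattern Microsoft describes, not an IoT device misbehaving on its own.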
Microsoft said it has already delivered "1,400 nation-state notifications" to those targeted by Strontium over the past year. Most of those attacks targeted organizations in the government, IT, military, defense, medical, education and engineering sectors. One in five, however, targeted non-governmental organizations, think tanks and politically affiliated groups around the world.
The tech giant is now encouraging organizations to protect their networks by securing their IoT devices. It's also worth noting that Microsoft supports the FIDO Alliance's goal to establish a password-less security standard for the IoT industry.