MSRC issues alert about widespread Corporate IoT vulnerability

In an August 5th post titled “Corporate IoT: A Path to Intrusion,” Microsoft’s Security Response Center outlines a major and under-reported vulnerability in corporate networks: The IoT.

The short of it is that earlier this year MSRC stumbled upon suspicious activity they have since attributed to an entity referred to as STRONTIUM, but better known to the public as “Fancy Bear” or APT28 – a known Russian cyberhacking group. What MSRC discovered was that the group was exploiting IoT devices on the edges of targeted networks as points of ingress. Specifically, the devices that first drew their attention to the problem were a VOIP phone, a printer, and a video decoder.

The process by which the group managed to do this was simple enough:

“Once the actor had successfully established access to the network,” the post explains, “a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data. After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server.” 

But how did STRONTIUM hackers gain access to the IoT devices in the first place, I hear you ask? Simple: Two still operated behind their factory-default passwords, and the third was still running an old firmware version (with a known vulnerability).

Although MSRC doesn’t know exactly what STRONTIUM was after, the article points to a broad operation that extends far beyond those three devices. In the past year alone, Microsoft reports having delivered nearly 1400 nation-state notifications to targets of the group. 1 in 5 were NGOs, think tanks, and political organizations, but 4 in 5 were government (including military/defense), IT, healthcare, engineering, and education entities. Oddly enough, MSRC also reports having discovered attacks on “Olympic organizing committees, anti-doping agencies, and the hospitality industry.”

Furthermore,  ARS Technica reports that the problem may be much worse than has generally been reported by the mainstream press:

Last year, the FBI concluded the hacking group was behind the infection of more than 500,000 consumer-grade routers in 54 countries. Dubbed VPNFilter, the malware was a Swiss Army hacking knife of sorts. Advanced capabilities included the ability to monitor, log, or modify traffic passing between network end points and websites or industrial control systems using Modbus serial communications protocol. The FBI, with assistance from Cisco’s Talos security group, ultimately neutralized VPNFilter.”

This leads us to conclude that IT departments and device operators require more training and diligence to mitigate this growing vulnerability. MSRC kindly offers the following to-do list (pay particular attention to #4, and #8):

  1. Require approval and cataloging of any IoT devices running in your corporate environment.
  2. Develop a custom security policy for each IoT device.
  3. Avoid exposing IoT devices directly to the internet or create custom access controls to limit exposure.
  4. Use a separate network for IoT devices if feasible.
  5. Conduct routine configuration/patch audits against deployed IoT devices.
  6. Define policies for isolation of IoT devices, preservation of device data, ability to maintain logs of device traffic, and capture of device images for forensic investigation.
  7. Include IoT device configuration weaknesses or IoT-based intrusion scenarios as part of Red Team testing.
  8. Monitor IoT device activity for abnormal behavior (e.g. a printer browsing SharePoint sites…).
  9. Audit any identities and credentials that have authorized access to IoT devices, users and processes.
  10. Centralize asset/configuration/patch management if feasible.
  11. If your devices are deployed/managed by a 3rd party, include explicit Terms in your contracts detailing security practices to be followed and Audits that report security status and health of all managed devices.
  12. Where possible, define SLA Terms in IoT device vendor contracts that set a mutually acceptable window for investigative response and forensic analysis to any compromise involving their product.

Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.

Author Information

Olivier Blanchard

Olivier Blanchard is Research Director, Intelligent Devices. He covers edge semiconductors and intelligent AI-capable devices for Futurum. In addition to having co-authored several books about digital transformation and AI with Futurum Group CEO Daniel Newman, Blanchard brings considerable experience demystifying new and emerging technologies, advising clients on how best to future-proof their organizations, and helping maximize the positive impacts of technology disruption while mitigating their potentially negative effects. Follow his extended analysis on X and LinkedIn.

Related Insights
Kore.ai and Atos Bet on Sovereign Agentic AI, Will UK Enterprises Demand Proof, Not Promises?
July 8, 2026

Kore.ai and Atos Bet on Sovereign Agentic AI, Will UK Enterprises Demand Proof, Not Promises?

Kore.ai and Atos announce a strategic partnership to deliver Sovereign AI solutions to UK organizations, addressing data residency and compliance requirements in the rapidly expanding $181B AI platforms market....
ServiceNow and Accenture Bet on Migration to Win Enterprise Risk
July 7, 2026

ServiceNow and Accenture Bet on Migration to Win Enterprise Risk

Fernando Montenegro, VP at The Futurum Group, examines the ServiceNow and Accenture cybersecurity offering, and why its AI-powered migration and the Armis acquisition point to a bid to become the...
Will Apple’s New Siri AI Deliver on the Promise of Apple Intelligence?
July 7, 2026

Will Apple’s New Siri AI Deliver on the Promise of Apple Intelligence?

Olivier Blanchard, Research Director at The Futurum Group, examines how Siri AI transforms Apple Intelligence from a feature set into a systemwide layer for apps, workflows, and user experiences across...
Amazon’s Sleep Studio Finally Strengthens the Value of Amazon Kids+
July 7, 2026

Amazon’s Sleep Studio Finally Strengthens the Value of Amazon Kids+

Olivier Blanchard, Research Director at The Futurum Group, examines how Amazon Sleep Studio expands Amazon Kids+ with bedtime content, scheduling tools, parental controls, and Echo device integrations for families....
Can ASUS Bring Data-Center-Class AI Infrastructure to the Deskside
July 7, 2026

Can ASUS Bring Data-Center-Class AI Infrastructure to the Deskside?

Olivier Blanchard, Research Director at The Futurum Group, examines how ASUS is bringing data-center-class AI infrastructure to the deskside with the ExpertCenter Pro ET900N G3 and what its local AI...
HP Expands OpenAI Frontier Adoption Across the Enterprise
July 7, 2026

HP Expands OpenAI Frontier Adoption Across the Enterprise

Olivier Blanchard, Research Director at The Futurum Group, examines how HP's OpenAI Frontier partnership moves beyond AI pilots toward a governed enterprise AI operating model spanning customer experiences, software development,...

Book a Demo

Welcome

The vision behind everything in Futurum’s Custom Research practice is this: research should show you what is happening, what comes next, and what to do about it. It should be personal to each audience, easy for people to grasp, and structured so LLMs can reason over it accurately. And it should be fast and turnkey; you want answers now, not another project to carry for quarters.

Whether you are defining business, channel, or go-to-market strategy; evaluating vendors or justifying ROI; or commissioning research to fill an emerging market need, we have your back, with a program that answers your questions with the objectivity and credibility to drive real decisions.

To do it, we bring unmatched data to bear: Futurum research, surveys, and market projections; validated market feeds; ETR’s 15 years of insight from 10,000 technology decision-makers; G2’s buyer and user data; and what our analysts hear every day. Add leading primary collection, from AI-moderated voice interviews to surveys and analyst-led interviews, all turnkey, and every project comes out credible, nuanced, and actionable.

And we don’t just drop the results in your lap. For internal work, we provide analyst-led sessions, interactive dashboards, and a range of formats. For market-facing work, Futurum delivers turnkey activation and amplification that actually gets seen, by people and by LLMs, through our media and share of voice. This is research that moves decisions and markets.

We will meet you wherever you are, from a fast-turn brief to a multi-year program, and shape the work to your goals, timeline, and budget. The right program for your moment.

If any of this is useful, I would love to talk.

Benjamin Brown, VP Custom Research, Futurum Research

Benjamin Brown

VP, Custom Research · The Futurum Group

Newsletter Sign-up Form

Get important insights straight to your inbox, receive first looks at eBooks, exclusive event invitations, custom content, and more. We promise not to spam you or sell your name to anyone. You can always unsubscribe at any time.

All fields are required






Thank you, we received your request, a member of our team will be in contact with you.