Why Advanced Persistent Threats Are Targeting the Internet of Things


Despite an increased focus on cyber security in recent years, the number of data breaches continues to rise. As enterprises focus (and spend) more on security, cyber criminals are stepping up their efforts. We see this especially in advanced persistent threats (APTs) directed at Internet of Things devices.

There is great incentive, both financial and otherwise, driving contemporary cyber criminals. Ransomware packages are easily available on the Dark Web, and ransomware provides strong financial motivation for criminals. Nation-state threat actors have also entered the threat landscape, carrying out politically motivated attacks.

For these and other reasons, the number of malware strains is increasing overall, and the malware produced is becoming more advanced as companies step up their cyber defense efforts.

This trend is not likely to end anytime soon – there is too much incentive for the bad guys.

Meanwhile, the Internet of Things Is Growing

The Internet of Things (IoT) refers to the network of internet-enabled devices used by consumers and businesses alike. Everything from a network-connected pacemaker to a Nest smoke detector to a self-driving Tesla is an IoT device.

IoT devices are only increasing in popularity. Unfortunately, IoT cyber attacks are growing just as fast. IoT attacks:

  • Are easy to launch, because attack code is publicly available both on the Dark Web and in code repositories such as GitHub
  • Have a high success rate
  • Are difficult to detect and remediate, which is exactly what an APT needs to stay resident
  • Can give an attacker a foothold inside an organization's network
  • Can add more devices to the attacker's botnet (botnets are used for DDoS attacks, spamming, etc.)

The number of vulnerabilities is growing overall, and Internet of Things vulnerabilities in particular are on the rise.

Internet of Things Attack Surfaces

Attackers begin by scanning for vulnerable IoT devices and trying to compromise them, and they do this en masse. An attacker can afford to fail against thousands of devices, but a device only has to succumb once to be compromised.

Making matters worse, IoT devices often have a number of vulnerabilities, both known and unknown. The number of IoT vulnerabilities is increasing, and users often fail to apply patches or install updates in a timely fashion, making it that much easier for attackers to compromise devices.

Another area of concern is that IoT devices often ship with default credentials that are never changed. This renders the issue of vulnerabilities and patching practically moot: if an attacker can simply brute-force the credentials, or look them up in a publicly available list of vendor defaults, then the device might as well already be compromised.
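The credential-guessing described above leaves a clear trace on the device itself: a burst of failed logins from one source, followed by a success. The following detection logic, added here as an illustration and not code from the original article or from OPSWAT, runs over a few constructed syslog lines in the style of the dropbear SSH server found on many embedded Linux devices (the message text is approximated, and the year, which syslog does not record, is assumed to be 2024). It flags a source once `threshold` failures land inside `window`, and upgrades the alert when a successful login follows within that same window, which is the case that matters most.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: syslog lines as an embedded Linux device running the dropbear
# SSH server writes them (message text approximated for this example; no year logged).
SAMPLE_LOG = """\
Jan 14 03:12:01 cam-lobby dropbear[412]: Child connection from 198.51.100.23:50112
Jan 14 03:12:02 cam-lobby dropbear[412]: Bad password attempt for 'root' from 198.51.100.23:50112
Jan 14 03:12:03 cam-lobby dropbear[413]: Bad password attempt for 'admin' from 198.51.100.23:50113
Jan 14 03:12:04 cam-lobby dropbear[414]: Bad password attempt for 'root' from 198.51.100.23:50114
Jan 14 03:12:05 cam-lobby dropbear[415]: Bad password attempt for 'support' from 198.51.100.23:50115
Jan 14 03:12:06 cam-lobby dropbear[416]: Bad password attempt for 'root' from 198.51.100.23:50116
Jan 14 03:12:07 cam-lobby dropbear[417]: Password auth succeeded for 'root' from 198.51.100.23:50117
Jan 14 03:40:11 cam-lobby dropbear[520]: Bad password attempt for 'root' from 10.0.8.4:40001
Jan 14 09:15:30 cam-lobby dropbear[611]: Password auth succeeded for 'root' from 10.0.8.4:40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dropbear\[\d+\]: "
    r"(?P<event>Bad password attempt|Password auth succeeded) for '(?P<user>[^']+)' "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+$"
)


def parse_auth_events(log_text, year=2024):
    """Return (timestamp, source_ip, username, succeeded) for each auth line, oldest first.

    Lines that are not password-auth events (connection notices, etc.) are skipped.
    The year is an assumption because the syslog timestamp does not carry one.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["event"] == "Password auth succeeded"))
    return sorted(events, key=lambda e: e[0])


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Alert per source IP.

    'brute_force'          : at least `threshold` failures from one source inside `window`
    'brute_force_success'  : the same, and a successful login followed within the window
    """
    alerts = {}
    recent_failures = defaultdict(list)  # src -> failure timestamps still inside the window
    for ts, src, user, succeeded in parse_auth_events(log_text):
        recent = [t for t in recent_failures[src] if ts - t <= window]
        if succeeded:
            if len(recent) >= threshold:
                alerts[src] = {"verdict": "brute_force_success", "user": user,
                               "failures": len(recent), "at": ts}
        else:
            recent.append(ts)
            if len(recent) >= threshold and src not in alerts:
                alerts[src] = {"verdict": "brute_force", "user": None,
                               "failures": len(recent), "at": ts}
        recent_failures[src] = recent
    return alerts


if __name__ == "__main__":
    for src, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {alert['verdict']} ({alert['failures']} failures, user={alert['user']}) at {alert['at']}")
```

On the sample, 198.51.100.23 is reported as `brute_force_success` for `root` after five failures, while 10.0.8.4 (one failure, then a success hours later) is not reported at all. The successful-login case is the one worth paging on: it means the device is now running with an attacker on it, and changing the default credentials is what prevents it.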

Some Characteristics of IoT Advanced Persistent Threats

Evasion techniques

Advanced persistent threats are often designed to evade detection via code obfuscation, virtual environment detection, and many other methods.

Concealment techniques

Cyber criminals are getting better all the time at hiding the malware infecting a system.

Propagation techniques

Many APTs, in addition to remaining on a system persistently, seek out other systems to infect.

Resource efficiency

This is a factor that separates IoT APTs from the traditional APT on a regular computer. IoT malware is written to run within a small fraction of the device's resources (less than 5% of the computing power of an average device), and some samples detect the device's memory capacity and adjust their footprint accordingly so that they do not disturb the device's normal operation.

The New IoT Cyber Kill Chain

The cyber kill chain is the series of steps carried out by threat actors. Each step can in theory be identified and blocked by cyber defenses. Lockheed Martin's original "Cyber Kill Chain" for APTs has seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives:

Figure: Old Cyber Kill Chain

However, for IoT devices, there are additional steps in the kill chain that make IoT APTs all the more threatening. The new IoT kill chain looks like this:

Figure: New Internet of Things Cyber Kill Chain

IoT APTs do not merely want to infect a single device or network; they want to proliferate to other devices and conceal themselves so that they can remain persistent.

IoT Defense Strategies

System upgrades are essential for patching vulnerabilities, but they are often either unfeasible or not carried out for other reasons. Once a patch is released, attackers can diff it against the previous firmware and reverse-engineer an exploit from the fix, so every device that has not been updated becomes a target. Additionally, vendors often cannot or will not keep up with patching all the vulnerabilities that are discovered in their products.

Quarantining is a possible solution when infections occur. But again, because of real-world constraints, it may be impossible or impractical to quarantine devices. For instance, it may be difficult to quarantine a security camera that shows signs of being compromised but is essential for monitoring building security.

IoT APT: OPSWAT's Recommended Defense Strategies

To stop IoT APTs, blocking all threats hidden in data (not just most threats, but all threats) is necessary. Again, cyber criminals can easily afford to fail, but cyber defenses have to be successful at all times.

Detection-based defenses are vulnerable to malware concealment techniques. Advanced threats can even fool sandboxes by delaying or randomizing execution, or by checking whether they are running in a virtual environment before detonating. Additionally, even the best anti-malware detection technology may not see a zero-day threat coming.
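The virtual-environment check mentioned in the evasion section and again here is usually nothing more exotic than reading a few strings the hypervisor leaves behind. The heuristic below is an added example, not code from the article or from OPSWAT, and shows the check from both sides: what a sample looks at, and why a sandbox that only spoofs the DMI vendor string still gets caught. The list of hypervisor markers is a constructed selection of well-known ones, the sample inputs are constructed, and `probe_local_host` reads the real `/sys/class/dmi/id` and `/proc/cpuinfo` paths on Linux and treats them as empty where they do not exist, which is common on IoT boards.

```python
import re

# Strings that common hypervisors leave in SMBIOS/DMI fields and in the CPU model
# name. Constructed list of well-known markers for this example, not an exhaustive one.
VM_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "kvm", "xen", "bochs",
              "parallels", "hyper-v", "virtual machine", "openstack")


def looks_virtualized(sys_vendor, product_name, cpu_flags, cpu_model_name=""):
    """Return the reasons a sandbox check would fire; an empty list means 'looks like hardware'."""
    reasons = []
    # CPUID leaf 1, ECX bit 31 is reserved for hypervisors and surfaces as the 'hypervisor'
    # flag in /proc/cpuinfo. Rewriting DMI strings does not clear it, so it is the check
    # a sandbox most often forgets to hide.
    if "hypervisor" in cpu_flags.split():
        reasons.append("cpuinfo flags: hypervisor bit set")
    for field, value in (("sys_vendor", sys_vendor), ("product_name", product_name),
                         ("cpu model name", cpu_model_name)):
        lowered = value.lower()
        marker = next((m for m in VM_MARKERS if m in lowered), None)
        if marker:
            reasons.append(f"{field}: {value.strip()!r} contains {marker!r}")
    return reasons


def _read(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""  # many IoT boards expose no DMI at all; treat missing files as empty


def probe_local_host():
    """Run the same heuristic against the machine this script is executing on (Linux paths)."""
    cpuinfo = _read("/proc/cpuinfo")
    flags = re.search(r"^flags\s*:\s*(.*)$", cpuinfo, re.M)
    model = re.search(r"^model name\s*:\s*(.*)$", cpuinfo, re.M)
    return looks_virtualized(_read("/sys/class/dmi/id/sys_vendor"),
                             _read("/sys/class/dmi/id/product_name"),
                             flags.group(1) if flags else "",
                             model.group(1) if model else "")


# Constructed inputs: a stock QEMU/KVM analysis VM, a physical desktop, and a sandbox
# that rewrote its DMI strings to look like that desktop but left the CPUID bit alone.
SAMPLES = {
    "stock qemu sandbox": ("QEMU", "Standard PC (Q35 + ICH9, 2009)",
                           "fpu vme de pse sse2 hypervisor", "QEMU Virtual CPU version 2.5+"),
    "physical desktop": ("Dell Inc.", "OptiPlex 7050", "fpu vme de pse sse2", ""),
    "dmi-spoofed sandbox": ("Dell Inc.", "OptiPlex 7050", "fpu vme de pse sse2 hypervisor", ""),
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        print(f"{name}: {looks_virtualized(*args) or 'no indicators'}")
    print(f"this host: {probe_local_host() or 'no indicators'}")
```

The stock VM trips three indicators, the desktop none, and the spoofed sandbox still trips one. The practical consequence for a detonation sandbox is that hiding from this kind of check means presenting a consistent hardware story everywhere the sample can look, including CPUID; otherwise the sample simply declines to run and the sandbox reports it clean.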

OPSWAT believes in combining detection-based strategies with advanced threat prevention. Our data sanitization (CDR) technology neutralizes threats in any documents or images entering a network by disarming and reconstructing the files with potentially malicious content removed. Any file can and should go through this process, whether or not a threat is detected.

In addition to leveraging data sanitization (CDR), organizations that use IoT devices should follow security best practices as far as possible: update devices regularly and change default login credentials. Finally, network-enabled devices should be exposed to the wider internet only when it is absolutely necessary, and otherwise be allowed to talk only to the internal systems they actually need.
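The last point, together with the quarantine problem from the defense-strategies section, can be handled with a plain allow-list at the IoT segment's gateway: a camera that may only reach the NVR, the local resolver and one update host cannot beacon out or scan its neighbours, and any flow outside the list is itself the alert, so the device can stay on the wall while it is investigated. The script below is an added example and not code from the article or from OPSWAT; the addresses, the four-rule policy and the flow records are all constructed, and `to_nftables` renders the same policy as an nftables ruleset for a Linux gateway.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    dst: ipaddress.IPv4Network
    proto: str
    dport: Optional[int]  # None means any destination port


# Hypothetical site layout (all addresses constructed): cameras live in an IoT VLAN and
# may talk only to the NVR, the local resolver/NTP server and one vendor update host.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
SITE_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
POLICY = [
    Rule("camera-to-nvr-rtsp", ipaddress.ip_network("10.10.0.5/32"), "tcp", 554),
    Rule("dns-to-local-resolver", ipaddress.ip_network("10.10.0.2/32"), "udp", 53),
    Rule("ntp-to-local", ipaddress.ip_network("10.10.0.2/32"), "udp", 123),
    Rule("vendor-firmware-updates", ipaddress.ip_network("203.0.113.10/32"), "tcp", 443),
]

# Constructed flow records as a NetFlow/conntrack export might give them: (src, dst, proto, dport, bytes)
FLOWS = [
    ("10.20.0.11", "10.10.0.5", "tcp", 554, 48_000_000),  # lobby camera streaming to the NVR
    ("10.20.0.11", "10.10.0.2", "udp", 53, 120),
    ("10.20.0.11", "203.0.113.10", "tcp", 443, 9_000),
    ("10.20.0.11", "198.51.100.77", "tcp", 6667, 1_400),  # beacon to an outside host
    ("10.20.0.11", "10.20.0.12", "tcp", 23, 90),          # telnet to the neighbouring cameras
    ("10.20.0.11", "10.20.0.13", "tcp", 23, 90),
    ("10.20.0.12", "10.10.0.5", "tcp", 554, 30_000_000),
]


def _permitted(dst, proto, dport, policy):
    return any(dst in r.dst and proto == r.proto and (r.dport is None or dport == r.dport)
               for r in policy)


def classify_destination(dst):
    if dst in IOT_SEGMENT:
        return "lateral"    # device-to-device inside the IoT VLAN: scanning/worm behaviour
    if any(dst in n for n in SITE_RFC1918):
        return "internal"   # elsewhere on the corporate network: a foothold attempt
    return "internet"       # anything else: beacon, C2, DDoS traffic, spoofed update server


def find_violations(flows, policy=POLICY):
    """Every IoT-originated flow the allow-list does not cover, tagged with what it looks like."""
    violations = []
    for src, dst, proto, dport, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in IOT_SEGMENT or _permitted(d, proto, dport, policy):
            continue
        violations.append({"src": src, "dst": dst, "proto": proto, "dport": dport,
                           "kind": classify_destination(d), "bytes": nbytes})
    return violations


def suspect_devices(violations):
    return {v["src"] for v in violations}


def to_nftables(policy=POLICY):
    """Render the allow-list as an nftables forward-chain ruleset for the IoT VLAN's gateway."""
    lines = ["table ip iot_egress {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             f'    ip saddr != {IOT_SEGMENT} accept comment "not IoT-originated, leave to other tables"',
             "    ct state established,related accept"]
    for r in policy:
        match = f"{r.proto} dport {r.dport}" if r.dport is not None else f"ip protocol {r.proto}"
        lines.append(f'    ip saddr {IOT_SEGMENT} ip daddr {r.dst.network_address} {match} '
                     f'accept comment "{r.name}"')
    lines += ['    log prefix "iot-egress-drop: " drop', "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_violations(FLOWS)
    for v in found:
        print(f"{v['src']} -> {v['dst']}:{v['dport']}/{v['proto']}  [{v['kind']}]")
    print("suspect devices:", sorted(suspect_devices(found)))
    print(to_nftables())
```

Run against the sample flows, the lobby camera at 10.20.0.11 is reported three times (one `internet` beacon and two `lateral` telnet attempts) while its neighbour 10.20.0.12 is clean, which is exactly the "infect, then seek out other devices" pattern the IoT kill chain describes. Deployed, the rendered ruleset drops those flows and logs them, so the compromised camera keeps streaming to the NVR and still cannot reach anything else.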