Why Advanced Persistent Threats Are Targeting the Internet of Things

Originally published on January 09, 2018.


Despite an increased focus on cyber security in recent years, the number of data breaches continues to rise. As enterprises focus more (and spend more) on security, cyber criminals are stepping up their efforts. We especially see this in the realm of advanced persistent threats (APTs) directed at Internet of Things devices.

There is great incentive, both financial and otherwise, driving contemporary cyber criminals.
Ransomware packages are easily available on the Dark Web, and ransomware provides strong financial motivation for criminals. Nation-state threat actors have also entered the threat landscape, carrying out politically motivated attacks.

For these reasons, along with others, the number of malware strains is increasing, and the malware produced is becoming more advanced as companies step up their cyber defense efforts.

This trend is not likely to end anytime soon as there is too much incentive for the bad guys.

Vulnerabilities in Internet of Things

The Internet of Things (IoT) refers to the network of internet-enabled devices used by consumers and businesses alike. Everything, from a network-connected pacemaker to a Nest smoke detector to a self-driving Tesla, is an IoT device.

IoT devices are only increasing in popularity. Unfortunately, IoT cyberattacks are also growing in popularity. IoT attacks:

  • Are easy to start thanks to publicly available code, both on the Dark Web and in code repositories like GitHub
  • Have a high success rate
  • Are difficult to detect and remediate, enabling APTs
  • Enable an attacker to gain a foothold inside an organization's network
  • Enable an attacker to add more devices to their botnet (botnets can be used for DDoS attacks, spamming, etc.)

The number of vulnerabilities is growing overall, and attacks against Internet of Things devices are particularly on the rise.

Internet of Things Attack Surfaces

Attackers begin by looking for vulnerable IoT devices and trying to compromise them, and they can do this en masse. They can afford to fail against device after device, but an IoT device only has to succumb once to be compromised.

Making matters worse, IoT devices often have a number of vulnerabilities, both known and unknown. The number of IoT vulnerabilities is increasing, and users often fail to apply patches or install updates in a timely fashion, making it much easier for attackers to compromise devices.

Another area of concern is that IoT devices often come with default credentials that are never updated. This renders the issue of vulnerabilities and patching practically moot: If an attacker can just brute-force the credentials, or obtain them from a publicly available list, then the device might as well be already compromised.

Some Characteristics of IoT Advanced Persistent Threats


Evasion Techniques

Advanced persistent threats are often designed to evade detection via code obfuscation, virtual environment detection, and many other methods.


Concealment Techniques

Cybercriminals are getting better at hiding the malware infecting a system.

Many APTs, in addition to remaining on a system persistently, seek out other systems to infect.


Resource Efficiency

This is a factor that separates IoT APTs from the traditional APT on a regular computer. IoT APTs need less than 5% of the computing power of an average device in order to operate, and sometimes, the malware is smart enough to adjust itself after detecting the device's memory capacity.

The New IoT Cyber Kill Chain

The cyber kill chain is the series of steps carried out by threat actors. Each step can in theory be identified and blocked by cyber defenses. Lockheed Martin described the "Cyber Kill Chain" for APTs as:

[Figure: The New Internet of Things Cyber Kill Chain]

However, for IoT devices, there are additional steps in the kill chain that make IoT APTs all the more threatening. The new IoT kill chain looks like this:

IoT APTs do not merely aim to infect a single device or network; they proliferate to other devices and conceal themselves so that they can remain persistent.

IoT Defense Strategies

System upgrades are essential for patching vulnerabilities, but they are often either unfeasible or not carried out for other reasons. Once a patch is released, attackers may reverse-engineer it to build an exploit, leaving devices that have not been updated vulnerable. Additionally, vendors often cannot or will not keep up with patching all the vulnerabilities that are discovered in their products.

Quarantining is a possible solution when infections occur. However, because of real-world constraints, it may be impossible or impractical to quarantine devices. For instance, it may be difficult to quarantine a security camera that shows signs of being compromised but is essential for monitoring building security.

IoT APT: OPSWAT's Recommended Defense Strategies

To stop IoT APTs, blocking all threats hidden in data is necessary. Again, cybercriminals can easily afford to fail, but cyber defenses have to be successful at all times.

Detection-based defenses are vulnerable to malware concealment techniques. Advanced threats can even fool sandboxes by executing only at random times, or by checking whether they are running in a virtual environment before executing. Additionally, even the best anti-malware detection technology may not see a zero-day threat coming.

OPSWAT believes in combining detection-based strategies with advanced threat prevention. Our data sanitization (CDR) technology neutralizes threats in any documents or images entering a network by disarming and reconstructing the files with potentially malicious content removed. Any file can and should go through this process, whether or not a threat is detected.
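To make the disarm-and-reconstruct idea concrete, here is an added example (not OPSWAT's code, and far simpler than a production CDR engine): a PNG is parsed chunk by chunk, every chunk's CRC is verified, only the chunks a viewer needs to render the image are kept, and a fresh file is rebuilt from them. The constructed sample image carries a tEXt chunk, one of the ancillary chunks in which arbitrary bytes can ride along unnoticed; the sanitizer drops it whether or not anything flagged it as malicious.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunks a viewer needs to render the image; everything else is dropped.
# Constructed allow-list for the example: a real engine keeps a larger,
# carefully reviewed list (e.g. tRNS, gAMA) so rendering is not altered.
ALLOWED = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}

def _chunk(ctype, data):
    """Serialize one chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def parse_chunks(png):
    """Split a PNG into (type, data) pairs, rejecting truncation or bad CRCs."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos < len(png):
        if pos + 8 > len(png):
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        end = pos + 8 + length
        if end + 4 > len(png):
            raise ValueError("truncated chunk %r" % ctype)
        data = png[pos + 8:end]
        (crc,) = struct.unpack(">I", png[end:end + 4])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC on chunk %r" % ctype)
        chunks.append((ctype, data))
        pos = end + 4
        if ctype == b"IEND":
            break
    return chunks

def sanitize_png(png):
    """Rebuild the file from allow-listed chunks only (disarm and reconstruct)."""
    kept = [(t, d) for t, d in parse_chunks(png) if t in ALLOWED]
    types = [t for t, _ in kept]
    if not types or types[0] != b"IHDR" or types[-1] != b"IEND" or b"IDAT" not in types:
        raise ValueError("missing critical chunks")
    return PNG_SIG + b"".join(_chunk(t, d) for t, d in kept)

def chunk_types(png):
    return [t.decode() for t, _ in parse_chunks(png)]

# Constructed sample: a 1x1 8-bit grayscale PNG with an extra tEXt chunk.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
IDAT = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
SAMPLE = (PNG_SIG + _chunk(b"IHDR", IHDR) + _chunk(b"tEXt", b"Comment\x00<payload>")
          + _chunk(b"IDAT", IDAT) + _chunk(b"IEND", b""))
```

Because the output is regenerated from parsed fields rather than copied from the input, malformed lengths, bad CRCs, and trailing data after IEND never reach the reconstructed file.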


In addition to leveraging data sanitization (CDR), organizations that use IoT devices should follow security best practices as much as possible by updating devices regularly and resetting default login credentials. Finally, network-enabled devices should only be connected to the larger internet if it is absolutely necessary to do so.
