
Aposemat Polonium In My IoT (PIMI) Project

The goal of this research project is to investigate the relationship between the big cyber crime players and the Internet of Things (IoT) in the modern world. We approach that relationship from three separate but related angles.

The first angle starts from the IoT devices that are attacked every day in our IoT honeypot lab and tries to establish who is attacking them. The lab contains devices found in ordinary homes, such as routers, Alexa and IoT cameras. Here we use a range of methods, including pivoting and manual IP research with tools such as VirusTotal, PassiveTotal, Shodan, Machinae and Reputation Authority, with varying results. So far, one of the most productive outputs of this work is the Attacker IP Prioritization Program (AIPP), a Python program we developed that produces a ranked list of attacking IPs based on a number of traits gathered about each IP.
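To make the idea of trait-based IP prioritization concrete, the following is an added example and not AIPP's own code: it parses a few constructed honeypot log lines (the format, the IPs and the event names are assumptions for this example, not captured lab data), collects per-IP traits such as breadth across devices, days active, successful logins and payload downloads, and ranks the IPs by a weighted score. The weights are illustrative; the point is that a single successful login or payload fetch should outrank any amount of failed noise.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed honeypot log lines for this example (not real lab captures).
# Format assumed here: "<timestamp> <src_ip> <honeypot_device> <event> [<detail>]"
SAMPLE_LOG = """\
2019-06-01T10:00:01 203.0.113.5 router telnet_login_fail
2019-06-01T10:00:02 203.0.113.5 router telnet_login_fail
2019-06-01T10:00:09 203.0.113.5 router telnet_login_ok
2019-06-01T10:00:11 203.0.113.5 router download http://203.0.113.77/bin.sh
2019-06-01T10:05:00 203.0.113.5 camera telnet_login_fail
2019-06-01T11:00:00 198.51.100.9 camera http_scan
2019-06-01T11:00:01 198.51.100.9 router http_scan
2019-06-01T11:00:02 198.51.100.9 speaker http_scan
2019-06-01T12:00:00 192.0.2.44 router telnet_login_fail
2019-06-02T09:00:00 203.0.113.5 router telnet_login_fail
"""

# Assumed weights: a successful login or a payload fetch says far more about
# an attacker than raw connection volume, so those traits dominate the score.
WEIGHTS = {
    "downloads": 15.0,  # fetched a payload after getting in
    "logins_ok": 10.0,  # got past the device's credentials
    "devices": 3.0,     # distinct honeypot devices touched (breadth)
    "days": 2.0,        # distinct days active (persistence)
    "events": 0.5,      # raw event count (volume)
}


@dataclass
class IpTraits:
    """Traits gathered about one attacking IP from the honeypot log."""
    events: int = 0
    devices: set = field(default_factory=set)
    days: set = field(default_factory=set)
    logins_ok: int = 0
    downloads: int = 0

    def score(self, weights=WEIGHTS):
        return (weights["downloads"] * self.downloads
                + weights["logins_ok"] * self.logins_ok
                + weights["devices"] * len(self.devices)
                + weights["days"] * len(self.days)
                + weights["events"] * self.events)


def collect_traits(log_text):
    """Parse the log and aggregate one IpTraits record per source IP."""
    traits = defaultdict(IpTraits)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of crashing on them
        ts, src_ip, device, event = parts[:4]
        t = traits[src_ip]
        t.events += 1
        t.devices.add(device)
        t.days.add(ts[:10])  # YYYY-MM-DD prefix of the ISO timestamp
        if event == "telnet_login_ok":
            t.logins_ok += 1
        elif event == "download":
            t.downloads += 1
    return dict(traits)


def prioritize(log_text, weights=WEIGHTS):
    """Return [(ip, score), ...] sorted from most to least interesting."""
    traits = collect_traits(log_text)
    ranked = sorted(traits.items(),
                    key=lambda kv: (-kv[1].score(weights), kv[0]))
    return [(ip, t.score(weights)) for ip, t in ranked]


if __name__ == "__main__":
    for ip, score in prioritize(SAMPLE_LOG):
        print(f"{score:6.1f}  {ip}")
```

With the constructed input, 203.0.113.5 ranks first because it logged in and fetched a payload, 198.51.100.9 second because it swept three devices, and 192.0.2.44 last with a single failed login. Replacing the weights or adding traits (ASN, passive DNS history, reputation feed hits) is where the manual research tools named above feed back into the ranking.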

The second angle is to research known hacking groups and botnets and try to connect them to the attacks on our devices and on others'. This research aims to discover whether there are indications of traditional Windows botnets migrating to IoT, and what interest large hacking groups have in IoT. Is it simply to make money by selling access to infected devices, or do they have other ends, such as targeting specific social groups? Are they connected to state-sponsored programs, such as the Fancy Bear (APT28) group? We also want to understand what methods they use to get whatever it is they want. Are they trying to implement more complex attacks that use machine learning and AI, or are they resorting to the simplistic but effective methods used by botnet variants like Mirai, which spreads by trying default credentials over Telnet?

Another output of this research will be updates on the current state of already known botnets. Are they still active? Are infected IPs still communicating with their command and control (C&C) servers? What are the IPs of the active C&C servers? What kinds of devices connect to them, and how often? These are the questions we will do our best to answer.

All of our research related to this project will be posted in a series of blog posts on this page.

Stay tuned for more information.