IoT Devices as Weapons of Modern Warfare: Intelligence Gathering and Cyber Attack Vectors
How everyday connected devices become unwitting soldiers in state-sponsored cyber operations—and what you can do to protect yourself
Bottom Line Up Front: Internet of Things (IoT) devices have become critical intelligence gathering tools and attack vectors in modern warfare, with nation-states like Iran using hijacked security cameras to improve missile targeting and China operating massive botnets of compromised consumer devices for espionage and DDoS attacks. Understanding the complete attack lifecycle and implementing proper security measures can protect individuals from becoming unwitting participants in state-sponsored cyber operations.
The New Battlefield: IoT Devices in Modern Warfare
The proliferation of connected devices has fundamentally transformed the landscape of modern warfare. Iran is hijacking home security cameras to obtain knowledge of Israel's movements, and People's Republic of China (PRC)-linked cyber actors have compromised thousands of Internet-connected devices, including small office/home office (SOHO) routers, firewalls, network-attached storage (NAS) and Internet of Things (IoT) devices, with the goal of creating a network of compromised nodes (a "botnet") positioned for malicious activity.
Iran's Camera Surveillance Campaign
Recent developments in the ongoing Israel-Iran conflict have highlighted how IoT devices serve as real-time intelligence gathering tools. "We know that in the past two or three days, the Iranians have been trying to connect to cameras to understand what happened and where their missiles hit to improve their precision," Refael Franco, the former deputy director general of the Israel National Cyber Directorate, said on Monday.
The operation targets security cameras whose web interfaces are reachable from the Internet, using the live feeds to assess missile impact damage and refine future targeting. Against a camera exposed this way that still uses its factory password, an attacker needs only the right IP address and a browser to watch homes and even large companies. Finding those IPs is easy because IoT search engines constantly probe the Internet and index every exposed service.
China's Massive IoT Botnet Operations
China has taken a different but equally concerning approach, building enormous botnets from compromised consumer devices. One such botnet, tagged with the moniker Raptor Train, is packed with hundreds of thousands of small office/home office (SOHO) and Internet of Things (IoT) devices, and has targeted entities in the U.S. and Taiwan across critical sectors, including the military, government, higher education, telecommunications, and the defense industrial base (DIB).
The botnet has regularly maintained between tens and hundreds of thousands of compromised devices. As of June 2024, it consisted of over 260,000 devices. These operations are run through state-linked entities: Integrity Technology Group, a PRC-based company, has controlled and managed a botnet active since mid-2021.
The Complete IoT Attack Lifecycle
Understanding how adversaries weaponize IoT devices requires examining the complete cyber kill chain adapted for IoT environments:
Stage 1: Reconnaissance
In the reconnaissance stage, attackers identify vulnerable IoT devices using specialized search engines that continuously scan the internet for exposed services, or by running their own mass scans of the handful of ports (Telnet, HTTP, RTSP) that consumer devices expose. IoT devices, particularly items like security cameras, smart thermostats, wearables, and even coffee makers, are easy targets for kill chain intruders because they often have little or no security built in and are rarely watched by their owners.
Stage 2: Weaponization
Raptor Train uses the Mirai family of malware, designed to hijack IoT devices such as webcams, DVRs, IP cameras, and routers running Linux-based operating systems. Mirai has become the weapon of choice because its source code was posted publicly on the Internet in 2016, and other hackers have since built their own botnets on top of it.
Stage 3: Delivery and Initial Access
Most IoT compromises exploit weak default credentials. Many IoT devices ship with a default password, sometimes as simple as 1-2-3-4, that users rarely change. To recruit a new "bot," the botnet first compromises an Internet-connected device, either by logging in over Telnet or the web interface with a list of factory credentials or by using one of a variety of known vulnerability exploits.
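The credential-guessing loop in Stage 3 is exactly what a defender should run against their own devices first. The following is an added example, not code from the article or from any vendor: a default-credential audit of a device inventory. It assumes (not stated on the page) that the devices expose an HTTP admin page behind HTTP Basic auth; the credential list is a short constructed sample, not a vendor's real defaults or the Mirai list, and the probe function is injectable so the logic can be exercised offline against a fake device.

```python
"""
Default-credential audit for devices you own: an added example, not code from the
article or from any vendor. Assumptions not taken from the page: the devices expose an
HTTP admin page behind HTTP Basic auth, and the credential list below is a short
constructed sample (real factory defaults are vendor-specific). The probe is injectable
so the audit logic can be exercised offline against a fake device.
"""
import base64
import urllib.error
import urllib.request

# Constructed sample of factory defaults (assumption); extend with your vendors' defaults.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "1234"),
    ("admin", "password"),
    ("root", "root"),
    ("user", "user"),
]

def http_basic_probe(url, user, password, timeout=3.0):
    """Return True if the device answers 200 OK to user:password via HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False          # 401/403: the guess was rejected
    except (urllib.error.URLError, OSError):
        return False          # unreachable or timed out: treat as not accepted

def audit_devices(devices, creds=DEFAULT_CREDENTIALS, probe=http_basic_probe):
    """Map device name -> "no-auth", the first accepted (user, password), or None."""
    findings = {}
    for name, url in devices:
        # A page that accepts a made-up credential has no authentication at all,
        # which is worse than a default password and must not be reported as "ok".
        if probe(url, "nobody", "not-a-default-x7q2"):
            findings[name] = "no-auth"
            continue
        findings[name] = None
        for user, password in creds:
            if probe(url, user, password):
                findings[name] = (user, password)
                break     # one accepted default is enough to act on
    return findings

# Offline simulation (constructed, RFC 5737 test addresses): .10 accepts admin:1234,
# .11 rejects everything, .12 has no authentication on its admin page.
FAKE_ACCEPTS = {"http://192.0.2.10/": ("admin", "1234")}
FAKE_NO_AUTH = {"http://192.0.2.12/"}

def fake_probe(url, user, password):
    return url in FAKE_NO_AUTH or FAKE_ACCEPTS.get(url) == (user, password)

if __name__ == "__main__":
    inventory = [("front-door-cam", "http://192.0.2.10/"),
                 ("thermostat", "http://192.0.2.11/"),
                 ("garage-cam", "http://192.0.2.12/")]
    for dev, hit in audit_devices(inventory, probe=fake_probe).items():
        print(f"{dev}: {hit if hit else 'ok'}")
```

Run it with the real `http_basic_probe` only against devices you own; a hit means the device is one scanner away from joining a botnet and its password must change now. The "no-auth" case matters because a device that accepts anything would otherwise be reported as passing on the very first guess.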
Stage 4: Installation and Persistence
Once access is gained, attackers install the bot implant. In Raptor Train's case the malware connected thousands of infected devices into a botnet, controlled by Integrity Technology Group, which was used to conduct malicious cyber activity disguised as routine internet traffic from the infected consumer devices. Mirai-family implants usually run only in memory, so a reboot removes them, but an unpatched device with an exposed service is typically rescanned and reinfected soon after it comes back online; the botnet's persistence comes from the pool of vulnerable devices rather than from the implant itself.
Stage 5: Command and Control (C2)
Sophisticated control infrastructure enables large-scale operations. The botnet's infrastructure is managed through a series of distributed payload and command and control (C2) servers, a centralised Node.js backend, and a cross-platform Electron application front-end called "Sparrow".
Stage 6: Actions on Objectives
The final stage varies by campaign goals:
Intelligence Gathering: Real-time surveillance of military and civilian targets
DDoS Operations: Overwhelming target networks with traffic
Proxy Networks: Hiding the true source of attacks
Lateral Movement: Using compromised devices as stepping stones to high-value networks
Why IoT Devices Are Attractive Targets
IoT devices present unique vulnerabilities that make them ideal for state-sponsored operations:
Limited Security Architecture: IoT devices are built around one narrow function on a cheap, often unmaintained, embedded Linux build. They rarely have the hardening, automatic update mechanisms, or endpoint protection that laptops and smartphones get, and many ship with management services listening on every interface.
User Awareness Gap: While just about everyone knows their phone or laptop can be vulnerable to viruses and other malware, some users may be unaware that their IoT devices can also get hacked.
Silent Compromise: A compromised IoT device will typically keep functioning normally for the user. Besides bandwidth or power-usage issues, there aren't many clear signs that your IoT device has been hacked.
Essential Protection Measures for Average Users
Immediate Security Actions
Change Default Credentials: One of the first and most critical steps is to change the default credentials to something unique and secure. Use a combination of letters, numbers, and symbols, and avoid using the same password for multiple devices.
Enable Two-Factor Authentication: Two-factor authentication significantly improves the security of IoT devices by requiring a second factor, such as a one-time code or biometric input, in addition to the password. Be aware that consumer devices often offer this only on the vendor's cloud account, not on the device's local web interface, which is the one an Internet scanner finds; that interface still depends on a strong password and on not being exposed at all.
Regular Firmware Updates: Manufacturers regularly release firmware updates to patch security vulnerabilities in IoT devices. Many users overlook this essential maintenance, leaving devices susceptible to known exploits.
Network-Level Protections
Network Segmentation: Put IoT devices on their own network (a guest network or a separate VLAN) so that a compromised camera cannot reach your laptops, NAS, or work machines. Configure your router to create a separate network for your IoT devices and to block traffic from that network into the main one; most devices only need to reach the Internet and the app on your phone, not each other. This limits what an attacker can get to if one device is compromised.
Router Security: Disable unused services and ports such as automatic configuration, remote access or file sharing protocols. Routers and IoT devices may provide features such as Universal Plug and Play (UPnP), remote management options and file sharing services, which threat actors may abuse to gain initial access. UPnP deserves particular attention: it lets any device on your LAN ask the router to open an inbound port, which is how a camera with a factory password ends up reachable from the Internet without anyone deliberately configuring port forwarding. Disable it on the router, and disable WAN-side remote management unless you genuinely need it.
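A quick way to confirm UPnP is actually off after changing the router setting is to ask the LAN the way a device would. The following is an added example, not code from the article or from any router vendor: it sends a standard SSDP M-SEARCH and parses the replies, flagging any device that advertises the WANIPConnection/WANPPPConnection service (the one that opens inbound ports). The reply format follows the UPnP/SSDP specification; the sample reply embedded for offline testing is constructed, and its SERVER string and UUID are placeholders.

```python
"""
UPnP exposure check via SSDP discovery: an added example, not code from the article.
`ssdp_discover` sends a real M-SEARCH on the local network; `parse_ssdp_response`
handles the reply format and is exercised on a constructed reply so the parsing and
classification logic run offline.
"""
import socket

SSDP_ADDR = ("239.255.255.250", 1900)   # SSDP multicast group and port
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n\r\n"
)

def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an SSDP 'HTTP/1.1 200 OK' reply into {lower-cased header: value}.
    Returns {} for NOTIFY messages or anything that is not a 200 response."""
    text = raw.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def risky(headers: dict) -> bool:
    """True if the responder advertises the service that lets LAN clients open
    inbound ports on the router; that is the UPnP feature to turn off."""
    ids = headers.get("st", "") + " " + headers.get("usn", "")
    return "WANIPConnection" in ids or "WANPPPConnection" in ids

def ssdp_discover(timeout: float = 3.0):
    """Multicast an M-SEARCH and collect (sender_ip, headers) for every 200 reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(M_SEARCH.encode(), SSDP_ADDR)
        while True:                    # keep reading until the socket times out
            data, (ip, _port) = sock.recvfrom(65535)
            hdrs = parse_ssdp_response(data)
            if hdrs:
                found.append((ip, hdrs))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found

# Constructed reply in the shape a router with UPnP port mapping enabled sends back;
# the SERVER string and UUID are placeholders, not captured from a real device.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.50.1:1900/rootDesc.xml\r\n"
    b"SERVER: Linux/3.x UPnP/1.1 ExampleIGD/1.0\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for ip, hdrs in ssdp_discover():
        flag = "PORT-MAPPING CAPABLE" if risky(hdrs) else "announce only"
        print(f"{ip}: {hdrs.get('server', '?')} st={hdrs.get('st', '?')} [{flag}]")
```

Run it from a machine on the same LAN segment as the router. Silence is the desired result; a reply from the router carrying WANIPConnection means UPnP port mapping is still enabled regardless of what the admin page says. Other devices answering (media players, printers) are only announcing themselves and are not the concern here.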
Monitor Network Traffic: Watch for unusual traffic from IoT devices. Since DDoS attacks originating from botnets may at first appear similar to normal traffic, it is critical to define what normal looks like for each device, monitor against that baseline and prepare for deviations from it. On a home or small office network the useful signals are simple: a camera or DVR that suddenly talks to dozens of different Internet hosts, opens hundreds of connections to one destination, or uploads far more than it ever did before is almost certainly not doing what its owner intended.
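The three signals above map directly to the kill chain stages earlier on the page (a bot scanning for new victims, a bot taking part in a flood, a bot proxying or exfiltrating). The following is an added example, not code from the article: a small detector that runs those checks over per-flow records. The one-line "key=value" record format and the thresholds are assumptions; adapt the regex to whatever your router or firewall exports and tune the thresholds to each device's own baseline. The sample records are constructed.

```python
"""
Flow-based detection of botnet behaviour on a home or small-office network: an added
example, not code from the article. The input format (one "key=value" flow record
per line) and the thresholds are assumptions; adapt the regex to whatever your
router or firewall exports (NetFlow/IPFIX, conntrack, firewall logs) and tune the
thresholds to each device's baseline. The sample records are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

FLOW_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)"
)

# Ports a Mirai-style scanner hunts on; deliberately not 80/443, which ordinary
# devices use legitimately towards many hosts (assumption, extend per environment).
SCAN_PORTS = {23, 2323}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int

def parse_flows(lines):
    """Parse flow records; malformed lines are skipped rather than crashing the detector."""
    flows = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            flows.append(Flow(m["src"], m["dst"], int(m["dport"]), m["proto"], int(m["bytes"])))
    return flows

def detect(flows, scan_min_targets=20, flood_min_flows=100, volume_max_bytes=200_000_000):
    """Return {src_ip: [alert, ...]} for hosts behaving like scanners, flooders or exfil."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    alerts = {}
    for src, fl in by_src.items():
        found = []
        # Stage 1 seen from the inside: one host probing many others on IoT ports.
        scan_targets = {f.dst for f in fl if f.dport in SCAN_PORTS}
        if len(scan_targets) >= scan_min_targets:
            found.append(f"scan: {len(scan_targets)} distinct hosts on ports {sorted(SCAN_PORTS)}")
        # DDoS participation: many flows from one host to a single destination.
        per_target = defaultdict(int)
        for f in fl:
            per_target[(f.dst, f.dport)] += 1
        for (dst, dport), n in per_target.items():
            if n >= flood_min_flows:
                found.append(f"flood: {n} flows to {dst}:{dport}")
        # Exfiltration or proxying: outbound volume far above the device's baseline.
        total = sum(f.nbytes for f in fl)
        if total > volume_max_bytes:
            found.append(f"volume: {total} bytes outbound")
        if found:
            alerts[src] = found
    return alerts

def constructed_sample():
    """Constructed records: a healthy thermostat, a camera scanning Telnet, a DVR flooding."""
    lines = [f"src=192.168.50.11 dst=198.51.100.7 dport=443 proto=tcp bytes={2000 + i}" for i in range(5)]
    lines += [f"src=192.168.50.12 dst=203.0.113.{i + 1} dport=23 proto=tcp bytes=60" for i in range(40)]
    lines += ["src=192.168.50.30 dst=203.0.113.200 dport=80 proto=tcp bytes=500"] * 150
    lines.append("a malformed line the parser must skip")
    return lines

if __name__ == "__main__":
    for host, hits in detect(parse_flows(constructed_sample())).items():
        print(host, "->", "; ".join(hits))
```

Keep the scan check restricted to ports that a consumer device has no business reaching on dozens of hosts; widening it to 80 or 443 will flag every phone on the network. The flood and volume thresholds need a per-device baseline: a camera that legitimately streams to one cloud endpoint will look like a "flooder" under a naive global threshold, so record what each device does in its first week and alert on multiples of that.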
Advanced Security Measures
Disable Unnecessary Features: IoT devices often come with unwanted features that could pose security risks. For example, if you don't use smart TV voice commands, consider disabling the microphone feature.
Regular Device Audits: Start with a network discovery process of all the existing IoT devices, including managed and partially managed devices. Understand what each type of device is, what operating system it is running on and which application and processes are installed on it.
Professional Security Solutions: You can enhance your home security at the router level with services that manage, monitor and protect devices from exploitation. NETGEAR Orbi and Nighthawk routers, secured by NETGEAR Armor powered by Bitdefender, proactively block known-malicious traffic and keep your network functioning. Such services catch known bad destinations and signatures; they do not replace changing default passwords or segmenting the network.
The Broader Implications
The weaponization of IoT devices represents a fundamental shift in modern warfare where civilian infrastructure becomes part of the battlefield. In North America alone, the number of IoT connections is predicted to hit 5.4 billion in 2025, making this an increasingly critical security challenge.
Government agencies have taken notice: Ukraine banned surveillance cameras in 2022 amid a warning that Russia was using them to plan airstrikes, and in the US the Federal Communications Commission banned Chinese-made surveillance equipment in 2022 over national security concerns.
The transformation of everyday IoT devices into instruments of warfare and espionage represents one of the most significant security challenges of our time. From Iran's real-time missile targeting assessments using hijacked cameras to China's massive botnets targeting critical infrastructure, these operations demonstrate how civilian devices have become strategic assets in modern conflicts.
Key Takeaways for Users:
Change all default passwords immediately and enable two-factor authentication
Keep firmware updated and create separate networks for IoT devices
Monitor network traffic for unusual activity
Disable unnecessary features and regularly audit connected devices
Consider professional security solutions for comprehensive protection
The responsibility for securing IoT devices extends beyond individual users to manufacturers, service providers, and governments. However, by implementing these essential security measures, average users can significantly reduce the risk of their devices being conscripted into nation-state cyber operations and help protect the broader digital infrastructure we all depend on.
Stay Cyber Safe