Moving forward in the hunt for IoT, it will be a competition among attackers to find IoT vulnerabilities, compromise those devices, and build the strongest thingbot—much like we see today with traditional IT infrastructure.

The thingbot discovery timeline shows the evolution of the hunt for IoT through the discovery of thingbots over the past decade, their protocol exploit methods, the devices they target, and the attacks they launch.

Our research shows that there are new threat actor networks and IP addresses continually joining the IoT hunt, and there are consistent top threat actors over time—perhaps using favored networks. Networks that allow attackers to do whatever they want with little to no involvement (bulletproof hosting providers) or have limited ability to detect and respond to abuse (residential IoT devices in telecom networks). What’s more interesting is the pattern created by the count of attacks by IP address and the count of IP addresses used inside networks. The pattern is too clean to be random. It appears calculated and automated. In the same way the networks being used are intentionally picked, the number of systems and IP addresses used within those networks (and the number of attacks they launch) are calculated to avoid detection, and it’s all automated with the same code. We haven’t pinpointed the threat actors, but we see their strategy in action.

Below is a summary of our key findings based on data collected from July through December 2017:

• Telnet brute force attacks against IoT devices rose 249% year over year (2016–2017).
• 44% of the attack traffic originated from China, and from IP addresses in Chinese networks that were top threat actor networks in prior reports. Behind China in total attack volume was the U.S., followed by Russia.
• We have consistently seen the same attacking IP addresses and networks over the span of our two-year research, proving that this abusive traffic is either not being detected, or it’s being allowed. Because of this, we have published the top 50 attacking IP addresses.
• The destinations of attack traffic span the globe, presumably without bias. Wherever vulnerable IoT infrastructure is deployed, attackers are finding it. The most attacked countries were the U.S., Singapore, Spain, and Hungary.
• Attackers have already begun to use other methods of finding and compromising IoT devices, which we will profile in future reports.
• Despite broad awareness of Mirai, it’s growing in size. From June to December 2017, it grew significantly in Latin America and moderately in Europe and Asia.
• Persirai has slightly declined in size over the last six months, most notably in India and Central Asia.

To see the full version of this report, click “Download” below.