- Russia’s APT28 cyber-espionage group linked to ‘Nearest Neighbor Attack’
- Victim’s Wi-Fi network was protected, but its neighbor’s wasn’t
- Timing aligns with Russia’s invasion of Ukraine in 2022
Russian cyber-espionage group APT28, also known as Fancy Bear, was able to breach an American company’s network by leveraging a ‘Nearest Neighbor Attack’ exploiting nearby Wi-Fi networks.
First identified by cybersecurity firm Volexity in February 2022, the attack raises new concerns about vulnerabilities in corporate Wi-Fi system.
In this case, APT28, tracked by Volexity as ‘GruesomeLarch,’ targeted a US organization engaged in Ukrainian-related projects, hence the nation-state’s interest in the firm.
‘nearest neighbour attacks’
The attack on the unnamed US company – a customer of Volexity’s whose identity has been protected – started with password-spraying to acquire credentials for the victim’s enterprise Wi-Fi network. The firm’s multi-factor authentication protected its public-facing systems however the hackers then turned to a nearby organization to force entry.
Volexity explained: “The threat actor was halfway around the world and could not actually connect to [the victim’s] Enterprise Wi-Fi network. To overcome this hurdle, the threat actor worked to compromise other organizations who were in buildings within close proximity to [the victim’s] office. Their strategy was to breach another organization.”
APT28 exploited a device that was connected to both wired and wireless networks – it acted as a bridge to the target’s enterprise Wi-Fi, enabling lateral movement and data exfiltration.
Furthermore, the attackers used native Windows tools like Cipher.exe to erase evidence, making it hard to detect and trace the attack. They also exploited a zero-day vulnerability in the Windows Print Spooler service to escalate privileges within the victim’s network.
Given that the attack took place weeks before Russia’s invasion of Ukraine, its geopolitical significance aligns with its choice of target company.
Volexity is now advising all companies to monitor suspicious activity, create separate networking environments for Wi-Fi and Ethernet networks, and apply authentication and certificate-based solutions.