Russian hackers exploit WiFi using nearest-neighbor attack
Farah Amod Dec 4, 2024 3:25:02 AM
Russian hackers used a ‘nearest-neighbor attack’ through WiFi to breach a US company, trying to infiltrate Ukraine-related projects.
What happened
APT28, a Russian-backed hacker group also known as Fancy Bear, breached a U.S. company’s enterprise WiFi network using a novel tactic called a nearest-neighbor attack. The hackers, part of Russia's military intelligence agency, gained access by first compromising a nearby organization within WiFi range and pivoting to their target.
The breach was discovered on February 4, 2022, by cybersecurity company Volexity, which detected suspicious activity on a server belonging to a customer working on Ukraine-related projects in Washington, D.C.
Going deeper
APT28 used password-spraying attacks to steal credentials from public-facing services. Although multi-factor authentication (MFA) blocked remote access, the hackers exploited a weakness: MFA wasn’t required for direct WiFi connections.
To bridge the distance, they targeted nearby organizations and used dual-homed devices, connected to both wired and wireless networks, as a gateway to the target’s WiFi. They chained connections through multiple organizations until they found a device within range of the victim’s conference room.
Using remote desktop tools and Windows utilities, they escalated privileges and stole sensitive data. Reports indicate they also exploited a Windows Print Spooler zero-day (CVE-2022-38028) for deeper access, showing how proximity attacks can now be done remotely.
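One way a defender could hunt for the gap described above, shown as an added example that is not from Volexity or the original article: correlate password-spray activity against public-facing services with later WiFi logins by the same accounts from unfamiliar devices. The log fields, result names such as `mfa_blocked`, and all sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not incident data); field layout is an assumption.
# Public-facing service auth: (time, source IP, account, result)
SERVICE_AUTH = [
    ("2022-01-10T02:00:01", "203.0.113.7", "alice", "bad_password"),
    ("2022-01-10T02:00:03", "203.0.113.7", "bob", "bad_password"),
    ("2022-01-10T02:00:05", "203.0.113.7", "carol", "mfa_blocked"),
    ("2022-01-10T02:00:07", "203.0.113.7", "dave", "bad_password"),
    ("2022-01-10T09:15:00", "198.51.100.4", "bob", "success"),
]
# Enterprise WiFi (802.1X) auth: (time, account, client MAC, result)
WIFI_AUTH = [
    ("2022-01-09T08:30:00", "carol", "aa:aa:aa:00:00:01", "accept"),
    ("2022-01-11T23:40:00", "carol", "cc:cc:cc:00:00:09", "accept"),
    ("2022-01-11T08:31:00", "bob", "bb:bb:bb:00:00:02", "accept"),
]

def spray_sources(events, min_accounts=4, window=timedelta(minutes=10)):
    """Source IPs that tried at least min_accounts distinct accounts in one window."""
    by_src = defaultdict(list)
    for ts, src, acct, _ in events:
        by_src[src].append((datetime.fromisoformat(ts), acct))
    flagged = set()
    for src, tries in by_src.items():
        tries.sort()
        for start, _ in tries:
            seen = {a for t, a in tries if start <= t <= start + window}
            if len(seen) >= min_accounts:
                flagged.add(src)
                break
    return flagged

def wifi_logins_after_exposure(service_events, wifi_events):
    """WiFi accepts from a new device for accounts whose password a sprayer guessed."""
    sprayers = spray_sources(service_events)
    exposed = {}  # account -> first time MFA alone stopped a spray login
    for ts, src, acct, result in service_events:
        if src in sprayers and result == "mfa_blocked":
            t = datetime.fromisoformat(ts)
            exposed[acct] = min(t, exposed.get(acct, t))
    known, findings = defaultdict(set), []
    for ts, acct, mac, _ in sorted(e for e in wifi_events if e[3] == "accept"):
        if (acct in exposed and mac not in known[acct]
                and datetime.fromisoformat(ts) > exposed[acct]):
            findings.append((acct, mac, ts))
        known[acct].add(mac)
    return findings
```

A hit means a credential that MFA protected on the remote service was later accepted on WiFi, where the article notes MFA was not required.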
What was said
According to Volexity, “GruesomeLarch [APT28] was actively targeting Organization A to collect data from individuals with expertise on and projects actively involving Ukraine.” Microsoft’s report also revealed that the attackers escalated privileges and delivered critical payloads by exploiting vulnerabilities within the victim’s network.
The big picture
As companies step up security for internet-connected devices, it’s just as important to focus on WiFi networks. Treating WiFi access like any other remote access point and putting solid protections in place can help prevent attacks. This breach is a reminder to tackle hidden weak spots in enterprise systems, especially in situations with geopolitical risks.
FAQs
What is a nearest-neighbor attack?
A nearest-neighbor attack is a tactic where hackers target an organization whose WiFi network is within range of another's, using the first as a stepping stone to breach the second. This often involves compromising devices that are connected to both networks.
What is MFA, and how did it fail here?
Multi-factor authentication (MFA) adds a layer of security by requiring additional verification beyond a password. In this case, MFA blocked remote access but wasn’t required for direct WiFi connections, allowing the hackers to bypass it.
What is a zero-day vulnerability?
A zero-day vulnerability is a software flaw that hackers exploit before it’s patched by the vendor. APT28 used a Windows Print Spooler zero-day (CVE-2022-38028) to escalate access and steal sensitive data during the attack.