Russian Cyberspies Hacked Building Across Street From Target for Wi-Fi Attack

Russian cyberspy group APT28 conducted what Volexity calls a Nearest Neighbor Attack: it hacked into an organization in the building across the street from its target and connected to the target's Wi-Fi network from there.


A Russian cyberespionage group was caught entering a targeted organization’s network through a Wi-Fi connection after hacking into the systems of an entity located across the street from the victim.

The attack, discovered in 2022, was investigated by cybersecurity firm Volexity, which refers to the victim as Organization A. It was discovered right before Russia’s invasion of Ukraine, and the hackers’ goal was apparently to obtain “data from individuals with expertise on and projects actively involving Ukraine”.

What makes the attack stand out is the use of what Volexity describes as a new technique, which the company has named the Nearest Neighbor Attack.

According to Volexity’s investigation, the attacker obtained credentials for an internet-facing service used by Organization A through password spraying, but could not use them because the service was protected by multi-factor authentication.

The attacker then came up with a plan to compromise the network of a different organization located in a building in close proximity to Organization A. After gaining access to this other entity, which Volexity calls Organization B, the hackers found a system connected to the network via a wired Ethernet connection.

That device, however, also had a Wi-Fi adapter, which the threat actor used to connect to Organization A’s Wi-Fi network across the street.

Volexity also found evidence that the attacker had compromised a third nearby organization, Organization C, from which it connected over Wi-Fi to both Organization B and Organization A.

To cover its tracks, the attacker removed files and folders using Cipher.exe, a native Microsoft utility. This was the first time Volexity had seen this utility abused in an attack.
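The two behaviours described above, a wired host whose Wi-Fi adapter is connected to a network the organization does not operate, and Cipher.exe launched to wipe free space, are both visible in ordinary endpoint telemetry. The following is an added detection example, not code from the article or from Volexity’s report; the telemetry format (a `host,adapter,state,ssid` inventory and `<host> <image> <arguments>` process-creation lines), the host names and the SSIDs are all constructed for the example. The `/w` switch of Cipher.exe is a real option that overwrites free disk space; the rest of the logic is the author’s assumption about what a defender would look for.

```python
"""Added detection example (not from the Volexity report or this article):
flag the two behaviours from the Nearest Neighbor Attack write-up in
constructed endpoint telemetry.

  1. A dual-homed host: a wired (Ethernet) adapter that is Up while the same
     host's Wi-Fi adapter is Connected, labelled by whether the SSID is one of
     the organization's own networks.
  2. Cipher.exe launched with the /w switch, which overwrites free disk space
     to make deleted data unrecoverable (the anti-forensic use described).
"""
from dataclasses import dataclass

# Constructed adapter inventory in a hypothetical "host,adapter,state,ssid"
# CSV form; host names and SSIDs are made up for this example.
ADAPTER_EVENTS = """
WS-014,Ethernet,Up,
WS-014,Wi-Fi,Connected,NEIGHBOR-CORP
WS-022,Ethernet,Up,
WS-022,Wi-Fi,Disconnected,
LT-031,Wi-Fi,Connected,GUEST-NET
"""

# Constructed process-creation lines: "<host> <image path> <arguments>".
PROCESS_EVENTS = r"""
WS-014 C:\Windows\System32\cipher.exe /w:C:\Users\Public\tmp
WS-022 C:\Windows\System32\cipher.exe /e C:\Users\alice\Documents
WS-014 C:\Windows\System32\cmd.exe /c dir
"""

# SSIDs the organization operates itself (constructed); a wired host joining
# anything else is the pivot pattern the article describes.
OWN_SSIDS = frozenset({"ORGA-CORP", "ORGA-GUEST"})


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _lines(text):
    """Yield non-empty, stripped lines from a telemetry blob."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield line


def find_dual_homed(adapter_text, own_ssids=frozenset()):
    """Return findings for hosts whose Wi-Fi is connected while Ethernet is up.

    Every such host is reported; the detail says whether the SSID is one of
    own_ssids ("internal") or something else ("foreign").
    """
    wired_up = set()
    wifi = {}  # host -> connected SSID
    for line in _lines(adapter_text):
        host, adapter, state, ssid = (f.strip() for f in line.split(",", 3))
        if adapter.lower() == "ethernet" and state.lower() == "up":
            wired_up.add(host)
        elif adapter.lower() == "wi-fi" and state.lower() == "connected":
            wifi[host] = ssid
    findings = []
    for host in sorted(wired_up & set(wifi)):
        ssid = wifi[host]
        origin = "internal" if ssid in own_ssids else "foreign"
        findings.append(Finding(host, "dual-homed-wifi", f"{origin} SSID {ssid}"))
    return findings


def find_cipher_wipes(process_text):
    """Return findings for cipher.exe invocations that carry the /w switch."""
    findings = []
    for line in _lines(process_text):
        host, _, cmdline = line.partition(" ")
        tokens = cmdline.split()
        if not tokens:
            continue
        # Compare on the image file name so the path prefix does not matter.
        image = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image == "cipher.exe" and any(t.lower().startswith("/w") for t in tokens[1:]):
            findings.append(Finding(host, "cipher-wipe", cmdline))
    return findings


if __name__ == "__main__":
    for f in find_dual_homed(ADAPTER_EVENTS, OWN_SSIDS) + find_cipher_wipes(PROCESS_EVENTS):
        print(f"{f.host}: {f.rule} ({f.detail})")
```

Run as a script, it reports WS-014 twice: once for joining the foreign SSID while wired, and once for the `cipher.exe /w` launch. In a real deployment the adapter inventory would come from an endpoint agent and the process lines from Sysmon or EDR process-creation events; the matching logic stays the same.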

The company initially had difficulty attributing the attack to a known threat actor, in large part because of the heavy use of living-off-the-land techniques, which make both detection and attribution harder.


However, a report published by Microsoft on a Russia-linked group named Forest Blizzard in April 2024 revealed significant overlaps in indicators of compromise.

Forest Blizzard is tracked by others as APT28, Sofacy, and Fancy Bear, and as GruesomeLarch by Volexity. 

“Volexity’s investigation reveals the lengths a creative, resourceful, and motivated threat actor is willing to go to in order to achieve their cyber-espionage objectives. The Nearest Neighbor Attack effectively amounts to a close access operation, but the risk of being physically identified or detained has been removed. This attack has all the benefits of being in close physical proximity to the target, while allowing the operator to be thousands of miles away,” Volexity explained. 

“Organizations need to place additional considerations on the risks that Wi-Fi networks may pose to their operational security,” it added. “A significant amount of effort over the last several years has been placed on attack surface reduction where Internet-facing services have been secured with MFA or removed altogether. However, the same level of care has not necessarily been given to Wi-Fi networks.”

Related: Russian Cyberespionage Group Hit 60 Victims in Asia, Europe

Related: Windows Zero-Day Exploited by Russia Triggered With File Drag-and-Drop, Delete Actions

Related: Microsoft Warns of Russian Spear-Phishing Attacks Targeting Over 100 Organizations

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
