A Russian cyberespionage group was caught entering a targeted organization’s network through a Wi-Fi connection after hacking into the systems of an entity located across the street from the victim.
The attack, discovered in 2022, was investigated by cybersecurity firm Volexity, which identified the victim as Organization A. The attack was discovered right before Russia’s invasion of Ukraine and the hackers’ goal was apparently to obtain “data from individuals with expertise on and projects actively involving Ukraine”.
What makes the attack stand out is the use of what Volexity described as a new technique which the company has named Nearest Neighbor Attack.
According to Volexity’s investigation, the attacker managed to obtain credentials to an internet-facing service used by Organization A through password spraying, but the credentials could not be used due to multi-factor authentication.
The attacker then came up with a plan to compromise the network of a different organization, located in a building in close proximity to Organization A. After gaining access to this other entity, named Organization B by Volexity, the hackers found a system connected to the network via a wired Ethernet connection.
However, that device also had a Wi-Fi adapter, which the threat actor used to connect to the Wi-Fi network of Organization A across the street.
Volexity also found evidence that the attacker had compromised a third nearby organization, Organization C, from which they connected over Wi-Fi to both Organization B and Organization A.
The attacker deleted files and folders to cover its tracks, using the native Microsoft utility Cipher.exe to do so. This was the first time Volexity had seen this utility abused in an attack.
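As an added illustration (not code from Volexity's or this article's reporting), the Python below runs two defender-side checks over constructed endpoint telemetry matching the behaviours described above: a wired host whose Wi-Fi adapter is also active, which is what let the attacker bridge from Organization B into Organization A, and cipher.exe launched with the /w free-space overwrite switch. The /w switch is a real Cipher.exe option, but the article does not say which options the attacker used; host names, users, paths and event fields are all constructed.

```python
"""Two detections for the article's tradecraft: dual-homed (wired + Wi-Fi)
hosts and anti-forensic use of cipher.exe /w. Sample events are constructed
and mimic Sysmon process-creation records plus a simple adapter inventory."""
import re

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"host": "WS-17", "event": "process", "image": r"C:\Windows\System32\cipher.exe",
     "cmdline": "cipher.exe /w:C:\\Users\\Public", "user": "CORP\\svc-backup"},
    {"host": "WS-17", "event": "process", "image": r"C:\Windows\System32\cipher.exe",
     "cmdline": "cipher.exe /e D:\\finance", "user": "CORP\\alice"},  # benign EFS use
    {"host": "WS-17", "event": "adapter", "name": "Ethernet", "type": "wired", "state": "up"},
    {"host": "WS-17", "event": "adapter", "name": "Wi-Fi", "type": "wireless", "state": "up"},
    {"host": "WS-22", "event": "adapter", "name": "Ethernet", "type": "wired", "state": "up"},
    {"host": "WS-22", "event": "adapter", "name": "Wi-Fi", "type": "wireless", "state": "down"},
]

# /w:<dir> overwrites free space on the volume; match it as a standalone switch.
WIPE_SWITCH = re.compile(r"(^|\s)/w:", re.IGNORECASE)


def find_cipher_wipes(events):
    """Return (host, user, cmdline) for every cipher.exe run that uses /w."""
    hits = []
    for e in events:
        if e.get("event") != "process":
            continue
        if e["image"].lower().endswith("\\cipher.exe") and WIPE_SWITCH.search(e["cmdline"]):
            hits.append((e["host"], e["user"], e["cmdline"]))
    return hits


def find_dual_homed(events):
    """Return hosts that have both a wired and a wireless adapter up at once."""
    up_types = {}
    for e in events:
        if e.get("event") == "adapter" and e["state"] == "up":
            up_types.setdefault(e["host"], set()).add(e["type"])
    return sorted(h for h, t in up_types.items() if {"wired", "wireless"} <= t)


if __name__ == "__main__":
    for hit in find_cipher_wipes(SAMPLE_EVENTS):
        print("ALERT cipher.exe free-space wipe:", hit)
    for host in find_dual_homed(SAMPLE_EVENTS):
        print("REVIEW dual-homed host (wired + Wi-Fi up):", host)
```

The dual-homed check is an inventory control rather than an alert: a wired workstation with an active Wi-Fi radio is the exact foothold the article describes, so such hosts should have the adapter disabled or the Wi-Fi network moved behind MFA.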
The company initially had some difficulty in attributing the attack to a known threat actor, in large part due to the heavy use of living-off-the-land techniques, which make both detection and attribution more difficult.
However, a report published by Microsoft on a Russia-linked group named Forest Blizzard in April 2024 revealed significant overlaps in indicators of compromise.
Forest Blizzard is tracked by others as APT28, Sofacy, and Fancy Bear, and as GruesomeLarch by Volexity.
“Volexity’s investigation reveals the lengths a creative, resourceful, and motivated threat actor is willing to go to in order to achieve their cyber-espionage objectives. The Nearest Neighbor Attack effectively amounts to a close access operation, but the risk of being physically identified or detained has been removed. This attack has all the benefits of being in close physical proximity to the target, while allowing the operator to be thousands of miles away,” Volexity explained.
“Organizations need to place additional considerations on the risks that Wi-Fi networks may pose to their operational security,” it added. “A significant amount of effort over the last several years has been placed on attack surface reduction where Internet-facing services have been secured with MFA or removed altogether. However, the same level of care has not necessarily been given to Wi-Fi networks.”