Russian hackers affiliated with the country’s military intelligence agency (GRU) have developed a sophisticated method to breach Wi-Fi networks in foreign countries while operating remotely from Russia. The technique involves compromising nearby devices connected to vulnerable Wi-Fi networks and using them to infiltrate target systems.
Cybersecurity firm Volexity uncovered the method, which it dubbed the Nearest Neighbor Attack, during an investigation into a breach that occurred in early 2022. The adversary targeted a Washington-based organization working in support of Ukraine. To infiltrate the system, the hackers used a multi-step strategy, compromising Wi-Fi networks in a building adjacent to the target. By chaining access through several networks, they ultimately gained entry into the primary target’s system.
The breach has been attributed to a threat actor Volexity tracks as GruesomeLarch (publicly known as APT28, Forest Blizzard, Sofacy, Fancy Bear, or Unit 26165). This GRU-linked group is infamous for high-profile cyberattacks, including the 2016 breach of the Democratic National Committee and a 2018 attempt to hack the Organization for the Prohibition of Chemical Weapons (OPCW) using radio equipment.
A month-and-a-half-long investigation revealed that the attacker breached the victim’s enterprise Wi-Fi network by leveraging compromised nearby organizations in a daisy-chain fashion, despite being thousands of miles away from the target. The group obtained valid credentials through password-spraying attacks against public-facing services of the victim organization.
Although the public-facing services were protected using multi-factor authentication (MFA), the enterprise Wi-Fi required only a username and password for access, the researchers noted.
To bypass physical limitations, the attacker breached organizations in proximity to the victim and utilized dual-homed systems (connected to both wired and wireless networks), exploiting their Wi-Fi adapters to access the victim’s Wi-Fi from the compromised systems.
The analysis of wireless access points revealed the attacker was connecting from specific conference rooms near external windows. The threat actor used a custom PowerShell script to scan for and connect to available Wi-Fi networks using stolen credentials. Further investigation uncovered that compromised credentials and RDP access were used to breach a dual-homed system. The attacker used VPN credentials and connections via other nearby organizations to maintain access.
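The two signals a defender could have pulled from this chain are the password spray against the public-facing services and the later password-only Wi-Fi authentication by an account the spray had validated. The following script is an added example, not Volexity's code or any tooling from the write-up: it runs both checks over constructed sample log lines in a made-up `<time> <service> <event> user=… src=…` format (the service names, IPs, usernames and access-point labels are all invented for the example), flagging a source that tries a few guesses across many accounts and then any Wi-Fi success by an account that source logged in to.

```python
"""Detection sketch for two steps of the Nearest Neighbor Attack chain.

Added example; the log format, hosts, accounts and AP names below are
constructed for illustration and do not correspond to any real vendor log.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events. 203.0.113.7 sprays six accounts with one or two
# guesses each and gets one hit (dave). 198.51.100.20 is alice mistyping her
# own password twice, which should not be flagged as a spray.
SAMPLE_LOGS = """\
2022-02-01T09:00:01 webmail LOGIN_FAIL user=alice src=203.0.113.7
2022-02-01T09:00:02 webmail LOGIN_FAIL user=bob src=203.0.113.7
2022-02-01T09:00:03 webmail LOGIN_FAIL user=carol src=203.0.113.7
2022-02-01T09:00:04 webmail LOGIN_FAIL user=dave src=203.0.113.7
2022-02-01T09:00:05 webmail LOGIN_FAIL user=erin src=203.0.113.7
2022-02-01T09:00:06 webmail LOGIN_FAIL user=frank src=203.0.113.7
2022-02-01T09:00:09 webmail LOGIN_OK user=dave src=203.0.113.7
2022-02-01T09:05:00 webmail LOGIN_FAIL user=alice src=198.51.100.20
2022-02-01T09:05:10 webmail LOGIN_FAIL user=alice src=198.51.100.20
2022-02-01T09:05:20 webmail LOGIN_OK user=alice src=198.51.100.20
2022-02-01T09:30:00 wifi AUTH_OK user=dave src=AP-ConfRoom-3
2022-02-01T10:00:00 wifi AUTH_OK user=alice src=AP-Floor2-East
"""


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, service, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"time": datetime.fromisoformat(ts), "service": service,
            "event": event, "user": fields["user"], "src": fields["src"]}


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_password_spray(events, min_accounts=5, max_per_account=2):
    """Return {source: {accounts tried}} for sources whose login attempts on
    non-Wi-Fi services touch at least min_accounts distinct accounts with at
    most max_per_account attempts each: the low-and-slow spray shape, as
    opposed to many guesses against one account."""
    attempts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["service"] != "wifi" and e["event"] in ("LOGIN_FAIL", "LOGIN_OK"):
            attempts[e["src"]][e["user"]] += 1
    sprays = {}
    for src, per_user in attempts.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            sprays[src] = set(per_user)
    return sprays


def compromised_by_spray(events, sprays):
    """Accounts for which a spraying source produced a successful login."""
    return {e["user"] for e in events
            if e["src"] in sprays and e["event"] == "LOGIN_OK"}


def wifi_auth_by_sprayed_accounts(events, sprays):
    """Wi-Fi successes by spray-validated accounts after the spray began.
    Returns (user, access point, ISO time) tuples for review."""
    compromised = compromised_by_spray(events, sprays)
    spray_start = min((e["time"] for e in events if e["src"] in sprays),
                      default=None)
    return [(e["user"], e["src"], e["time"].isoformat()) for e in events
            if e["service"] == "wifi" and e["event"] == "AUTH_OK"
            and e["user"] in compromised and e["time"] >= spray_start]


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    found = detect_password_spray(evs)
    for src, users in found.items():
        print(f"spray from {src}: {len(users)} accounts tried")
    for user, ap, when in wifi_auth_by_sprayed_accounts(evs, found):
        print(f"spray-validated account {user} joined Wi-Fi via {ap} at {when}")
```

The second check is what turns a noisy spray alert into an actionable one: a sprayed account that later succeeds on password-only Wi-Fi, from an access point whose location the AP logs can pin down, is exactly the pattern the investigation reconstructed after the fact. The thresholds are illustrative and should be tuned to the environment's normal failed-login rates.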
Despite remediation steps that were implemented in the wake of the attack, the threat actor later regained access through a guest Wi-Fi network, exploiting a failure to reset some compromised credentials and misconfigured isolation between the guest Wi-Fi and corporate wired network.