Russian hackers attack innocent companies to gain access to their neighbors
- Russian cyber espionage group APT28 linked to ‘Nearest Neighbor Attack’
- The victim’s Wi-Fi network was secured, but the neighbor’s was not
- The timing corresponds to Russia’s invasion of Ukraine in 2022
Russian cyber espionage group APT28, also known as Fancy Bear, managed to breach the network of an American company by using a ‘Nearest Neighbor Attack’, exploiting nearby Wi-Fi networks.
First identified by cybersecurity firm Volexity in February 2022, the attack raises new concerns about vulnerabilities in companies’ Wi-Fi systems.
In this case, APT28, tracked by Volexity as ‘GruesomeLarch’, targeted an American organization involved in Ukrainian projects, hence the nation-state’s interest in the company.
The ‘Nearest Neighbor Attack’
The attack on the unnamed US company – a Volexity customer whose identity is protected – began with password spraying to obtain valid credentials for the victim’s corporate Wi-Fi network. Multi-factor authentication kept those credentials from being used against the company’s internet-facing systems, so the attackers turned to a nearby organization in order to get within radio range of the Wi-Fi network itself.
Volexity explained: “The threat actor was on the other side of the world and could not connect to [the victim’s] Enterprise Wi-Fi network. To overcome this hurdle, the threat actor attempted to compromise other organizations located in buildings in close proximity to [the victim’s] office. Their strategy was to penetrate another organization.”
At the neighboring organization, APT28 took over a dual-homed device that had both a wired network connection and a Wi-Fi adapter. From that device it joined the target’s corporate Wi-Fi with the credentials it had already obtained, using the device as a bridge for lateral movement and data exfiltration.
The attackers also used native Windows tools such as Cipher.exe to wipe evidence (the utility can overwrite free disk space, destroying the remnants of deleted files), which made the intrusion harder to detect and reconstruct. To escalate privileges inside the victim’s network, they exploited a vulnerability in the Windows Print Spooler service that was a zero-day at the time.
The attack was identified only weeks before Russia’s invasion of Ukraine, and the target’s involvement in Ukrainian projects is consistent with that geopolitical timing.
Volexity now advises companies to monitor for this kind of activity, to separate Wi-Fi and Ethernet into distinct network environments so that a Wi-Fi foothold does not reach the wired core, and to put stronger authentication, such as certificate-based solutions, in front of Wi-Fi access rather than relying on a password alone.
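Two of the steps described above leave log traces a defender can hunt for: the password spraying against the Wi-Fi login (one source trying many accounts, a few times each) and the anti-forensic use of Cipher.exe (the /w: switch that overwrites free space). The script below is an added example written for this page, not Volexity’s tooling or anything from its report. The RADIUS-style authentication lines and the Sysmon-style process-creation lines are constructed in a hypothetical, simplified format so the example runs offline; a real deployment would parse the organization’s actual NPS, controller or Sysmon exports instead.

```python
"""Added example: two detections matching the tradecraft in the article.

1. detect_password_spray: one Wi-Fi client (RADIUS supplicant) collects
   REJECTs for many distinct accounts inside a short window.
2. detect_cipher_wipe:   cipher.exe invoked with /w: (overwrite free space),
   which has no routine use on a workstation and destroys deleted-file remnants.
Log formats below are hypothetical and constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed RADIUS-style Wi-Fi authentication log (not a real NPS export).
RADIUS_LOG = """\
2022-02-01T03:10:01 auth REJECT user=asmith client=aa:bb:cc:00:00:01
2022-02-01T03:10:04 auth REJECT user=bjones client=aa:bb:cc:00:00:01
2022-02-01T03:10:07 auth REJECT user=cwu client=aa:bb:cc:00:00:01
2022-02-01T03:10:11 auth REJECT user=dlee client=aa:bb:cc:00:00:01
2022-02-01T03:10:15 auth REJECT user=ekhan client=aa:bb:cc:00:00:01
2022-02-01T03:10:19 auth ACCEPT user=fgarcia client=aa:bb:cc:00:00:01
2022-02-01T08:00:00 auth REJECT user=asmith client=11:22:33:44:55:66
2022-02-01T08:00:30 auth ACCEPT user=asmith client=11:22:33:44:55:66
"""

# Constructed process-creation log, one Sysmon Event ID 1-style record per line.
PROCESS_LOG = """\
2022-02-03T22:41:10 host=WS-104 user=CORP\\svc_backup image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c dir"
2022-02-03T22:45:02 host=WS-104 user=CORP\\svc_backup image=C:\\Windows\\System32\\cipher.exe cmdline="cipher.exe /w:C:\\Users\\Public"
2022-02-03T09:12:00 host=WS-017 user=CORP\\alice image=C:\\Windows\\System32\\cipher.exe cmdline="cipher.exe /e C:\\Users\\alice\\secret"
"""

RADIUS_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ACCEPT|REJECT) user=(?P<user>\S+) client=(?P<client>\S+)$"
)
PROC_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)


def detect_password_spray(log, window=timedelta(minutes=10), min_users=5):
    """Return {client: distinct_users} for clients whose REJECTs cover at least
    min_users distinct accounts inside any window of the given length.
    One account failing repeatedly (a forgotten password) is not flagged;
    a spray is many accounts, few attempts each, from one source."""
    failures = defaultdict(list)  # client -> [(timestamp, user)]
    for line in log.splitlines():
        m = RADIUS_RE.match(line)
        if not m or m["result"] != "REJECT":
            continue
        failures[m["client"]].append((datetime.fromisoformat(m["ts"]), m["user"]))

    flagged = {}
    for client, events in failures.items():
        events.sort()
        best = 0
        # Slide a window starting at each failure; count distinct users inside it.
        for i, (start, _) in enumerate(events):
            users = {u for ts, u in events[i:] if ts - start <= window}
            best = max(best, len(users))
        if best >= min_users:
            flagged[client] = best
    return flagged


def detect_cipher_wipe(log):
    """Return (host, user, cmdline) for cipher.exe runs that use /w: to overwrite
    free space. cipher.exe /e (encrypt a folder) is ordinary use and is ignored."""
    hits = []
    for line in log.splitlines():
        m = PROC_RE.match(line)
        if not m:
            continue
        image = m["image"].rsplit("\\", 1)[-1].lower()
        if image == "cipher.exe" and re.search(r"(?i)(^|\s)/w:", m["cmdline"]):
            hits.append((m["host"], m["user"], m["cmdline"]))
    return hits


if __name__ == "__main__":
    for client, n in detect_password_spray(RADIUS_LOG).items():
        print(f"possible password spray from {client}: {n} distinct accounts rejected")
    for host, user, cmdline in detect_cipher_wipe(PROCESS_LOG):
        print(f"free-space wipe on {host} by {user}: {cmdline}")
```

The spray threshold keys on distinct accounts per source rather than total failures, which is what separates a spray from a single user mistyping a password; tune the window and count to the site’s normal failure rate. The Cipher.exe rule is deliberately narrow (only the /w: switch) so that legitimate EFS use does not page anyone.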