Russian state-sponsored hacking group GruesomeLarch (also known as APT28 or Fancy Bear) has demonstrated a sophisticated new attack technique dubbed the “Nearest Neighbor Attack,” which allows remote hackers to breach organizations by exploiting Wi-Fi networks of neighboring businesses.
This novel technique allowed hackers to breach an organization’s network from thousands of miles away without malware and by exploiting the Wi-Fi networks of nearby businesses.
The attack, discovered by cybersecurity firm Volexity in February 2022, just before the Russian invasion of Ukraine, revealed how hackers thousands of miles away could gain unauthorized access to their target’s network without being physically present.
Nearest Neighbor Attack
The attack, which took place in early February 2022, just before the Russian invasion of Ukraine, targeted an unnamed organization (referred to as “Organization A”) with expertise and projects related to Ukraine. The hackers employed a multi-step approach to gain access to the target’s network:
- Password spraying: The attackers first compromised user credentials through password spray attacks against Organization A’s public-facing services.
- Wi-Fi exploitation: Unable to bypass multi-factor authentication (MFA) on internet-facing services, the hackers focused on the organization’s Enterprise Wi-Fi network, which only required a username and password.
- Daisy-chaining: To connect to Organization A’s Wi-Fi from afar, the attackers compromised systems in nearby buildings, looking for dual-homed computers with both wired and wireless connections.
- Lateral movement: Once inside the network, the hackers used living-off-the-land techniques, leveraging native Windows tools to avoid detection.
The investigation revealed that GruesomeLarch had successfully breached multiple organizations in close proximity to their primary target. This allowed them to connect to Organization A’s Enterprise Wi-Fi network from a compromised system in a nearby building.
Volexity’s team encountered several challenges during the investigation, including the attacker’s use of anti-forensic techniques. The hackers used the Windows Cipher.exe utility to cover their tracks, complicating forensic recovery of deleted files.
The breach was eventually traced back to an organization (“Organization B”) located across the street from the primary target. Further analysis uncovered a third compromised entity (“Organization C”), demonstrating the attacker’s persistence in daisy-chaining connections to reach their ultimate goal.
In a final attempt to regain access, the hackers exploited a vulnerability in Organization A’s Guest Wi-Fi network, which was not completely isolated from the corporate wired network. This allowed them to pivot back into the main network and access high-value data.
The attack has been attributed to GruesomeLarch based on the use of a post-compromise tool called GooseEgg, which matches the description provided in a Microsoft report from April 2024.
This incident highlights the evolving nature of cyber threats and the need for organizations to reassess their Wi-Fi security measures. Volexity recommends implementing multi-factor authentication for Wi-Fi access, creating separate networking environments for Wi-Fi and Ethernet connections, and monitoring for anomalous use of native Windows utilities.
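The last of those recommendations, monitoring for anomalous use of native Windows utilities, is the one a SOC can act on immediately with process-creation telemetry. The following Python pass is an added example, not code from the article or from Volexity: it runs three simple rules over constructed process-creation events in a simplified Security 4688 / Sysmon event ID 1 shape. The event field names, the watch list of native utilities, the "expected parent" baseline and the per-user baseline are all assumptions made for the illustration; only the Cipher.exe free-space wipe rule corresponds to something the article describes.

```python
"""Toy detection pass for living-off-the-land activity in Windows process-creation events.

Everything here (field names, sample events, watch list, baselines) is constructed for
illustration and is not taken from the Volexity report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    cmdline: str


# Native utilities worth watching (assumed watch list; extend to taste).
NATIVE_UTILITIES = {"cipher.exe", "wmic.exe", "reg.exe", "net.exe", "net1.exe", "schtasks.exe"}

# Parents from which those utilities are expected during interactive admin work (assumed).
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}

# "cipher.exe /w[:dir]" overwrites free space on a volume, which is the anti-forensic
# use of Cipher.exe the article calls out. Legitimate use on workstations is rare.
CIPHER_WIPE = re.compile(r"\bcipher(?:\.exe)?\b.*\s/w(?::|\b)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, known_users=None):
    """Return alerts for (1) cipher.exe free-space wipes, (2) watched utilities launched
    from an unexpected parent, (3) watched utilities run by an account with no baseline
    for that utility. `known_users` maps user -> set of utilities they normally run."""
    known_users = known_users or {}
    alerts = []
    for ev in events:
        image = basename(ev["image"])
        parent = basename(ev["parent"])
        if CIPHER_WIPE.search(ev["cmdline"]):
            alerts.append(Alert(ev["host"], ev["user"], "cipher_wipe_free_space", ev["cmdline"]))
        if image in NATIVE_UTILITIES:
            if parent not in EXPECTED_PARENTS:
                alerts.append(Alert(ev["host"], ev["user"], "lolbin_unexpected_parent", ev["cmdline"]))
            if image not in known_users.get(ev["user"], set()):
                alerts.append(Alert(ev["host"], ev["user"], "lolbin_new_for_user", ev["cmdline"]))
    return alerts


# Constructed sample events (hypothetical hosts, users and command lines).
SAMPLE_EVENTS = [
    {"host": "WS-01", "user": r"CORP\jdoe", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"host": "WS-01", "user": r"CORP\itadmin", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg query HKLM\SOFTWARE\Policies"},
    {"host": "WS-07", "user": r"CORP\svc-backup", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SYSTEM\CurrentControlSet\Services"},
    {"host": "WS-07", "user": r"CORP\svc-backup", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cipher.exe", "cmdline": r"cipher.exe /w:C:\Users\Public"},
]

# Assumed per-user baseline: which watched utilities each account has run before.
BASELINE = {r"CORP\itadmin": {"reg.exe", "net.exe", "schtasks.exe"}}


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, BASELINE):
        print(f"{a.host} {a.user} [{a.rule}] {a.cmdline}")
```

The administrator's `reg query` from a command prompt produces nothing, while the service account's activity on WS-07 produces four alerts: a watched utility spawned by WmiPrvSE.exe, two first-time uses of watched utilities by that account, and the free-space wipe itself. In production the baselines would be learned from historical telemetry rather than hard-coded, and the `cipher_wipe_free_space` rule is the one to page on, since it signals that evidence is being destroyed.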
The Nearest Neighbor Attack represents a new class of cyber threats, combining the benefits of close physical proximity with the ability to operate from a great distance. As organizations continue to strengthen their internet-facing defenses, attackers are finding creative ways to exploit overlooked vulnerabilities in Wi-Fi networks and adjacent systems.