Russian Hackers Breach U.S. Firm via ‘Nearest Neighbor Attack’ Using WiFi
November 22, 2024
Russian state hackers, known as APT28, have breached a U.S. company's enterprise WiFi network using a novel 'nearest neighbor attack' technique. Despite being thousands of miles away, the hackers compromised a nearby organization within WiFi range of the target and used it as a pivot to reach the target. The attack was detected on February 4, 2022, by cybersecurity firm Volexity, which had been monitoring the hackers under the codename 'GruesomeLarch'. APT28, which is linked to Russia's military unit 26165 in the General Staff Main Intelligence Directorate (GRU), has been conducting cyber operations since at least 2004.
Initially, the hackers obtained the target's enterprise WiFi network credentials through password-spraying attacks. However, multi-factor authentication (MFA) prevented them from using these credentials over the public web. To circumvent this, the hackers compromised another organization and searched for dual-homed devices, such as laptops and routers, that could connect to the target's enterprise WiFi.
Volexity discovered that APT28 compromised multiple organizations during this attack, using valid access credentials to daisy-chain their connection. Ultimately, they found a device within range that could connect to three wireless access points near a victim's conference room. Using a remote desktop connection (RDP) from an unprivileged account, the hackers could then move laterally on the target network, searching for systems of interest and exfiltrating data.
The hackers used a script named 'servtask.bat' to dump Windows registry hives (SAM, Security, and System), compressing them into a ZIP archive for exfiltration. They generally used native Windows tools to minimize their footprint while collecting data. Volexity further determined that GruesomeLarch was actively targeting Organization A in order to collect data from individuals with expertise on Ukraine and from projects actively involving Ukraine.
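A defender's detection sketch for the hive-dump-then-archive pattern in that paragraph (an added example, not Volexity's tooling or the attackers' script): it scans constructed process-creation records for saves of the SAM, Security and System hives followed by an archive command on the same host within a short window. The `reg.exe save` and `tar.exe` command lines are assumed stand-ins for the native Windows tools the article mentions, since the actual contents of servtask.bat are not given.

```python
"""Flag hosts that dump the SAM/SECURITY/SYSTEM hives and then archive them.

Added example; the log records below are constructed, and the exact commands
servtask.bat ran are not on the page, so `reg.exe save` and `tar.exe` are
assumed stand-ins for the "native Windows tools" the article describes.
"""
import re
from datetime import datetime, timedelta

# reg save of one of the three credential hives (hklm\sam, hklm\security, hklm\system)
HIVE_RE = re.compile(r"\breg(?:\.exe)?\s+save\s+\S*hklm\\(sam|security|system)\b", re.I)
# archive creation with built-in tools: tar.exe -c..., PowerShell Compress-Archive, makecab
ARCHIVE_RE = re.compile(r"\btar(?:\.exe)?\s+-\w*c|compress-archive|\bmakecab", re.I)

# constructed process-creation records: (timestamp, host, user, command line)
SAMPLE_LOG = [
    ("2022-02-04T09:10:01", "ws-17", "svc_ops", r"reg.exe save hklm\sam C:\Windows\Temp\s.dat"),
    ("2022-02-04T09:10:02", "ws-17", "svc_ops", r"reg.exe save hklm\security C:\Windows\Temp\se.dat"),
    ("2022-02-04T09:10:03", "ws-17", "svc_ops", r"reg.exe save hklm\system C:\Windows\Temp\sy.dat"),
    ("2022-02-04T09:10:40", "ws-17", "svc_ops", r"tar.exe -cf C:\Windows\Temp\out.zip C:\Windows\Temp\*.dat"),
    # a lone SYSTEM hive save by an admin with no archive step: lower confidence
    ("2022-02-04T11:00:00", "ws-03", "admin", r"reg.exe save hklm\system C:\backup\system.bak"),
]


def find_hive_dumps(records, window=timedelta(minutes=10)):
    """Return one alert per host that saved a credential hive.

    `archived` is True when the same host ran an archive command within
    `window` after its first hive save; all three hives plus an archive is
    the full pattern from the article and is rated high.
    """
    dumps, archives = {}, []
    for ts, host, user, cmd in records:
        t = datetime.fromisoformat(ts)
        m = HIVE_RE.search(cmd)
        if m:
            d = dumps.setdefault(host, {"user": user, "hives": set(), "times": []})
            d["hives"].add(m.group(1).upper())
            d["times"].append(t)
        elif ARCHIVE_RE.search(cmd):
            archives.append((host, t))
    alerts = []
    for host, d in dumps.items():
        first = min(d["times"])
        archived = any(h == host and timedelta(0) <= t - first <= window for h, t in archives)
        alerts.append({"host": host, "user": d["user"], "hives": sorted(d["hives"]),
                       "archived": archived,
                       "severity": "high" if archived and len(d["hives"]) == 3 else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_hive_dumps(SAMPLE_LOG):
        print(alert)
```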
While Volexity was initially unable to attribute the attack to any known threat actor, a subsequent report from Microsoft revealed indicators of compromise (IoCs) that matched Volexity's observations, pointing to the Russian threat group. According to Microsoft's report, it is highly likely that APT28 escalated privileges before running critical payloads by exploiting the CVE-2022-38028 vulnerability in the Windows Print Spooler service within the victim's network as a zero-day.
The 'nearest neighbor attack' by APT28 demonstrates that close-access operations, which typically require physical proximity to the target, can be conducted from a distance, eliminating the risk of physical identification or capture. This highlights the need for corporate WiFi networks to be treated with the same level of security as other remote access services, especially in light of improved security measures for internet-facing devices.