Hackers breach US firm over Wi-Fi from Russia in 'Nearest Neighbor Attack'

Russian state hackers APT28 (Fancy Bear/Forest Blizzard/Sofacy) breached a U.S. company through its enterprise WiFi network while being thousands of miles away, by leveraging a novel technique called "nearest neighbor attack."

The threat actor pivoted to the target after first compromising an organization in a nearby building within the WiFi range.

The attack was discovered on February 4, 2022, when cybersecurity company Volexity detected a server compromise at a customer site in Washington, DC that was doing Ukrainian-related work.

APT28 is part of Russia's military unit 26165 in the General Staff Main Intelligence Directorate (GRU) and has been conducting cyber operations since at least 2004.

The hackers, which Volexity tracks as GruesomeLarch, first obtained the credentials to the target's enterprise WiFi network through password-spraying attacks targeting a victim's public-facing service.

However, the presence of multi-factor authentication (MFA) protection prevented the use of the credentials over the public web. Although connecting through the enterprise WiFi did not require MFA, being "thousands of miles away and an ocean apart from the victim" was a problem.

Leave a Comment