Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime

Russian Hackers Exploit Wi-Fi in Sophisticated New Attack

'Nearest Neighbor Attack' Bypasses Cyber Defenses by Breaching Wi-Fi Networks
Russian Hackers Exploit Wi-Fi in Sophisticated New Attack
Russian intelligence hackers could be inside this Wi-Fi router. (Image: Shutterstock)

A Russian cyberespionage group hacked a Washington, D.C.-based organization focused on Ukraine by deploying a new attack technique that exploits Wi-Fi connectivity, according to new research.

See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries

The hack took place just before Russia's invasion of Ukraine in 2022 and sparked what Volexity researchers called "one of the most fascinating and complex" investigations the cybersecurity firm has ever conducted. The firm unveiled what it dubbed a "nearest neighbor attack" Friday during the Cyberwarcon summit in Arlington, Virginia.

A hacking unit of the Russian General Staff Main Intelligence Directorate, better known as the GRU, breached the victim network after compromising a nearby organization, which it used as a jumping-off point to gain access to the target organization - specifically, by using a system at the third organization to connect to the victim's Wi-Fi network. The threat actor, officially Unit 26165 of the 85th Main Special Services Center, is tracked under the monikers APT 28, Forest Blizzard, Fancy Bear and by Volexity as "GruesomeLarch."

Russian state hackers had attempted to gain entry to the target's network by conducting a password-spray attack against a public entry point. But they were stymied by a multi-factor authentication requirement.

Their way in was to hack the network of a physically nearby organization and look for a system in range of the target's Wi-Fi signal. Because the target's Wi-Fi system didn't require multi-factor authentication, Russian hackers were able to login and obtain access to the network.

The nearest neighbor attack methodology could lead to a significant broadening of targeting and attacks, said Steven Adair, Volexity founder and president.

Hackers "are able to take an attack methodology that previously relied on being in close physical proximity to a target and are now doing it remotely while eliminating the risk associated with it," Adair told Information Security Media Group. "A threat actor can launch this type of attack with no fear of being physically discovered."

Volexity says the incident represents the first known instance of a new class of attack, "in which a threat actor compromises one organization and performs credential-stuffing attacks in order to compromise other organizations in close physical proximity via their Wi-Fi networks." Hackers can surpass the proximity limitations of Wi-Fi not through signal boosting, wireless relays or physical tradecraft. It's enough to hack a system that's already within range.

Volexity detected the hacking campaign on February 4, 2022, when hackers began exfiltrating data through compressed files. They used Microsoft's native Cipher.exe utility to evade detection by securely erasing files, also marking the first time Volexity observed an attacker "covering their tracks with anti-forensics methods."

Volexity gained a break in the investigation after discovering a wireless controller used to manage the victim organization's network that included detailed logs, allowing security analysts to uncover the IP address of the attacker. Analysts found the attacker connected to wireless access points near street-facing windows, indicating that the threat originated outside the building.

The nearest neighbor attack method proved so successful for Russian intelligence that it returned several months later using the same method, despite the victim hardening its network. The second attack penetrated the victim organization's guest Wi-Fi network. The organization thought it completely isolated its enterprise network from the guest network, but "there was one system that was accessible from both the Wi-Fi network and the corporate wired network."

Unit 26165 has played a key role in Russia's cyber offensive against Ukrainian critical infrastructure, carrying out extensive cyberespionage and hacking operations against energy facilities and other sectors, including transportation and government systems. Previous reports have indicated the threat group exploits known vulnerabilities and takes advantage of poorly configured networks to deploy malware worldwide (see: Ukraine Facing Phishing Attacks, Information Operations).


About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.