Novel attack unveiled: Russian hackers using neighbors’ WiFi to launch attacks


Russian state hackers have devised a novel attack method to infiltrate organizations by exploiting nearby WiFi networks. Operating from thousands of miles away, they chain vulnerable WiFi devices until they reach their primary target.

You’ve got your network secured, but has your neighbor? Russian threat actor APT28, also known as Fancy Bear, Forest Blizzard, or Sofacy, is leveraging WiFi networks in close proximity to the intended target, a report by the cybersecurity firm Volexity reveals.

In the described case, the intruders hopped from Organization C’s WiFi to Organization B’s WiFi before finally reaching Organization A.


This technique, dubbed the Nearest Neighbor Attack, was used to bypass Organization A's multifactor authentication (MFA) security defense.

APT28 is a threat actor attributed to a unit of Russia’s General Staff Main Intelligence Directorate (GRU). The hackers breached an undisclosed organization’s network by connecting to its enterprise WiFi network.

“The threat actor accomplished this by daisy-chaining their approach to compromise multiple organizations in close proximity to their intended target, Organization A. This was done by a threat actor who was thousands of miles away and an ocean apart from the victim,” the report reads.

How does the attack work?

APT28 resorted to the new attack after it was unable to compromise Organization A using valid credentials obtained via password spraying. MFA stopped it.

The enterprise WiFi network, however, only required a valid username and password.

So, the cyberspies developed a strategy to breach another organization that is physically nearby. There, they needed a so-called “dual-homed” system, one that has both a wired and a wireless network connection.

Volexity researchers have discovered that Russian hackers breached more than one neighboring organization to attack their primary target.


Using that system’s WiFi adapter, the attackers would connect to the victim’s WiFi network, authenticate, and gain access.


“The attacker was connecting to the network via wireless credentials they had brute-forced from an internet-facing service,” the report reads.

“The attacker was connecting to the same three wireless access points that were in a conference room at the far end of the building near windows along the street.”

The attacks came from the computer of another organization right across the street, which had been breached using privileged credentials via RDP (remote desktop protocol) from another system.

Attackers used a custom PowerShell script to examine the available networks within range and then connected to Organization A’s Enterprise WiFi using credentials they had compromised.

This attack is similar to the “close access” operations previously carried out by operators physically in the vicinity of the target, e.g., by hiding radio equipment in the trunk of a vehicle. In this case, however, the attackers were thousands of miles away.

What is even more interesting is that Organization B had itself been compromised the same way, from a neighboring organization’s WiFi network. The attackers connected to B’s WiFi in a similar manner, and also accessed B’s VPN, which was not protected with MFA.

“The attacker had gone to great lengths to breach multiple organizations so they could daisy-chain WiFi and/or VPN connections to ultimately reach the network of Organization A.”

It’s unclear if there were more hops in the chain, as Organization C did not provide Volexity with access to key data.


Attackers used sophisticated tactics

APT28 demonstrated sophisticated tactics in their intrusion. They relied on built-in Windows tools, such as Cipher.exe, to permanently erase their tracks.

The attackers stole Active Directory data using an effective, well-known approach: they created shadow copies of critical system files and used PowerShell commands to compress them before downloading.

“The majority of the data from this incident was copied back to the attacker’s system, which was connected to the WiFi,” Volexity described.

Occasionally, the attackers also used public-facing web servers for data exfiltration.

Hackers also used a post-compromise tool dubbed GooseEgg, based on a zero-day privilege escalation vulnerability.

“This attack has all the benefits of being in close physical proximity to the target, while allowing the operator to be thousands of miles away,” the researchers concluded. “The Nearest Neighbor Attack effectively amounts to a close access operation, but the risk of being physically identified or detained has been removed.”

Multiple challenges complicated the investigation, which began on February 4th, 2022, when the suspicious activity was first detected. Volexity encountered numerous dead ends, as the attack left little evidence behind. Wireless controller logs led to a breakthrough, as they allowed the researchers to identify the attacker’s MAC address.
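As an added defender-side example (not code from the Volexity report or from this article), the following Python script shows the kind of correlation the investigation relied on: it parses constructed wireless-controller authentication log lines, flags successful enterprise WiFi logins that come from MAC addresses absent from the asset inventory or from accounts that were earlier targeted by a password spray against an internet-facing service, and summarizes which access points each unknown MAC used. The log format, field names, MAC addresses, usernames, IP addresses and access point names are all assumptions constructed for the example.

```python
"""Correlate wireless-controller auth logs with internet-facing auth failures.

Goal (defender's view of the Nearest Neighbor Attack): an account that was
password-sprayed from the internet and then authenticates to the enterprise
WiFi from a device nobody owns is exactly the trace the report describes.
All log lines, formats and identifiers below are constructed for the example.
"""
from collections import defaultdict

# Constructed wireless controller log: "<timestamp> key=value ..." (hypothetical format)
WLC_LOG = """\
2022-02-03T21:14:07Z auth=success user=jdoe mac=a4:5e:60:11:22:33 ap=AP-FLOOR2-07 ssid=CORP
2022-02-03T22:02:51Z auth=success user=jdoe mac=00:1b:44:99:88:77 ap=AP-CONF-STREET-1 ssid=CORP
2022-02-03T22:40:12Z auth=success user=mlee mac=3c:22:fb:aa:bb:cc ap=AP-FLOOR1-02 ssid=CORP
2022-02-04T01:10:33Z auth=success user=jdoe mac=00:1b:44:99:88:77 ap=AP-CONF-STREET-2 ssid=CORP
"""

# Constructed failed-login log from an internet-facing portal (hypothetical format)
PORTAL_LOG = """\
2022-02-01T03:00:01Z result=fail user=jdoe src=203.0.113.10
2022-02-01T03:00:02Z result=fail user=mlee src=203.0.113.10
2022-02-01T03:00:03Z result=fail user=asmith src=203.0.113.10
2022-02-01T03:00:04Z result=fail user=bkhan src=203.0.113.10
2022-02-01T09:12:40Z result=fail user=mlee src=198.51.100.7
"""

# Constructed asset inventory: MAC addresses of corporate-owned wireless adapters
ASSET_INVENTORY = {"a4:5e:60:11:22:33", "3c:22:fb:aa:bb:cc"}


def parse_kv(line):
    """Parse '<ts> k=v k=v ...' into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for tok in parts[1:]:
        if "=" not in tok:
            return None
        key, value = tok.split("=", 1)
        rec[key] = value
    return rec


def sprayed_accounts(portal_log, min_distinct_users=3):
    """Return accounts hit by a spray: one source IP failing against many users."""
    users_by_src = defaultdict(set)
    for line in portal_log.splitlines():
        rec = parse_kv(line)
        if rec and rec.get("result") == "fail":
            users_by_src[rec["src"]].add(rec["user"])
    sprayed = set()
    for users in users_by_src.values():
        if len(users) >= min_distinct_users:
            sprayed |= users
    return sprayed


def find_suspicious_wifi_auths(wlc_log, inventory, sprayed):
    """Flag successful WiFi logins from unknown MACs, or from sprayed accounts
    that are being used from more than one device."""
    macs_by_user = defaultdict(set)
    records = []
    for line in wlc_log.splitlines():
        rec = parse_kv(line)
        if rec and rec.get("auth") == "success":
            records.append(rec)
            macs_by_user[rec["user"]].add(rec["mac"])
    findings = []
    for rec in records:
        reasons = []
        if rec["mac"] not in inventory:
            reasons.append("unknown_mac")
        if rec["user"] in sprayed:
            reasons.append("sprayed_account")
        if len(macs_by_user[rec["user"]]) > 1:
            reasons.append("multi_mac_user")
        # A sprayed account alone is weak evidence (the spray touches everyone);
        # an unknown device, or a sprayed account on several devices, is not.
        if "unknown_mac" in reasons or (
            "sprayed_account" in reasons and "multi_mac_user" in reasons
        ):
            findings.append(
                {"ts": rec["ts"], "user": rec["user"], "mac": rec["mac"],
                 "ap": rec["ap"], "reasons": reasons}
            )
    return findings


def rogue_mac_summary(findings):
    """Group unknown-MAC findings: which accounts and access points each MAC used."""
    summary = defaultdict(lambda: {"users": set(), "aps": set()})
    for f in findings:
        if "unknown_mac" in f["reasons"]:
            summary[f["mac"]]["users"].add(f["user"])
            summary[f["mac"]]["aps"].add(f["ap"])
    return dict(summary)


if __name__ == "__main__":
    sprayed = sprayed_accounts(PORTAL_LOG)
    hits = find_suspicious_wifi_auths(WLC_LOG, ASSET_INVENTORY, sprayed)
    for hit in hits:
        print(hit)
    for mac, info in rogue_mac_summary(hits).items():
        print(f"unknown MAC {mac}: users={sorted(info['users'])} aps={sorted(info['aps'])}")
```

The access point grouping matters because, in the case described above, the rogue client kept associating to the same few access points at the edge of the building; a MAC that only ever appears on street-facing APs, under an account that also has a normal corporate laptop, is the pattern worth chasing in real controller logs.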


The attack was only possible because the targeted WiFi systems had weaker security controls than other resources. Therefore, Volexity recommends creating separate networking environments for WiFi and Ethernet-wired networks, particularly where Ethernet-based networks allow access to sensitive resources.

“Consider hardening access requirements for WiFi networks, such as applying MFA requirements for authentication or certificate-based solutions,” one of the recommendations reads.